def rule(event):
    if any(
        [
            all(
                [
                    event.deep_get("type", default="") == "EXECVE",
                    event.deep_get("a0", default="") == "arecord",
                    event.deep_get("a1", default="") == "-vv",
                    event.deep_get("a2", default="") == "-fdat",
                ]
            ),
            all(
                [
                    event.deep_get("type", default="") == "SYSCALL",
                    event.deep_get("exe", default="").endswith("/ecasound"),
                    event.deep_get("SYSCALL", default="") == "memfd_create",
                ]
            ),
        ]
    ):
        return True
    return False
