
Summary
This detection rule monitors the creation of a file named "rootlog" in the /tmp directory on Linux systems. The "rootlog" file is associated with the Triple Cross eBPF rootkit, which uses it to check whether the rootkit's backdoor is already active on the host. By matching on the creation of this file, the rule aims to surface attempts to deploy the Triple Cross rootkit or to maintain its presence. The detection relies on file event logging, so file creation events in /tmp must be collected for the rule to have prompt visibility of this activity on the monitored Linux systems. The rule is classified at a high severity level because of the significant threat posed by rootkits, which can compromise system security through stealthy operation.
Categories
- Linux
- Endpoint
Data Sources
- File
Created: 2022-07-05
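The following is an added example (not the rule's own code) that replays the file-creation detection described above over constructed file-event log lines; the key=value line format, the field names and the sample lines are assumptions made for the example, not a real sensor format.

```python
"""
Added example (not the rule's own implementation): evaluate the /tmp/rootlog
file-creation detection over constructed file-event log lines.
The 'key=value' line format and field names are assumptions for this example.
"""
import shlex
from typing import Dict, List

ROOTLOG_PATH = "/tmp/rootlog"   # the indicator named in the rule summary
SEVERITY = "high"               # severity level stated in the summary


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value key=value ...' event line into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def matches_rootlog_rule(event: Dict[str, str]) -> bool:
    """Fire only on creation of exactly /tmp/rootlog.

    Modifications of the file and look-alike paths (/tmp/rootlog.bak,
    /home/<user>/tmp/rootlog) do not match, mirroring a file-creation rule
    keyed on the full target path.
    """
    return event.get("action") == "create" and event.get("path") == ROOTLOG_PATH


def find_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert record per matching event line."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if matches_rootlog_rule(ev):
            alerts.append({
                "severity": SEVERITY,
                "path": ev["path"],
                "exe": ev.get("exe", "?"),
                "uid": ev.get("uid", "?"),
            })
    return alerts


# Constructed sample log lines (not captured telemetry)
SAMPLE_LINES = [
    "action=create path=/tmp/session.lock exe=/usr/bin/vim uid=1000",
    "action=create path=/tmp/rootlog exe=/usr/bin/touch uid=0",
    "action=modify path=/tmp/rootlog exe=/usr/bin/bash uid=0",
    "action=create path=/tmp/rootlog.bak exe=/usr/bin/cp uid=0",
    "action=create path=/home/alice/tmp/rootlog exe=/usr/bin/touch uid=1000",
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LINES):
        print(alert)
```

Only the second sample line produces an alert; the modify event and the two look-alike paths are intentionally left unmatched to show the exact-path, creation-only scope of the rule.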