- rule: some rule
  desc: some desc
  condition: evt.type=open
  output: some output
  priority: INFO