- rule:
  desc: some desc
  condition: evt.type=execve
  output: some output