- list: cat_binaries
  items: [cat]

- macro: is_cat
  condition: proc.name in (not_cat)

- macro: is_cat
  condition: proc.name in (cat_binaries)
  
- rule: open_from_cat
  desc: A process named cat does an open
  condition: evt.type=open and is_cat
  output: "An open was seen (command=%proc.cmdline)"
  priority: WARNING