- macro: my_macro
  condition: proc.name=not-cat

- macro: my_macro
  append: true
  condition: or proc.name=cat

- rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and my_macro
  output: "An open was seen (command=%proc.cmdline)"
  priority: WARNING