Falco Rules

Write and customize Falco Rules to secure your environment

A Falco rules file is a YAML file that contains mainly three types of elements:

| Element | Description |
|---|---|
| Rules | Conditions under which an alert should be generated. A rule is accompanied by a descriptive output string that is sent with the alert. |
| Macros | Rule condition snippets that can be re-used inside rules and even other macros. Macros provide a way to name common patterns and factor out redundancies in rules. |
| Lists | Collections of items that can be included in rules, macros, or other lists. Unlike rules and macros, lists cannot be parsed as filtering expressions. |

Falco rules files can also contain two optional elements related to versioning:

| Element | Description |
|---|---|
| required_engine_version | Used to track compatibility between rules content and the Falco engine version. |
| required_plugin_versions | Used to track compatibility between rules content and plugin versions. |
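As an added example (not taken from the Falco documentation or the falcosecurity/rules repository), here is a small rules file that uses all three element types together with required_engine_version. The engine version number, list contents, and rule names are assumed; the fields referenced (evt.type, fd.name, proc.name, container.id) are standard Falco syscall fields.

```yaml
# Added example of a Falco rules file (not from the Falco project).
# Elements are evaluated top-down: declare the version requirement first,
# then lists, then macros, then the rules that reference them.

# Assumed value: pick the engine version your Falco build reports.
- required_engine_version: 15

# Lists hold plain items and can only be used inside other expressions.
- list: shell_binaries
  items: [bash, sh, zsh, dash]

- list: sensitive_files
  items: [/etc/shadow, /etc/sudoers]

# Macros are named condition fragments; they may reference lists and other macros.
- macro: spawned_process
  condition: evt.type = execve and evt.dir = <

- macro: open_read
  condition: (evt.type in (open, openat, openat2) and evt.is_open_read = true and fd.typechar = 'f')

- macro: in_container
  condition: container.id != host

# Rules combine macros and lists into a condition plus an output string.
- rule: Shell Spawned in Container
  desc: A shell binary was executed inside a container
  condition: spawned_process and in_container and proc.name in (shell_binaries)
  output: >
    Shell spawned in container (user=%user.name shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline container=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [container, shell]

- rule: Read Sensitive File
  desc: A process opened a file from the sensitive_files list for reading
  condition: open_read and fd.name in (sensitive_files)
  output: >
    Sensitive file opened for reading (user=%user.name command=%proc.cmdline
    file=%fd.name container=%container.id)
  priority: WARNING
  tags: [filesystem, credential_access]
```

Before loading, validate the file with `falco -V <file>` so that a typo in a macro or list name is caught at startup rather than silently producing no alerts.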

The Falco organization maintains a rules repository that provides easy-to-install rules and examples for rule writers. You can learn more about the default and custom rulesets in the documentation.

We recommend carefully reading each dedicated guide below. In addition, here is a list of recent Falco blog posts that may be of interest and can help you find the optimal use of Falco and its rules for your use cases: