Rule fields

Understand what role each field in a rule plays

A Falco rule can contain the following keys:

ruleyesA short, unique name for the rule.
conditionyesA filtering expression that is applied against events to check whether they match the rule.
descyesA longer description of what the rule detects.
outputyesSpecifies the message that should be output if a matching event occurs. See output.
priorityyesA case-insensitive representation of the severity of the event. Should be one of the following: emergency, alert, critical, error, warning, notice, informational, debug.
exceptionsnoA set of exceptions that cause the rule to not generate an alert.
enablednoIf set to false, a rule is neither loaded nor matched against any events.true
tagsnoA list of tags applied to the rule (more on this below).
warn_evttypesnoIf set to false, Falco suppresses warnings related to a rule not having an event type (more on this below).true
skip-if-unknown-filternoIf set to true, if a rule conditions contains a filtercheck, e.g. fd.some_new_field, that is not known to this version of Falco, Falco silently accepts the rule but does not execute it; if set to false, Falco repots an error and exists when finding an unknown filtercheck.false
sourcenoThe event source for which this rule should be evaluated. Typical values are syscall, k8s_audit, or the source advertised by a source plugin.syscall
appendnoWhen set to true, it adds conditions and/or exceptions to a previously defined rule or macro instead of overseeding it. Not used when the goal is just to enable an already existing rule. In case of appending to a list, it adds new elements to it.