Rule fields

Last modified December 19, 2022
Understand what role each field in a rule plays

A Falco rule can contain the following keys:

KeyRequiredDescriptionDefault
ruleyesA short, unique name for the rule.
conditionyesA filtering expression that is applied against events to check whether they match the rule.
descyesA longer description of what the rule detects.
outputyesSpecifies the message that should be output if a matching event occurs. See output.
priorityyesA case-insensitive representation of the severity of the event. Should be one of the following: emergency, alert, critical, error, warning, notice, informational, debug.
exceptionsnoA set of exceptions that cause the rule to not generate an alert.
enablednoIf set to false, a rule is neither loaded nor matched against any events.true
tagsnoA list of tags applied to the rule (more on this below).
warn_evttypesnoIf set to false, Falco suppresses warnings related to a rule not having an event type (more on this below).true
skip-if-unknown-filternoIf set to true, if a rule conditions contains a filtercheck, e.g. fd.some_new_field, that is not known to this version of Falco, Falco silently accepts the rule but does not execute it; if set to false, Falco repots an error and exists when finding an unknown filtercheck.false
sourcenoThe event source for which this rule should be evaluated. Typical values are syscall, k8s_audit, or the source advertised by a source plugin.syscall