Falco Rules
A Falco rules file is a YAML file containing mainly three types of elements:
| Element | Description |
|---|---|
| Rules | Conditions under which an alert should be generated. A rule is accompanied by a descriptive output string that is sent with the alert. |
| Macros | Rule condition snippets that can be re-used inside rules and even other macros. Macros provide a way to name common patterns and factor out redundancies in rules. |
| Lists | Collections of items that can be included in rules, macros, or other lists. Unlike rules and macros, lists cannot be parsed as filtering expressions. |
Falco rules files can also contain two optional elements related to versioning:
| Element | Description |
|---|---|
| required_engine_version | Used to track compatibility between rules content and the Falco engine version. |
| required_plugin_versions | Used to track compatibility between rules content and plugin versions. |
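As an added example (not taken from the Falco documentation or the Falco rules repository), here is a minimal rules file that uses all three element types together with required_engine_version; the list, macro and rule names, the shell binaries chosen, and the engine version number are assumptions made for illustration.

```yaml
# Version gate: Falco refuses to load this file if its engine is older than
# the stated version. The value here is a placeholder, not a recommendation.
- required_engine_version: 10

# A list: plain items, not a filter expression. Lists are substituted
# verbatim wherever they are referenced, e.g. "proc.name in (shell_binaries)".
- list: shell_binaries
  items: [bash, sh, zsh, dash]

# A macro: a reusable condition fragment. This one matches the return
# side ("<" direction) of an execve/execveat syscall, i.e. a process start.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

# A second macro built on the default "container.id != host" convention,
# so the rule below does not have to repeat the container check.
- macro: in_container
  condition: container.id != host

# A rule: combines the macros and the list into one condition, and carries
# the output string sent with the alert plus a priority and tags that
# "Controlling Rules" can use to load or skip it selectively.
- rule: Shell Spawned in Container (example)
  desc: A shell listed in shell_binaries was started inside a container.
  condition: spawned_process and in_container and proc.name in (shell_binaries)
  output: "Shell spawned in container (user=%user.name container=%container.id image=%container.image.repository command=%proc.cmdline)"
  priority: WARNING
  tags: [container, shell, example]
```

Each top-level YAML list item declares exactly one element, so a file can freely interleave lists, macros and rules as long as every name is defined before the rule that references it is evaluated.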
The Falco organization maintains a rules repository that provides easy-to-install rules and examples for rule writers. You can learn more about the default and custom rulesets in the documentation.
We recommend carefully reading each dedicated guide below. In addition, here is a list of recent Falco blog posts that may be of interest to you and can help guide you in finding the optimal use of Falco and its rules for your use cases:
- Adaptive Syscalls Selection in Falco
- Validating NIST Requirements with Falco
- PCI/DSS Controls with Falco
- Defensive Capabilities for Container & Cloud Threats with Tidal
- Basic Elements of Falco Rules: Understand Falco Rules, Lists and Macros
- Default and Local Rules Files: Falco provides default rules, but you can add your own
- Condition Syntax: Learn how to write conditions for a Falco Rule
- Overriding Rules: Overriding Falco rules
- Rule Exceptions: Add exceptions to Falco Rules to adapt them to your environment
- Controlling Rules: Disable default rules or use tags to load Falco Rules selectively
- Custom Ruleset: Start writing your first custom Falco rules
- Escaping Special Characters: Escape special characters in your Falco Rules
- Style Guide of Falco Rules: Adopt best practices when writing and contributing Falco rules
- Accessing File System Paths in Falco Rules: How fs.path.* fields work
- Adoption of Falco Rules in Production: How to adopt Falco rules in real-life production
- Resolving Domain Names in Falco Rules: How fd.sip.name and related fields work
- Using the pmatch Operator to Match File System Paths: How the pmatch Operator Works
- Rule Format Version: Understand how Falco Rules support explicit versioning
- IDE Support: IDE Support for Falco Rules Files