Falco Rules

Last modified December 19, 2022
Write and customize Falco Rules to secure your environment

A Falco rules file is a YAML file containing mainly three types of elements:

Rules: Conditions under which an alert should be generated. A rule is accompanied by a descriptive output string that is sent with the alert.
Macros: Rule condition snippets that can be re-used inside rules and even other macros. Macros provide a way to name common patterns and factor out redundancies in rules.
Lists: Collections of items that can be included in rules, macros, or other lists. Unlike rules and macros, lists cannot be parsed as filtering expressions.

Falco rules files can also contain two optional elements related to versioning:

required_engine_version: Used to track compatibility between rules content and the Falco engine version.
required_plugin_versions: Used to track compatibility between rules content and plugin versions.
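The following rules file ties these elements together. It is an added illustration, not a file taken from Falco's default ruleset: the list, macro and rule names are chosen for this example, and the engine version pinned by required_engine_version is an assumed value that you should set to whatever your installed Falco actually requires. The fields used in the condition and output (evt.type, evt.dir, container.id, proc.name, user.name and so on) are standard Falco syscall fields.

```yaml
# Example Falco rules file (added illustration; not part of the default rules).

# Optional versioning element: refuse to load on an engine older than this.
# The number 10 is an assumption for the example; match it to your deployment.
- required_engine_version: 10

# A list: a plain collection of items, usable inside macros and rules but not
# itself a filtering expression.
- list: shell_binaries
  items: [bash, sh, zsh, dash]

# Macros: named condition snippets. 'spawned_process' matches the exit of an
# execve syscall, i.e. a successfully started program.
- macro: spawned_process
  condition: evt.type = execve and evt.dir=<

# 'container' is true only for events that originate inside a container.
- macro: container
  condition: container.id != host

# A rule: combines the macros and the list into a condition, and carries the
# output template that is sent with the alert, a priority and tags.
- rule: Shell spawned in container
  desc: An interactive shell binary was started inside a container
  condition: spawned_process and container and proc.name in (shell_binaries)
  output: >
    Shell spawned in container
    (user=%user.name container=%container.id image=%container.image.repository
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell]
```

Load it with the -r flag (falco -r example_rules.yaml) or drop it into the directory referenced by rules_file in falco.yaml; if the engine is older than the pinned required_engine_version, Falco rejects the file at startup rather than silently loading rules that may reference fields it does not know.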

Basic Elements of Falco Rules

Understand Falco Rules, Lists and Macros

Default and Local Rules Files

Falco provides default rules, but you can add your own

Condition Syntax

Learn how to write conditions for a Falco Rule

Extending Rules

Appending to Lists, Rules, and Macros

Rule Exceptions

Add exceptions to Falco Rules to adapt them to your environment

Controlling Rules

Disable default rules or use tags to load Falco Rules selectively

Escaping Special Characters

Escape special characters in your Falco Rules

Resolving Domain Names in Falco Rules

How fd.sip.name and related fields work

Rule Format Version

Understand how Falco Rules support explicit versioning

IDE Support

IDE Support for Falco Rules Files