You are viewing documentation for Falco version: v0.33.1


Falco Rules

Last modified December 19, 2022
Write and customize Falco Rules to secure your environment

A Falco rules file is a YAML file containing three main types of elements:

Element: Description
Rules: Conditions under which an alert should be generated. A rule is accompanied by a descriptive output string that is sent with the alert.
Macros: Rule condition snippets that can be re-used inside rules and even other macros. Macros provide a way to name common patterns and factor out redundancies in rules.
Lists: Collections of items that can be included in rules, macros, or other lists. Unlike rules and macros, lists cannot be parsed as filtering expressions.

Falco rules files can also contain two optional elements related to versioning:

Element: Description
required_engine_version: Used to track compatibility between rules content and the Falco engine version.
required_plugin_versions: Used to track compatibility between rules content and plugin versions.
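The file layout described above, as an added example that is not part of the original page or of Falco's own default rules file: one minimal rules file combining a list, a macro, a rule, and the optional required_engine_version element. The list, macro and rule names, the output string and the engine version number are constructed for illustration (pick the version that matches the Falco engine you actually run); the field names (evt.type, evt.dir, proc.name, container.id) are standard Falco syscall fields.

```yaml
# Optional versioning element: refuses to load on an engine older than this.
# The value 12 is a constructed placeholder; use the version your Falco reports.
- required_engine_version: 12

# List: plain collection of items, referenced inside conditions with "in (...)".
- list: shell_binaries
  items: [bash, sh, zsh, dash]

# Macro: a named condition snippet, reusable in rules and other macros.
# Matches the exit of execve/execveat, i.e. a newly started process.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

# Macro built on another macro-free predicate: container.id is "host" outside containers.
- macro: in_container
  condition: container.id != host

# Rule: the condition combines both macros and the list; output is sent with the alert.
- rule: Shell Spawned in Container
  desc: A shell binary was started inside a container
  condition: spawned_process and in_container and proc.name in (shell_binaries)
  output: >
    Shell started in container
    (user=%user.name container=%container.id image=%container.image.repository
    proc=%proc.cmdline parent=%proc.pname)
  priority: WARNING
  tags: [container, shell]
```

Load it with the `-r` flag (for example `falco -r custom_rules.yaml`) and Falco validates the YAML, checks `required_engine_version`, and resolves the list and macro references before any event is evaluated, so a typo in a macro name is reported at load time rather than silently matching nothing.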

Basic Elements of Falco Rules

Understand Falco Rules, Lists and Macros

Default and Local Rules Files

Falco provides default rules, but you can add your own

Default Macros

Falco provides default macros to enhance your rules

Condition Syntax

Learn how to write conditions for a Falco Rule

Extending Rules

Appending to Lists, Rules, and Macros

Rule Exceptions

Add exceptions to Falco Rules to adapt them to your environment

Controlling Rules

Disable default rules or use tags to load Falco Rules selectively

Escaping Special Characters

Escape special characters in your Falco Rules

Resolving Domain Names in Falco Rules

How fd.sip.name and related fields work

Rule Format Version

Understand how Falco Rules support explicit versioning