Basic Elements of Falco Rules
Understand Falco Rules, Lists and Macros
Falco Rules
Last modified December 19, 2022
Write and customize Falco Rules to secure your environment
A Falco rules file is a YAML file containing mainly three types of elements:
| Element | Description |
|---|---|
| Rules | Conditions under which an alert should be generated. A rule is accompanied by a descriptive output string that is sent with the alert. |
| Macros | Rule condition snippets that can be re-used inside rules and even other macros. Macros provide a way to name common patterns and factor out redundancies in rules. |
| Lists | Collections of items that can be included in rules, macros, or other lists. Unlike rules and macros, lists cannot be parsed as filtering expressions. |
Falco rules files can also contain two optional elements related to versioning:
| Element | Description |
|---|---|
required_engine_version | Used to track compatibility between rules content and the falco engine version. |
required_plugin_versions | Used to track compatibility between rules content and plugin versions. |
Default and Local Rules Files
Falco provides default rules, but you can add your own
Default Macros
Falco provides default macros to enhance your rules
Condition Syntax
Learn how to write conditions for a Falco Rule
Extending Rules
Appending to Lists, Rules, and Macros
Rule Exceptions
Add exceptions to Falco Rules to adapt them to your environment
Controlling Rules
Disable default rules or use tags to load Falco Rules selectively
Escaping Special Characters
Escape special characters in your Falco Rules
Resolving Domain Names in Falco Rules
How fd.sip.name and related fields work
Rule Format Version
Understand how Falco Rules support explicit versioning
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.
Last modified December 19, 2022: update(docs): add descriptions where missing in frontmatter (0e41219)