Falco Rules
A Falco rules file is a YAML file containing mainly three types of elements:
| Element | Description |
|---|---|
| Rules | Conditions under which an alert should be generated. A rule is accompanied by a descriptive output string that is sent with the alert. |
| Macros | Rule condition snippets that can be re-used inside rules and even other macros. Macros provide a way to name common patterns and factor out redundancies in rules. |
| Lists | Collections of items that can be included in rules, macros, or other lists. Unlike rules and macros, lists cannot be parsed as filtering expressions. |
Falco rules files can also contain two optional elements related to versioning:
| Element | Description |
|---|---|
required_engine_version | Used to track compatibility between rules content and the falco engine version. |
required_plugin_versions | Used to track compatibility between rules content and plugin versions. |
Basic Elements of Falco Rules
Understand Falco Rules, Lists and Macros
Default and Local Rules Files
Falco provides default rules, but you can add your own
Condition Syntax
Learn how to write conditions for a Falco Rule
Extending Rules
Appending to Lists, Rules, and Macros
Rule Exceptions
Add exceptions to Falco Rules to adapt them to your environment
Controlling Rules
Disable default rules or use tags to load Falco Rules selectively
Escaping Special Characters
Escape special characters in your Falco Rules
Resolving Domain Names in Falco Rules
How fd.sip.name and related fields work
Rule Format Version
Understand how Falco Rules support explicit versioning
IDE Support
IDE Support for Falco Rules Files
Was this page helpful?
Let us know! You feedback will help us to improve the content and to stay in touch with our users.
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.