Explore the Official Documentation for a starting point and better understanding of rule concepts. Users can modify the community-contributed Falco rules to fit their needs or use them as examples. In most cases, users also create their own custom rules. Keep in mind that the rules in this repository are related to Falco's primary monitoring functions, specifically for syscalls and container events. Meanwhile, Falco plugin rules are stored within the respective subfolders of the Plugins repository.
Because Falco rules, especially Sandbox and Incubating rules, are dynamic, it's crucial to stay updated. As threats and systems evolve, Falco evolves with each release. Therefore, regularly check the Rules Overview Document, Falco's Supported Fields, and Falco's release notes with every new release. It is recommended to consistently use the most recent Falco Release to avoid compatibility issues.
Important: The Falco Project only guarantees that the most recent rules releases are compatible with the latest Falco release. Discover all rule files in the rules/ folder. Refer to our Release Process and Rules Maturity Framework for rule categorization, release procedures, and usage guidelines. Published upon tagging a new release, the maturity_stable rules in the falco_rules.yaml file are included in the Falco release package. Other maturity-level rules are released separately, requiring explicit installation and possible customization for effective adoption.
Beginning with rules version 3.0.0, the required_engine_version follows Semantic Versioning and requires Falco version 0.37.0 or higher. Since rules version 2.0.0, we've modified our rules' shipping and distribution process. With Falco >= 0.37.0, Selective Rules Overrides aim to further streamline the customization of rules. Since Falco 0.36.0, you can use the rule_matching config to resolve issues with overlapping rules, a consequence of the default "first match wins" principle. Starting from Falco 0.35.0, you have precise control over the syscalls that are being monitored; see base_syscalls. Lastly, keep in mind that the Rules Maturity Framework is a best effort on the part of the community, and ultimately, you have to decide if any rules are useful for your use cases.
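As an added illustration of the customization workflow described above (this is example content, not a file from the falco rules repository), the following custom rules file declares a semantic required_engine_version, defines its own list and macro, appends an exception to a community rule with a Selective Rules Override, disables another community rule by overriding a single field, and adds a rule written from scratch. The community rule names "Terminal shell in container" and "Read sensitive file untrusted" are assumed to exist in the loaded falco_rules.yaml; the list items and the custom rule name are constructed.

```yaml
# Added example: a custom rules file loaded after falco_rules.yaml.
# Not part of the falco rules repository; names marked "assumed" are assumptions.

# Rules version 3.0.0+ uses a semantic version here (needs Falco >= 0.37.0).
- required_engine_version: 0.37.0

# Constructed list: images that are allowed to run interactive shells.
- list: trusted_shell_images
  items: [docker.io/library/alpine, registry.example.com/ops/toolbox]

# Constructed macro reused by the override and the custom rule below.
- macro: trusted_shell_container
  condition: (container.image.repository in (trusted_shell_images))

# Selective Rules Override (Falco >= 0.37.0): append to the community rule's
# condition instead of copying and maintaining the whole condition ourselves.
# "Terminal shell in container" is assumed to exist in falco_rules.yaml;
# Falco refuses to load the file if the overridden rule is not defined.
- rule: Terminal shell in container
  condition: and not trusted_shell_container
  override:
    condition: append

# Override a single field: disable an assumed community rule that is noisy here.
- rule: Read sensitive file untrusted
  enabled: false
  override:
    enabled: replace

# Custom rule written from scratch. Every field used below is documented in
# Falco's Supported Fields; check it again after each Falco release.
- rule: Shell Spawned In Untrusted Container
  desc: An interactive shell was started in a container whose image is not on the trusted list
  condition: >
    evt.type in (execve, execveat) and evt.dir=<
    and container.id != host
    and proc.name in (bash, sh, zsh)
    and not trusted_shell_container
  output: Shell in untrusted container (user=%user.name image=%container.image.repository proc=%proc.cmdline container_id=%container.id)
  priority: NOTICE
  tags: [container, shell, custom]
```

Load this file after the community file (for example via the ordered rules_files list in falco.yaml), since an override only applies to a rule that has already been defined. Note that rule_matching and base_syscalls are falco.yaml settings, not keys of a rules file, so tuning "first match wins" behaviour or the monitored syscall set happens in the engine configuration rather than here.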
Be cautious: The main branch has the latest development. Before using rules from the main branch, check for compatibility. Changes like new output fields might cause incompatibilities with the latest stable Falco release. The Falco Project recommends using rules only from the release branches. Lastly, we'd like to highlight the importance of regular engineering effort to effectively adopt Falco rules. Considering that each adopter's system and monitoring needs are unique, it's advisable to view the rules as examples.
Debugging: Historically, we've noted that issues often arise either from incorrect configurations or from genuine bugs, acknowledging that no software is entirely bug-free. The Falco Project continually updates its Install and Operate and Troubleshooting guides. We kindly suggest reviewing these guides. In the context of Falco rules, some missing output fields, such as container images, can be expected under certain circumstances and fall within our tolerance for imperfection. We are committed to addressing and resolving issues within our control.