@leogr
Created October 25, 2020 10:33
A Falco rule skeleton
```yaml
# A Falco rules file is a YAML file containing three types of elements:
#
# - rule: Conditions under which an alert should be generated.
#   A rule is accompanied by a descriptive output string that is sent with the alert.
#
# - macro: Rule condition snippets that can be re-used inside rules and even other macros.
#   Macros provide a way to name common patterns and factor out redundancies in rules.
#
# - list: Collections of items that can be included in rules, macros, or other lists.
#   Unlike rules and macros, lists cannot be parsed as filtering expressions.

- rule: # A short, unique name for the rule
  desc: # A longer description of what the rule detects
  condition: # A filtering expression that is applied against events
  output: # Specifies the message that should be output if a matching event occurs
  priority: # One of EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFORMATIONAL, DEBUG
```
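The skeleton above leaves every field empty. The following rules file is an added example (not part of the original gist) that fills in all three element types so the relationships between them are visible: a list supplies the set of shell binaries, two macros name the reusable conditions, and the rule composes them. The rule name, description, and list contents are illustrative choices; the field names used (`evt.type`, `evt.dir`, `proc.name`, `container.id`, `container.image.repository`, `user.name`, `proc.pname`, `proc.cmdline`) are standard Falco filter fields.

```yaml
# Added example (not from the original gist): a minimal but complete Falco rules file.

# A list is a plain collection of items; it cannot be used as a condition on its own,
# but it can be expanded inside a condition with the "in (list_name)" syntax.
- list: shell_binaries
  items: [bash, sh, zsh, dash]

# A macro is a named condition fragment. It is referenced by name inside rules
# and other macros, which keeps the rule conditions short and consistent.
- macro: spawned_process
  condition: evt.type = execve and evt.dir = <

- macro: container
  condition: container.id != host

# The rule combines the macros and the list into one filtering expression.
# The output string uses %field placeholders that Falco fills from the matching event.
- rule: Shell spawned in container
  desc: An interactive shell binary was started inside a container
  condition: spawned_process and container and proc.name in (shell_binaries)
  output: >
    Shell spawned in container
    (user=%user.name container_id=%container.id image=%container.image.repository
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: NOTICE
  tags: [container, shell]
```

Each `%field` in `output` is resolved against the event that matched `condition`, so the alert carries the context an analyst needs (who, which container, which image, what command) without a second lookup. Keeping the process-spawn and container checks in macros means every rule in the file that needs them uses exactly the same definition, which is what makes a larger rule set maintainable.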