This feature is available in Enterprise Edition only.
This feature is actively developed. It might significantly change in the future.

FalcoAuditRules

Scope: Cluster
Version: v1alpha1

  • specobject

    Required value

    • spec.requiredEngineVersioninteger

      Used to ensure compatibility between the rules content and the Falco engine version.

    • spec.requiredK8sAuditPluginVersionstring

      Used to ensure compatibility between the rules content and plugin versions.

    • spec.rulesarray of objects

      Required value

      Describes the Falco rules that will be applied to monitor the cluster runtime.

      These rules help detect threats at runtime by observing the behavior of your applications and containers.

      Refer to the Falco documentation and reference for more details.

      Minimal length: 1

      • spec.rules.listobject

        Collections of items that can be included in rules, macros, or other lists.

        Unlike rules and macros, lists cannot be parsed as filtering expressions.

        • spec.rules.list.itemsarray

          Required value

          A list of values.

        • spec.rules.list.namestring

          Required value

          A unique name for the list (as a slug).

      • spec.rules.macroobject

        Rule condition snippets that can be re-used inside other rules and even macros.

        Macros provide a way to name common patterns and eliminate redundancies in the rules.

        • spec.rules.macro.conditionstring

          Required value

          A filtering expression that is applied to events to check whether they match the rule.

        • spec.rules.macro.namestring

          Required value

          A short, unique name for the macro.

      • spec.rules.ruleobject

        Defines the conditions under which an alert is to be generated.

        The rule is accompanied by a descriptive output string that is sent with an alert.

        • spec.rules.rule.conditionstring

          Required value

          A filtering expression that is applied to events to check whether they match the rule.

        • spec.rules.rule.descstring

          Required value

          A detailed description of what the rule detects.

        • spec.rules.rule.enabledboolean

          If set to false, a rule is neither loaded nor matched against any events.

          Default: true

        • spec.rules.rule.namestring

          Required value

          A short, unique name for the rule.

        • spec.rules.rule.outputstring

          Required value

          A message to output if a matching event occurs.

        • spec.rules.rule.prioritystring

          Required value

          A severity of the event.

          Allowed values: Emergency, Alert, Critical, Error, Warning, Notice, Informational, Debug

        • spec.rules.rule.sourcestring

          The event source for which this rule is to be evaluated.

          Default: "Syscall"

          Allowed values: Syscall, K8sAudit

        • spec.rules.rule.tagsarray of strings

          A list of tags applied to the rule.