Create a falco_rules.local.yaml file and define a list of known web server executables using the 'list' keyword with a descriptive name
Define a macro that checks whether the process name is in your web server list using 'proc.name in (list_name)' syntax
Write a rule whose 'condition' combines your macro with 'evt.type = connect' and 'evt.dir = <' (the syscall exit event, where the fd.* fields are populated and the result is known), then add a remote-network check to scope it to external destinations, e.g. 'not fd.rnet in (internal_networks)'; note that plain 'fd.net' matches either end of the socket, so a negated check on it will also drop connections whose local address is internal
Set 'priority', 'output' (including fields like proc.name, fd.rip, and container.id), and 'desc' fields on the rule
Apply the local rules file to Falco by passing it with the '-r' flag (repeatable, loaded in the order given) or adding it under the 'rules_file' key in falco.yaml (named 'rules_files' in recent releases; the packaged config already lists falco_rules.local.yaml after falco_rules.yaml), and validate the file first with 'falco -V /etc/falco/falco_rules.local.yaml'
Trigger a test connection from a web server process and confirm the alert appears in Falco output; running curl from a shell will not fire the rule because proc.name is then 'curl', so the connection must originate from a process whose name is in your list (for example a copy of curl renamed to 'nginx', or the real server fetching an upstream)
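The complete falco_rules.local.yaml for the steps above, as an added example rather than a file from the original page. The binary names, the internal network ranges and the rule name are assumptions for illustration; 'fd.rnet' is the remote-side network field, used instead of 'fd.net' so that a local RFC 1918 address does not suppress the match.

```yaml
# falco_rules.local.yaml -- added example, not from the original page.
# Order matters on older loaders: lists first, then macros, then rules.

# Assumption: these are the web server binaries running on the host/cluster.
- list: web_server_binaries
  items: [nginx, httpd, apache2, caddy]

# Assumption: RFC 1918 ranges plus loopback count as "internal" here.
- list: internal_networks
  items: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]

- macro: web_server_procs
  condition: proc.name in (web_server_binaries)

# evt.dir = < selects the exit of connect(), where the fd fields are filled in.
# fd.typechar 4/6 restricts to IPv4/IPv6 sockets (drops unix sockets, pipes).
# fd.rnet is the remote side's network; fd.net would match either side.
# The last clause drops failed connects but keeps non-blocking ones in flight.
- macro: web_server_outbound
  condition: >
    evt.type = connect and evt.dir = <
    and (fd.typechar = 4 or fd.typechar = 6)
    and not fd.rnet in (internal_networks)
    and (evt.rawres >= 0 or evt.res = EINPROGRESS)

# Unique name: it must not collide with a rule bundled in falco_rules.yaml,
# otherwise this definition silently replaces the bundled one.
- rule: Web Server Outbound Connection
  desc: A web server process opened a connection to a non-internal address
  condition: web_server_procs and web_server_outbound
  output: >
    Web server made outbound connection
    (proc=%proc.name cmdline=%proc.cmdline dest=%fd.rip:%fd.rport
    user=%user.name container=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [network, web]
```

Validate with 'falco -V /etc/falco/falco_rules.local.yaml' before loading it. To exercise the rule without touching the real server, copy a client binary under a listed name and connect with it, e.g. 'cp /usr/bin/curl /tmp/nginx && /tmp/nginx -s https://example.com >/dev/null'; the alert should name 'nginx' as proc and the resolved remote address as dest.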
Known gotchas
Define lists before the macros that reference them, and macros before the rules that use them: Falco's loader has historically read rules files top-to-bottom and rejected forward references, and keeping that order makes the file unambiguous on any version; 'falco -V <file>' reports an undefined list or macro before you deploy
The condition field must reference only valid Falco field selectors; 'falco --list' prints every supported field with its type, so check there which fd.* and evt.* fields are meaningful for the evt.type you are matching before writing conditions
falco_rules.local.yaml is loaded after the bundled rules, and a rule defined later with the same name replaces the earlier one — if your rule name collides with a bundled rule, your version takes precedence and the original is silently dropped; pick a unique name for your own rule, and if you do want to switch off a bundled rule, give it an entry with only 'enabled: false' rather than redefining it