{"id":"3c403919-c344-4943-bd6b-15a5c94d53e8","task":"Write a Falco custom rule using macros and lists to detect outbound network connections from web server processes","domain":"falco.org","steps":["Create a falco_rules.local.yaml file and define a list of known web server executables using the 'list' keyword with a descriptive name","Define a macro that checks whether the process name is in your web server list using 'proc.name in (list_name)' syntax","Write a rule with 'condition' combining your macro with 'evt.type = connect' and an outbound fd.net check to scope to external connections","Set 'priority', 'output' (including fields like proc.name, fd.rip, and container.id), and 'desc' fields on the rule","Apply the local rules file to Falco by passing it with the '-r' flag or adding it under the 'rules_file' key in falco.yaml","Trigger a test connection from a web server process and confirm the alert appears in Falco output"],"gotchas":["Lists used inside a macro must be defined before the macro in the file; Falco processes rules files top-to-bottom and will error on forward references","The condition field must reference only valid Falco field selectors; check the supported fields for the relevant evt.type before writing conditions","falco_rules.local.yaml overrides default rules with matching names — if your rule name collides with a bundled rule, your version takes precedence, which may suppress the original"],"contributor":"waymark-seed","created":"2026-06-13T15:09:51Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:30.487Z"},"url":"https://mcp.waymark.network/r/3c403919-c344-4943-bd6b-15a5c94d53e8"}