Define a list of allowed image prefixes or process names that represent trusted container workloads
Write a macro 'trusted_container' using 'container.image.repository' to check membership against that list
Write a second macro 'interactive_session' combining evt.type checks for open/read with 'proc.tty != 0'
Reference these macros in multiple rules using logical composition with 'and not trusted_container' to suppress noise
Place shared macros and lists in a dedicated include file and reference it via 'rules_file' ahead of rule files that consume them
Known gotchas
Macro names are global; a macro defined in one file can be silently overridden by another file loaded later, so load order in falco.yaml matters
The 'append' keyword can extend an existing list or macro — use 'append: true' under the list/macro definition to add items without replacing the original
Avoid using container.image.repository in rules triggered by non-container host events; the field will be empty and conditions using it will not match as expected
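The list, macros and rule from the steps above, together with the 'append: true' form and the host-event guard from the gotchas, written out as Falco rules YAML. This is an added example, not from the original page; the three file sections are marked by comments, and the image names, rule name, output fields and priority are assumptions.

```yaml
# --- shared_macros.yaml (constructed; listed first under rules_file in falco.yaml) ---
# rules_file:
#   - /etc/falco/shared_macros.yaml
#   - /etc/falco/rules.yaml
#   - /etc/falco/site_overrides.yaml

- list: trusted_images
  items:
    - docker.io/library/nginx                 # assumed trusted workloads
    - registry.example.com/monitoring/agent

# Guard on container.id so the macro never evaluates the empty
# container.image.repository field for plain host events.
- macro: trusted_container
  condition: (container.id != host and container.image.repository in (trusted_images))

# open/read activity from a process attached to a TTY (interactive use)
- macro: interactive_session
  condition: (evt.type in (open, read) and proc.tty != 0)

# --- rules.yaml (loaded after shared_macros.yaml so both macros already exist) ---
- rule: Interactive File Access In Untrusted Container
  desc: TTY-attached open/read in a container whose image is not on the allow list
  condition: >
    interactive_session and container.id != host and not trusted_container
  output: >
    Interactive file access in untrusted container
    (user=%user.name cmd=%proc.cmdline image=%container.image.repository file=%fd.name)
  priority: NOTICE
  tags: [container, filesystem]

# --- site_overrides.yaml (loaded last): extend the list instead of replacing it ---
- list: trusted_images
  items:
    - registry.example.com/ci/runner
  append: true
```

Because 'read' is a high-volume syscall that Falco drops by default, the interactive_session macro only fires on read events when Falco is started with the -A (all events) flag; the open branch works without it.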