Set the priority field to one of the supported levels: EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFORMATIONAL (INFO is accepted as an alias), or DEBUG. Choose by severity following the Falco convention: ERROR for rules that detect writes to state (filesystem changes, etc.), WARNING for unauthorized reads of state (e.g., sensitive files), NOTICE for unexpected behaviour (an unexpected shell or network connection), and INFO for violations of good practice
Write the output field as a format string in which each %field token (e.g., 'Sensitive file read (proc=%proc.name file=%fd.name)') is replaced with the value of that Falco filter field, so the alert carries the context an analyst needs (user, process, command line, file, container)
Add an exceptions key to the rule as a list of named exception objects; each object has a fields property listing one or more filter-check fields and an optional comps property with one comparison operator per field (defaults to = for every field)
Provide the values for each exception as a values list of tuples, one entry per field in the same order as fields; values can also be contributed later, from a separate rules file, by repeating the rule name and exception name with append: true instead of redefining the rule
Validate the rules file with falco --validate <rules_file> before deployment; the command exits non-zero on a load error
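The procedure above, carried through as one complete rules file. This is an added example, not a rule from the original page or from the Falco project's default ruleset: the rule, list and macro names, the file list, the process names in the exception values and the second-file comment are all illustrative and chosen for this page.

```yaml
# Added example rules file for Falco (hypothetical rule and macro names).
# Loads with `falco --validate sensitive_read_rules.yaml`.

- list: sensitive_files
  items: [/etc/shadow, /etc/gshadow, /etc/sudoers]

# Named with a prefix so it does not collide with the `open_read` macro
# that ships in Falco's default rules.
- macro: example_open_read
  condition: (evt.type in (open, openat, openat2) and evt.is_open_read=true and fd.typechar='f')

- rule: Read of Sensitive File
  desc: A process outside the known-readers exception read a credential or sudo policy file
  condition: example_open_read and fd.name in (sensitive_files)
  # Each %field token is expanded from the event; fields with no value render as <NA>.
  output: >
    Sensitive file read (user=%user.name proc=%proc.name cmdline=%proc.cmdline
    file=%fd.name container=%container.name)
  # Unauthorized read of state -> WARNING per the Falco priority convention.
  priority: WARNING
  tags: [filesystem, example]
  exceptions:
    # fields, comps and each values tuple are positionally aligned:
    # proc.name = <value0> and fd.name = <value1>
    - name: known_readers
      fields: [proc.name, fd.name]
      comps: [=, =]
      values:
        - [unix_chkpwd, /etc/shadow]   # PAM helper that legitimately reads shadow
        - [sudo, /etc/sudoers]

# The block below would normally live in a separate, later-loaded file
# (e.g. rules.d/local_exceptions.yaml) owned by the team that operates the host.
# `append: true` adds values to the existing named exception; fields and comps
# come from the original definition and are not repeated here.
- rule: Read of Sensitive File
  append: true
  exceptions:
    - name: known_readers
      values:
        - [backup_agent, /etc/shadow]   # hypothetical site-local backup process
```

Without the exceptions block the same allow-list would have to be written into the condition as `and not (proc.name=unix_chkpwd and fd.name=/etc/shadow) and not (...)`, which is what the exceptions mechanism is designed to avoid. Run `falco --validate sensitive_read_rules.yaml` after every change; `falco --list` prints the supported filter fields, which is the quickest way to confirm that every %field token in the output string is a real field name.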
Known gotchas
The exceptions mechanism (available since Falco 0.28) is preferred over embedding negative conditions in the rule condition string: the base condition stays readable, and other teams can extend the allow-list with append: true in their own rules file without editing or copying the rule itself
The priority value must be one of the defined levels (matched case-insensitively, with INFO accepted for INFORMATIONAL); any other value, including a misspelling, causes a rule load error, so write it as one of the uppercase names above
Do not rely on the loader to catch a mistyped field name in the output format string: a field that cannot be resolved for an event renders as <NA> in the alert rather than failing loudly, so check every %field token against falco --list and confirm a test alert renders the expected values before deployment