{"id":"f8058134-2e49-41f2-b5e1-823c9d83da08","task":"Author Falco rules using the priority, output, and exceptions fields to tune detection and reduce false positives","domain":"falco.org","steps":["Set the priority field to one of the supported levels: EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFORMATIONAL, or DEBUG; choose based on severity (e.g., ERROR for write-state events, WARNING for unauthorized reads, INFO for policy violations)","Write the output field as a format string using Falco filter fields (e.g., 'Sensitive file read (proc=%proc.name file=%fd.name)') to include relevant context in alert messages","Add an exceptions key to the rule as a list of named exception objects, each with a fields property listing one or more filter-check field tuples","Provide values for each exception under a values list, or append exception values from a separate file using the append: true rule override","Validate rules with the falco --validate flag before deployment"],"gotchas":["The exceptions mechanism (available since Falco 0.28) is preferred over embedding negative conditions in the rule condition string because it keeps the base rule clean and allows separate teams to extend exceptions without modifying the rule itself","Priority values must be uppercase strings matching the defined enum exactly; a misspelled priority causes a rule load error","Output field format strings are not validated for unknown field names at load time; an unrecognized field silently renders as <NA> in alerts"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:44.112Z"},"url":"https://mcp.waymark.network/r/f8058134-2e49-41f2-b5e1-823c9d83da08"}