Create a custom rules file (e.g., custom_rules.yaml) alongside the default Falco rules directory
Define a list of trusted process names (the `trusted_procs` list the rule below tests against) and a macro for container context using the `list` and `macro` keywords
Write a rule with `condition: evt.type = execve and container and not proc.name in (trusted_procs)` and set `priority: WARNING`
Set `output` to include `%container.id`, `%proc.name`, `%proc.cmdline`, and `%user.name` for actionable alerts
Mount the custom rules file into the Falco pod or reference it in `falco.yaml` under `rules_file`
Restart Falco and verify rule loading with `falco --dry-run` or by checking startup logs for rule parse errors
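The six steps above assembled into one rules file, as an added example that is not part of the original page or the Falco project's own rule set. The process names in `trusted_procs` are constructed sample values, the `container` macro is written out as in the default Falco rules, and the rule name, description and tags are assumptions:

```yaml
# custom_rules.yaml (added example; names and sample values are constructed)

# Step 2: list of process names expected to run in your containers.
# Constructed sample values; replace with what your images actually launch.
- list: trusted_procs
  items: [node, python3, nginx, sh]

# Step 2: macro giving "container context" (event did not originate on the host).
# The default falco_rules.yaml already defines this macro; if you load both
# files, drop this definition or mark it with an `override` block (see gotchas).
- macro: container
  condition: container.id != host

# Steps 3 and 4: the rule, using the condition and priority from the procedure
# and an output line carrying the fields an analyst needs to act on the alert.
- rule: Unexpected process launched in container
  desc: A process not in the trusted_procs list was executed inside a container
  condition: evt.type = execve and container and not proc.name in (trusted_procs)
  output: >
    Unexpected process in container
    (container=%container.id proc=%proc.name cmdline=%proc.cmdline user=%user.name)
  priority: WARNING
  tags: [container, process, custom]
```

For step 5, either mount the file into the Falco pod next to the default rules or add its path as a second entry under `rules_file:` in `falco.yaml` (after the default `falco_rules.yaml`, since Falco evaluates rules in file order). For step 6, `falco --dry-run` loads the configuration and rules without processing events, so a typo in a field name or a YAML indentation error shows up as a parse error before the rule is live.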
Known gotchas
Falco evaluates rules in file order; a later `override` block is required to extend or replace a base rule rather than silently duplicating it
The `execve` event fires for every process launch including init containers and health-check scripts — keep the trusted list accurate to avoid alert fatigue
Field names differ between Falco versions; always verify field availability with `falco --list` for your installed version