Chapter 6. Fields and Filters
It's finally time to take all the theory you learned in the previous chapters and start putting it into practice. In this chapter you will learn about Falco filters: what they are, how they work, and how to use them.
Filters are at the core of Falco. They are also a powerful investigation instrument that can be used in several other tools, such as sysdig. As a consequence, we expect that you will come back and consult this chapter often, even after finishing the book—so we've structured it to be used as a reference. For example, it contains tables with all of the operators and data types the filtering language provides, designed for quick consultation, as well as a well-documented list of Falco's most useful fields. This chapter's contents will be handy pretty much every time you write a Falco rule, so make sure to bookmark it!
What Is a Filter?
Let's start with a semiformal definition:
A filter in Falco is a condition containing a sequence of comparisons that are connected by Boolean operators. Each of the comparisons evaluates a field, which is extracted from an input event, against a constant, using a relational operator. Comparisons in filters are evaluated left to right, but parentheses can be used to define precedence. A filter is applied to an input event and returns a Boolean result indicating if the event matches the filter.
Ouch. That description is extremely dry and somewhat complicated. But if we unpack it, with the aid ...
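The definition above can be made concrete with a small evaluator. The following is an added example written for this chapter, not Falco's own code: it parses a subset of Falco's condition syntax (dotted fields such as `proc.name`, the relational operators `=`, `!=`, `<`, `<=`, `>`, `>=`, `contains`, `startswith`, `endswith` and `in`, and the Boolean connectives `and`, `or`, `not` with parentheses) and then applies the condition to a single event, returning the Boolean result the definition describes. The event and its field values are constructed for the example, and two choices are the example's own rather than documented Falco behaviour: `and` binds tighter than `or` unless parentheses say otherwise, and a field the event does not carry never matches.

```python
import re

# Constructed sample event (not captured from a real system). Field names follow
# Falco's dotted convention; the values are invented for this example.
SAMPLE_EVENT = {
    "evt.type": "open",
    "proc.name": "bash",
    "fd.name": "/etc/shadow",
    "user.uid": 0,
}

# Relational operators supported by this example (a subset of Falco's operator table).
OPERATORS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "contains": lambda a, b: str(b) in str(a),
    "startswith": lambda a, b: str(a).startswith(str(b)),
    "endswith": lambda a, b: str(a).endswith(str(b)),
    "in": lambda a, b: a in b,
}


def tokenize(text):
    """Split a condition into parentheses, commas, quoted strings and bare words."""
    return [m.group(1) for m in re.finditer(r'\s*(\(|\)|,|"[^"]*"|[^\s(),]+)', text)]


def literal(tok):
    """Turn a constant token into a Python value: quoted string, integer, or bare word."""
    if tok.startswith('"') and tok.endswith('"'):
        return tok[1:-1]
    try:
        return int(tok)
    except ValueError:
        return tok


class Parser:
    """Recursive-descent parser producing a tree of ('or'|'and'|'not'|'cmp', ...) tuples."""

    def __init__(self, text):
        self.toks = tokenize(text)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected!r}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):                      # lowest precedence: a or b or c
        left = self.parse_and()
        while self.peek() == "or":
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):                     # binds tighter than 'or' (example's choice)
        left = self.parse_not()
        while self.peek() == "and":
            self.take()
            left = ("and", left, self.parse_not())
        return left

    def parse_not(self):                     # 'not', parenthesised group, or a comparison
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        if self.peek() == "(":
            self.take("(")
            node = self.parse_or()
            self.take(")")
            return node
        return self.parse_comparison()

    def parse_comparison(self):              # field <operator> constant | field in (c1, c2, ...)
        field, op = self.take(), self.take()
        if op not in OPERATORS:
            raise SyntaxError(f"unknown operator {op!r}")
        if op == "in":
            self.take("(")
            values = [literal(self.take())]
            while self.peek() == ",":
                self.take(",")
                values.append(literal(self.take()))
            self.take(")")
            return ("cmp", field, op, values)
        return ("cmp", field, op, literal(self.take()))


def evaluate(node, event):
    """Apply a parsed condition to one event; comparisons read fields from the event dict."""
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    if kind == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if kind == "not":
        return not evaluate(node[1], event)
    _, field, op, const = node
    if field not in event:        # example's choice: an absent field never matches
        return False
    try:
        return OPERATORS[op](event[field], const)
    except TypeError:             # e.g. ordering a string against an integer
        return False


def matches(condition, event):
    """Compile a condition string and return whether the event matches it."""
    return evaluate(Parser(condition).parse(), event)


if __name__ == "__main__":
    cond = "evt.type in (open, openat) and fd.name startswith /etc and user.uid = 0"
    print(cond, "->", matches(cond, SAMPLE_EVENT))
```

The two conditions `proc.name = bash or proc.name = sh and fd.name = /nonexistent` and `(proc.name = bash or proc.name = sh) and fd.name = /nonexistent` give different answers on the sample event, which is why a rule that mixes `and` and `or` should always spell out its grouping with parentheses rather than rely on the parser's defaults.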