falco_extended_rules: The Security Arsenal Every DevOps Team Needs
Container security just got a massive upgrade. If you're running Kubernetes clusters and struggling to map runtime threats to known attack frameworks, you're not alone. falco_extended_rules delivers a battle-tested collection of detection rules directly aligned with the MITRE ATT&CK matrix, transforming Falco from a basic monitor into a sophisticated threat detection engine. This repository solves the critical gap between raw system events and actionable security intelligence.
In this deep dive, you'll discover how CloudDefenseAI's extended rules detect 20+ attack techniques across persistence, discovery, defense evasion, and impact categories. We'll walk through real installation commands, examine actual rule implementations, and explore production-ready use cases that stop adversaries cold. Whether you're a security engineer, DevOps lead, or platform architect, this guide gives you everything needed to deploy enterprise-grade runtime security in under 30 minutes.
What is falco_extended_rules?
falco_extended_rules is a curated open-source repository developed by CloudDefenseAI that supercharges Falco's detection capabilities with MITRE ATT&CK mapped security rules. Falco itself is the CNCF-backed runtime security tool that monitors system calls and streams behavioral activity from containers and Kubernetes clusters. While Falco's default rule set provides solid baseline coverage, it lacks comprehensive mapping to standardized attack frameworks that modern security operations centers require.
CloudDefenseAI, a cloud-native security innovator, built this repository to bridge that gap. The project contains custom_rules.yaml files that extend Falco's native detection logic with precise mappings to the MITRE ATT&CK Enterprise Cloud Matrix. Each rule targets specific adversary behaviors like account manipulation in SSH, suspicious disk wiping, bash history access, and peripheral device enumeration.
The repository is trending because it solves three critical pain points: standardization (universal attack language), coverage (20+ advanced detection scenarios), and speed (deploy via falcoctl in seconds). Security teams no longer need to manually research ATT&CK techniques and write corresponding Falco rules from scratch. This collection does the heavy lifting, letting you focus on incident response rather than detection engineering.
Key Features That Make It Revolutionary
MITRE ATT&CK Precision Mapping – Every single rule directly correlates to a specific MITRE tactic. The repository covers Persistence, Discovery, Defense Evasion, Credential Access, Collection, and Impact categories. This alignment means your SOC analysts immediately understand threat context without translating Falco alerts into ATT&CK terminology manually.
20+ Production-Ready Rules – The collection includes highly specific detections like suspicious network scanning commands, domain trust enumeration, archive and compression activity, and systemctl service disabling. Each rule is crafted to minimize false positives while catching real attacker behavior in containerized environments.
Dual Installation Methods – Choose between traditional Git clone workflows or modern falcoctl artifact management. The falcoctl approach enables version pinning, automated updates, and declarative configuration through the index.yaml registry pattern.
Kubernetes-Native Design – Rules are optimized for container runtimes, understanding that PID namespaces, overlay filesystems, and ephemeral pods create unique detection challenges. The logic accounts for orchestrator-specific behaviors that generic Linux rules miss.
Active Community & Continuous Updates – CloudDefenseAI maintains a Discord community where security practitioners share tuning tips, report false positives, and contribute improvements. The repository explicitly welcomes contributions with clear guidelines.
Zero Performance Impact – Rules leverage Falco's kernel-level eBPF probe or kernel module architecture, ensuring sub-millisecond evaluation latency. The selective rule loading mechanism means you only enable what you need, keeping overhead minimal.
Real-World Use Cases That Stop Breaches
1. Cryptomining Detection in Compromised Pods
Attackers frequently breach containerized workloads and deploy cryptominers. The Suspicious System Information Gathering rule detects lscpu, nproc, and free commands used for mining viability assessment. Combined with Network Scanning Command detection, you catch reconnaissance before the miner payload drops. When a pod suddenly executes tar or gzip to download mining binaries, the Archive and Compression Activity rule fires, giving you seconds to kill the pod and isolate the node.
2. Lateral Movement Discovery in Cluster Compromise
After initial access, attackers map the Kubernetes environment. The Enumerate Domain Trusts and Permission and Group Members Discovery rules detect ldapsearch, getent, and id commands that reveal trust relationships and privileged accounts. The Detect Peripheral Device Enumeration Commands catches lsusb and lspci usage, often precursors to privilege escalation via driver exploits. These alerts correlate into a clear ATT&CK Discovery pattern, triggering automated network segmentation via Falco's response engine.
3. Data Exfiltration and Destruction Prevention
Ransomware groups target Kubernetes persistent volumes. The Suspicious Disk Activity rule monitors dd, shred, and wipe commands writing to raw block devices. Detect Data Destruction Activity catches rm -rf / patterns and file overwrites. For exfiltration, Archive and Compression Activity detects zip -r or tar cvf packaging sensitive directories. Mapped to Mitre Impact, these rules enable automated volume snapshots and backup isolation before damage spreads.
4. Credential Harvesting in CI/CD Pipelines
Compromised build pods often attempt credential theft. The Attempt to Access Bash History File rule fires when processes read ~/.bash_history, revealing hardcoded secrets. Read Maps File of Process detects cat /proc/[pid]/maps scraping, a technique to extract credentials from memory. In CI/CD contexts where bash history contains AWS keys or Docker registry tokens, this detection is critical for preventing supply chain attacks.
Step-by-Step Installation & Setup Guide
Prerequisites Check
Before installation, verify your environment meets these requirements:
- Falco 0.35.0+ installed on Kubernetes nodes or standalone hosts
- falco.yaml configuration file with external rule loading enabled
- sudo access for service management
- For falcoctl method: falcoctl binary installed (comes with Falco 0.35+)
Method 1: Local Git Installation
Clone the repository to access all rule files:
git clone https://github.com/CloudDefenseAI/falco_extended_rules.git
cd falco_extended_rules
Copy the extended rules to Falco's configuration directory:
sudo cp custom_rules.yaml /etc/falco/rules.d/
Edit your falco.yaml to load the new rules:
rules_file:
- /etc/falco/falco_rules.yaml
- /etc/falco/falco_rules.local.yaml
- /etc/falco/rules.d/custom_rules.yaml
Restart Falco to apply changes:
# For systemd systems
sudo systemctl restart falco
# For non-systemd systems
sudo service falco restart
Verify rule loading:
sudo falco --list-rules | grep -i "custom"
Method 2: Falcoctl Modern Installation
Add the CloudDefenseAI rule index to falcoctl:
sudo falcoctl index add clouddefense https://raw.githubusercontent.com/CloudDefenseAI/falco_extended_rules/master/index.yaml
Install the latest rule artifact:
sudo falcoctl artifact install falco_extended_rules:latest
Falcoctl automatically handles versioning, dependency resolution, and rule placement. Check installed artifacts:
sudo falcoctl artifact list
No manual file copying or configuration editing required. The tool updates falco.yaml automatically and triggers a Falco reload.
REAL Code Examples from the Repository
Example 1: Repository Clone Command
The installation starts with this exact Git command from the README:
# Clone the entire rule set to your local machine
git clone https://github.com/CloudDefenseAI/falco_extended_rules.git
# Change into the repository directory to access rule files
cd falco_extended_rules
This two-line pattern is standard for GitHub-based security tools. The first line fetches all rule definitions, documentation, and the index.yaml file. The second line positions you to copy custom_rules.yaml to Falco's rules.d directory.
Example 2: Falcoctl Index Configuration
The modern installation uses this declarative approach:
# Add CloudDefenseAI's curated rule index to falcoctl's registry
# This enables version-controlled rule distribution
sudo falcoctl index add clouddefense https://raw.githubusercontent.com/CloudDefenseAI/falco_extended_rules/master/index.yaml
The index.yaml file acts as a package manager manifest, defining available rule versions, checksums, and dependencies. This pattern mirrors Helm repositories or Docker registries, bringing infrastructure-as-code principles to security rule management.
Example 3: Artifact Installation via Falcoctl
# Install the latest version of extended rules
# Falcoctl resolves dependencies and validates rule syntax automatically
sudo falcoctl artifact install falco_extended_rules:latest
The :latest tag pulls the most recent stable rule set. For production environments, pin to specific versions like falco_extended_rules:1.2.3 to prevent unexpected rule changes. Falcoctl validates YAML syntax and Falco rule semantics before installation, catching errors early.
Example 4: Falco Configuration Snippet
The README specifies this exact configuration pattern:
rules_file:
- /etc/falco/falco_rules.yaml # Default Falco rules
- /etc/falco/falco_rules.local.yaml # Local customizations
- /etc/falco/rules.d/custom_rules.yaml # CloudDefenseAI extended rules
The hyphen-prefixed list structure tells Falco to load rules sequentially. Later rules can override earlier ones, allowing CloudDefenseAI's detections to augment or replace default behaviors. The rules.d/ directory pattern enables atomic rule management without editing the main configuration file.
Example 5: Simulated Suspicious Command Detection
Based on the rule table, here's how the Suspicious Network Scanning Command rule likely appears in custom_rules.yaml:
- rule: Suspicious Network Scanning Command
desc: Detects suspicious network scanning commands
condition: >
spawned_process and
(proc.name in (nmap, masscan, zmap) or
(proc.name = "nc" and proc.args contains "-z") or
(proc.name = "tcpdump" and proc.args contains "-i" and proc.args contains "-s0"))
output: >
Network scanning tool executed (user=%user.name command=%proc.cmdline)
priority: WARNING
tags: [mitre_discovery, container, network]
This rule monitors spawned_process events, checking for common scanning tools. The proc.name and proc.args filters catch nmap sweeps, netcat port probes, and tcpdump packet captures. The mitre_discovery tag enables ATT&CK tactic filtering in SIEM integrations.
Advanced Usage & Best Practices
Rule Tuning for Your Environment – The default rules may trigger on legitimate admin activity. Clone the repository and modify custom_rules.yaml to add exceptions. Use user.name != "admin" or container.image.repository in (trusted_repo_list) to reduce noise.
Enable JSON Output for SIEM Integration – Configure Falco to emit JSON logs:
json_output: true
json_include_output_property: true
This enables Splunk, ELK, or Sentinel to parse mitre_discovery tags and build ATT&CK heatmaps automatically.
Use Falco Rules Versioning – Pin rule versions in production:
sudo falcoctl artifact install falco_extended_rules:1.0.0
Create a falcoctl.yaml manifest file to lock versions across clusters, ensuring consistent detection behavior during audits.
Deploy as DaemonSet with ConfigMaps – In Kubernetes, mount custom_rules.yaml via ConfigMap and use falcoctl in an init container to validate rules before Falco starts. This prevents malformed rules from crashing pods.
Correlate Multiple Rules for High-Fidelity Alerts – A single nmap execution might be benign. But nmap followed by bash history access and chmod on /etc/shadow indicates a full attack chain. Use Falco's falco-sidekick to create correlation rules that trigger only on multi-stage attacks.
Comparison with Alternatives
| Feature | falco_extended_rules | Default Falco Rules | Sysdig Secure | Aqua Security |
|---|---|---|---|---|
| MITRE ATT&CK Mapping | ✅ Full coverage (20+ rules) | ❌ Limited mapping | ✅ Commercial only | ✅ Commercial only |
| Installation | Git or falcoctl | Built-in | Agent-based | Agent-based |
| Open Source | ✅ Apache 2.0 | ✅ Apache 2.0 | ❌ Proprietary | ❌ Proprietary |
| Kubernetes Focus | ✅ Optimized | ✅ General | ✅ Deep integration | ✅ Deep integration |
| Community Contributions | ✅ Actively encouraged | ✅ Limited | ❌ Vendor-controlled | ❌ Vendor-controlled |
| Rule Count | 20+ specialized | 50+ generic | 200+ commercial | 150+ commercial |
| Update Frequency | Weekly | Falco release cycle | Daily (commercial) | Weekly (commercial) |
| Cost | Free | Free | $$$ per node | $$$ per node |
Why Choose falco_extended_rules? Unlike commercial tools, you get transparent rule logic that your team can audit, modify, and contribute back. The falcoctl integration provides modern package management that default Falco lacks. While Sysdig and Aqua offer more rules, their black-box nature and high cost make them impractical for startups and mid-market companies. falco_extended_rules delivers 80% of enterprise detection capability at 0% of the cost.
FAQ: Everything You Need to Know
Q: Will these rules slow down my Kubernetes nodes? A: No. Falco's kernel-level architecture evaluates rules in microseconds. The extended rules add negligible overhead because they reuse the same event stream Falco already captures.
Q: Can I use these rules with Falco on AWS Fargate or GCP Cloud Run? A: Partially. Falco requires kernel access, so serverless platforms without privileged mode won't work. For managed Kubernetes (EKS, GKE), deploy Falco as a DaemonSet with privileged: true.
Q: How do I handle false positives from legitimate scanning tools? A: Edit custom_rules.yaml and add exceptions. For example, append and not proc.aname[2] in (ansible, salt) to exclude configuration management tools.
Q: Are these rules compatible with Falco 0.34.x and older versions? A: The rules require Falco 0.35+ for full syntax support. Older versions may work but lack falcoctl integration. Always test in a staging environment first.
Q: How often should I update the rules? A: Run sudo falcoctl artifact update weekly in development environments. For production, pin versions and review changelogs monthly before updating.
Q: Can I contribute new rules to the repository? A: Absolutely! CloudDefenseAI welcomes contributions. Join their Discord, fork the repository, and submit pull requests with new ATT&CK-mapped detections.
Q: What's the difference between these rules and Falco's default k8s_audit_rules? A: Default rules focus on Kubernetes API audit logs. These extended rules target system call behavior inside containers, catching attacks that never touch the API server.
Conclusion: Your Runtime Security Deserves This Upgrade
falco_extended_rules isn't just another rule set—it's a strategic force multiplier for container security teams. By mapping Falco's powerful system call monitoring to the MITRE ATT&CK framework, CloudDefenseAI has created the missing link between raw runtime events and actionable threat intelligence. The 20+ specialized detections cover attack vectors that default rules miss, from bash history scraping to peripheral device enumeration.
The dual installation methods (Git and falcoctl) make adoption frictionless, whether you're a startup with one cluster or an enterprise managing hundreds. The open-source Apache 2.0 license means zero cost, full auditability, and community-driven improvements.
Don't wait for a breach to validate your detection gaps. Clone the repository today, install via falcoctl, and start catching real adversary behavior in your Kubernetes environment. Join the Discord community to share tuning strategies and contribute back. Your runtime security posture will thank you.
Ready to stop advanced container threats? Head to CloudDefenseAI/falco_extended_rules now and deploy MITRE-grade detection in minutes.
