Docs Home
sysdig 1.56.0 published on Wednesday, Apr 30, 2025 by sysdiglabs
sysdig.SecureRuleFalco
Explore with Pulumi AI
sysdig 1.56.0 published on Wednesday, Apr 30, 2025 by sysdiglabs
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as sysdig from "@pulumi/sysdig";
const example = new sysdig.SecureRuleFalco("example", {
description: "A shell was used as the entrypoint/exec point into a container with an attached terminal.",
tags: [
"container",
"shell",
"mitre_execution",
],
condition: "spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint",
output: "A shell was spawned in a container with an attached terminal (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)",
priority: "notice",
source: "syscall",
exceptions: [
{
name: "proc_names",
fields: ["proc.name"],
comps: ["in"],
values: JSON.stringify([[[
"python",
"python2",
"python3",
]]]),
},
{
name: "container_proc_name",
fields: [
"container.id",
"proc.name",
],
comps: [
"=",
"in",
],
values: JSON.stringify([[
"host",
[
"docker_binaries",
"k8s_binaries",
"lxd_binaries",
"nsenter",
],
]]),
},
{
name: "proc_cmdline",
fields: [
"proc.name",
"proc.cmdline",
],
comps: [
"in",
"contains",
],
values: JSON.stringify([
[
[
"python",
"python2",
"python3",
],
"/opt/draios/bin/sdchecks",
],
[
["java"],
"sdjagent.jar",
],
]),
},
],
});
import pulumi
import json
import pulumi_sysdig as sysdig
example = sysdig.SecureRuleFalco("example",
description="A shell was used as the entrypoint/exec point into a container with an attached terminal.",
tags=[
"container",
"shell",
"mitre_execution",
],
condition="spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint",
output="A shell was spawned in a container with an attached terminal (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)",
priority="notice",
source="syscall",
exceptions=[
{
"name": "proc_names",
"fields": ["proc.name"],
"comps": ["in"],
"values": json.dumps([[[
"python",
"python2",
"python3",
]]]),
},
{
"name": "container_proc_name",
"fields": [
"container.id",
"proc.name",
],
"comps": [
"=",
"in",
],
"values": json.dumps([[
"host",
[
"docker_binaries",
"k8s_binaries",
"lxd_binaries",
"nsenter",
],
]]),
},
{
"name": "proc_cmdline",
"fields": [
"proc.name",
"proc.cmdline",
],
"comps": [
"in",
"contains",
],
"values": json.dumps([
[
[
"python",
"python2",
"python3",
],
"/opt/draios/bin/sdchecks",
],
[
["java"],
"sdjagent.jar",
],
]),
},
])
package main
import (
"encoding/json"
"github.com/pulumi/pulumi-terraform-provider/sdks/go/sysdig/sysdig"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
tmpJSON0, err := json.Marshal([][][]string{
[][]string{
[]string{
"python",
"python2",
"python3",
},
},
})
if err != nil {
return err
}
json0 := string(tmpJSON0)
tmpJSON1, err := json.Marshal([][]interface{}{
[]interface{}{
"host",
[]string{
"docker_binaries",
"k8s_binaries",
"lxd_binaries",
"nsenter",
},
},
})
if err != nil {
return err
}
json1 := string(tmpJSON1)
tmpJSON2, err := json.Marshal([]interface{}{
[]interface{}{
[]string{
"python",
"python2",
"python3",
},
"/opt/draios/bin/sdchecks",
},
[]interface{}{
[]string{
"java",
},
"sdjagent.jar",
},
})
if err != nil {
return err
}
json2 := string(tmpJSON2)
_, err = sysdig.NewSecureRuleFalco(ctx, "example", &sysdig.SecureRuleFalcoArgs{
Description: pulumi.String("A shell was used as the entrypoint/exec point into a container with an attached terminal."),
Tags: pulumi.StringArray{
pulumi.String("container"),
pulumi.String("shell"),
pulumi.String("mitre_execution"),
},
Condition: pulumi.String("spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint"),
Output: pulumi.String("A shell was spawned in a container with an attached terminal (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)"),
Priority: pulumi.String("notice"),
Source: pulumi.String("syscall"),
Exceptions: sysdig.SecureRuleFalcoExceptionArray{
&sysdig.SecureRuleFalcoExceptionArgs{
Name: pulumi.String("proc_names"),
Fields: pulumi.StringArray{
pulumi.String("proc.name"),
},
Comps: pulumi.StringArray{
pulumi.String("in"),
},
Values: pulumi.String(json0),
},
&sysdig.SecureRuleFalcoExceptionArgs{
Name: pulumi.String("container_proc_name"),
Fields: pulumi.StringArray{
pulumi.String("container.id"),
pulumi.String("proc.name"),
},
Comps: pulumi.StringArray{
pulumi.String("="),
pulumi.String("in"),
},
Values: pulumi.String(json1),
},
&sysdig.SecureRuleFalcoExceptionArgs{
Name: pulumi.String("proc_cmdline"),
Fields: pulumi.StringArray{
pulumi.String("proc.name"),
pulumi.String("proc.cmdline"),
},
Comps: pulumi.StringArray{
pulumi.String("in"),
pulumi.String("contains"),
},
Values: pulumi.String(json2),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Sysdig = Pulumi.Sysdig;
return await Deployment.RunAsync(() =>
{
var example = new Sysdig.SecureRuleFalco("example", new()
{
Description = "A shell was used as the entrypoint/exec point into a container with an attached terminal.",
Tags = new[]
{
"container",
"shell",
"mitre_execution",
},
Condition = "spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint",
Output = "A shell was spawned in a container with an attached terminal (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)",
Priority = "notice",
Source = "syscall",
Exceptions = new[]
{
new Sysdig.Inputs.SecureRuleFalcoExceptionArgs
{
Name = "proc_names",
Fields = new[]
{
"proc.name",
},
Comps = new[]
{
"in",
},
Values = JsonSerializer.Serialize(new[]
{
new[]
{
new[]
{
"python",
"python2",
"python3",
},
},
}),
},
new Sysdig.Inputs.SecureRuleFalcoExceptionArgs
{
Name = "container_proc_name",
Fields = new[]
{
"container.id",
"proc.name",
},
Comps = new[]
{
"=",
"in",
},
Values = JsonSerializer.Serialize(new[]
{
new object?[]
{
"host",
new[]
{
"docker_binaries",
"k8s_binaries",
"lxd_binaries",
"nsenter",
},
},
}),
},
new Sysdig.Inputs.SecureRuleFalcoExceptionArgs
{
Name = "proc_cmdline",
Fields = new[]
{
"proc.name",
"proc.cmdline",
},
Comps = new[]
{
"in",
"contains",
},
Values = JsonSerializer.Serialize(new object?[]
{
new object?[]
{
new[]
{
"python",
"python2",
"python3",
},
"/opt/draios/bin/sdchecks",
},
new object?[]
{
new[]
{
"java",
},
"sdjagent.jar",
},
}),
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.sysdig.SecureRuleFalco;
import com.pulumi.sysdig.SecureRuleFalcoArgs;
import com.pulumi.sysdig.inputs.SecureRuleFalcoExceptionArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new SecureRuleFalco("example", SecureRuleFalcoArgs.builder()
.description("A shell was used as the entrypoint/exec point into a container with an attached terminal.")
.tags(
"container",
"shell",
"mitre_execution")
.condition("spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint")
.output("A shell was spawned in a container with an attached terminal (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)")
.priority("notice")
.source("syscall")
.exceptions(
SecureRuleFalcoExceptionArgs.builder()
.name("proc_names")
.fields("proc.name")
.comps("in")
.values(serializeJson(
jsonArray(jsonArray(jsonArray(
"python",
"python2",
"python3"
)))))
.build(),
SecureRuleFalcoExceptionArgs.builder()
.name("container_proc_name")
.fields(
"container.id",
"proc.name")
.comps(
"=",
"in")
.values(serializeJson(
jsonArray(jsonArray(
"host",
jsonArray(
"docker_binaries",
"k8s_binaries",
"lxd_binaries",
"nsenter"
)
))))
.build(),
SecureRuleFalcoExceptionArgs.builder()
.name("proc_cmdline")
.fields(
"proc.name",
"proc.cmdline")
.comps(
"in",
"contains")
.values(serializeJson(
jsonArray(
jsonArray(
jsonArray(
"python",
"python2",
"python3"
),
"/opt/draios/bin/sdchecks"
),
jsonArray(
jsonArray("java"),
"sdjagent.jar"
)
)))
.build())
.build());
}
}
resources:
example:
type: sysdig:SecureRuleFalco
properties:
# ID
description: A shell was used as the entrypoint/exec point into a container with an attached terminal.
tags:
- container
- shell
- mitre_execution
condition: spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint
output: A shell was spawned in a container with an attached terminal (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)
priority: notice
source: syscall
exceptions:
- name: proc_names
fields:
- proc.name
comps:
- in
values:
fn::toJSON:
- - - python
- python2
- python3
- name: container_proc_name
fields:
- container.id
- proc.name
comps:
- =
- in
values:
fn::toJSON:
- - host
- - docker_binaries
- k8s_binaries
- lxd_binaries
- nsenter
- name: proc_cmdline
fields:
- proc.name
- proc.cmdline
comps:
- in
- contains
values:
fn::toJSON:
- - - python
- python2
- python3
- /opt/draios/bin/sdchecks
- - - java
- sdjagent.jar
Create SecureRuleFalco Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SecureRuleFalco(name: string, args?: SecureRuleFalcoArgs, opts?: CustomResourceOptions);@overload
def SecureRuleFalco(resource_name: str,
args: Optional[SecureRuleFalcoArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def SecureRuleFalco(resource_name: str,
opts: Optional[ResourceOptions] = None,
append: Optional[bool] = None,
condition: Optional[str] = None,
description: Optional[str] = None,
exceptions: Optional[Sequence[SecureRuleFalcoExceptionArgs]] = None,
minimum_engine_version: Optional[float] = None,
name: Optional[str] = None,
output: Optional[str] = None,
priority: Optional[str] = None,
secure_rule_falco_id: Optional[str] = None,
source: Optional[str] = None,
tags: Optional[Sequence[str]] = None,
timeouts: Optional[SecureRuleFalcoTimeoutsArgs] = None)func NewSecureRuleFalco(ctx *Context, name string, args *SecureRuleFalcoArgs, opts ...ResourceOption) (*SecureRuleFalco, error)public SecureRuleFalco(string name, SecureRuleFalcoArgs? args = null, CustomResourceOptions? opts = null)
public SecureRuleFalco(String name, SecureRuleFalcoArgs args)
public SecureRuleFalco(String name, SecureRuleFalcoArgs args, CustomResourceOptions options)
type: sysdig:SecureRuleFalco
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SecureRuleFalcoArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SecureRuleFalcoArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecureRuleFalcoArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecureRuleFalcoArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SecureRuleFalcoArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var secureRuleFalcoResource = new Sysdig.SecureRuleFalco("secureRuleFalcoResource", new()
{
Append = false,
Condition = "string",
Description = "string",
Exceptions = new[]
{
new Sysdig.Inputs.SecureRuleFalcoExceptionArgs
{
Name = "string",
Values = "string",
Comps = new[]
{
"string",
},
Fields = new[]
{
"string",
},
},
},
MinimumEngineVersion = 0,
Name = "string",
Output = "string",
Priority = "string",
SecureRuleFalcoId = "string",
Source = "string",
Tags = new[]
{
"string",
},
Timeouts = new Sysdig.Inputs.SecureRuleFalcoTimeoutsArgs
{
Create = "string",
Delete = "string",
Read = "string",
Update = "string",
},
});
example, err := sysdig.NewSecureRuleFalco(ctx, "secureRuleFalcoResource", &sysdig.SecureRuleFalcoArgs{
Append: pulumi.Bool(false),
Condition: pulumi.String("string"),
Description: pulumi.String("string"),
Exceptions: sysdig.SecureRuleFalcoExceptionArray{
&sysdig.SecureRuleFalcoExceptionArgs{
Name: pulumi.String("string"),
Values: pulumi.String("string"),
Comps: pulumi.StringArray{
pulumi.String("string"),
},
Fields: pulumi.StringArray{
pulumi.String("string"),
},
},
},
MinimumEngineVersion: pulumi.Float64(0),
Name: pulumi.String("string"),
Output: pulumi.String("string"),
Priority: pulumi.String("string"),
SecureRuleFalcoId: pulumi.String("string"),
Source: pulumi.String("string"),
Tags: pulumi.StringArray{
pulumi.String("string"),
},
Timeouts: &sysdig.SecureRuleFalcoTimeoutsArgs{
Create: pulumi.String("string"),
Delete: pulumi.String("string"),
Read: pulumi.String("string"),
Update: pulumi.String("string"),
},
})
var secureRuleFalcoResource = new SecureRuleFalco("secureRuleFalcoResource", SecureRuleFalcoArgs.builder()
.append(false)
.condition("string")
.description("string")
.exceptions(SecureRuleFalcoExceptionArgs.builder()
.name("string")
.values("string")
.comps("string")
.fields("string")
.build())
.minimumEngineVersion(0)
.name("string")
.output("string")
.priority("string")
.secureRuleFalcoId("string")
.source("string")
.tags("string")
.timeouts(SecureRuleFalcoTimeoutsArgs.builder()
.create("string")
.delete("string")
.read("string")
.update("string")
.build())
.build());
secure_rule_falco_resource = sysdig.SecureRuleFalco("secureRuleFalcoResource",
append=False,
condition="string",
description="string",
exceptions=[{
"name": "string",
"values": "string",
"comps": ["string"],
"fields": ["string"],
}],
minimum_engine_version=0,
name="string",
output="string",
priority="string",
secure_rule_falco_id="string",
source="string",
tags=["string"],
timeouts={
"create": "string",
"delete": "string",
"read": "string",
"update": "string",
})
const secureRuleFalcoResource = new sysdig.SecureRuleFalco("secureRuleFalcoResource", {
append: false,
condition: "string",
description: "string",
exceptions: [{
name: "string",
values: "string",
comps: ["string"],
fields: ["string"],
}],
minimumEngineVersion: 0,
name: "string",
output: "string",
priority: "string",
secureRuleFalcoId: "string",
source: "string",
tags: ["string"],
timeouts: {
create: "string",
"delete": "string",
read: "string",
update: "string",
},
});
type: sysdig:SecureRuleFalco
properties:
append: false
condition: string
description: string
exceptions:
- comps:
- string
fields:
- string
name: string
values: string
minimumEngineVersion: 0
name: string
output: string
priority: string
secureRuleFalcoId: string
source: string
tags:
- string
timeouts:
create: string
delete: string
read: string
update: string
SecureRuleFalco Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The SecureRuleFalco resource accepts the following input properties:
- Append bool
- This indicates that the rule being created appends the condition to an existing Sysdig-provided rule. By default this is false. Appending to user-created rules is not supported by the API.
- Condition string
- A Falco condition is simply a Boolean predicate on Sysdig events expressed using the Sysdig filter syntax and macro terms.
- Description string
- The description of Secure rule. By default is empty.
- Exceptions
List<Secure
Rule Falco Exception> - The exceptions key is a list of identifier plus list of tuples of filtercheck fields. See below for details.
- Minimum
Engine doubleVersion - This is used to indicate that the rule requires a minimum engine version. This can allow you to add rules that would not normally pass validation with older agents in your environment. The rule will only be processed by agents that support the minimum_engine_version specified.
- Name string
- The name of the Secure rule. It must be unique.
- Output string
- Add additional information to each Falco notification's output. Required if append is false.
- Priority string
- The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "info" or "debug". By default is "warning".
- Secure
Rule stringFalco Id - Source string
- The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github", or "guardduty". Required if append is false.
- List<string>
- A list of tags for this rule.
- Timeouts
Secure
Rule Falco Timeouts
- Append bool
- This indicates that the rule being created appends the condition to an existing Sysdig-provided rule. By default this is false. Appending to user-created rules is not supported by the API.
- Condition string
- A Falco condition is simply a Boolean predicate on Sysdig events expressed using the Sysdig filter syntax and macro terms.
- Description string
- The description of Secure rule. By default is empty.
- Exceptions
[]Secure
Rule Falco Exception Args - The exceptions key is a list of identifier plus list of tuples of filtercheck fields. See below for details.
- Minimum
Engine float64Version - This is used to indicate that the rule requires a minimum engine version. This can allow you to add rules that would not normally pass validation with older agents in your environment. The rule will only be processed by agents that support the minimum_engine_version specified.
- Name string
- The name of the Secure rule. It must be unique.
- Output string
- Add additional information to each Falco notification's output. Required if append is false.
- Priority string
- The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "info" or "debug". By default is "warning".
- Secure
Rule stringFalco Id - Source string
- The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github", or "guardduty". Required if append is false.
- []string
- A list of tags for this rule.
- Timeouts
Secure
Rule Falco Timeouts Args
- append Boolean
- This indicates that the rule being created appends the condition to an existing Sysdig-provided rule. By default this is false. Appending to user-created rules is not supported by the API.
- condition String
- A Falco condition is simply a Boolean predicate on Sysdig events expressed using the Sysdig filter syntax and macro terms.
- description String
- The description of Secure rule. By default is empty.
- exceptions
List<Secure
Rule Falco Exception> - The exceptions key is a list of identifier plus list of tuples of filtercheck fields. See below for details.
- minimum
Engine DoubleVersion - This is used to indicate that the rule requires a minimum engine version. This can allow you to add rules that would not normally pass validation with older agents in your environment. The rule will only be processed by agents that support the minimum_engine_version specified.
- name String
- The name of the Secure rule. It must be unique.
- output String
- Add additional information to each Falco notification's output. Required if append is false.
- priority String
- The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "info" or "debug". By default is "warning".
- secure
Rule StringFalco Id - source String
- The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github", or "guardduty". Required if append is false.
- List<String>
- A list of tags for this rule.
- timeouts
Secure
Rule Falco Timeouts
- append boolean
- This indicates that the rule being created appends the condition to an existing Sysdig-provided rule. By default this is false. Appending to user-created rules is not supported by the API.
- condition string
- A Falco condition is simply a Boolean predicate on Sysdig events expressed using the Sysdig filter syntax and macro terms.
- description string
- The description of Secure rule. By default is empty.
- exceptions
Secure
Rule Falco Exception[] - The exceptions key is a list of identifier plus list of tuples of filtercheck fields. See below for details.
- minimum
Engine numberVersion - This is used to indicate that the rule requires a minimum engine version. This can allow you to add rules that would not normally pass validation with older agents in your environment. The rule will only be processed by agents that support the minimum_engine_version specified.
- name string
- The name of the Secure rule. It must be unique.
- output string
- Add additional information to each Falco notification's output. Required if append is false.
- priority string
- The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "info" or "debug". By default is "warning".
- secure
Rule stringFalco Id - source string
- The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github", or "guardduty". Required if append is false.
- string[]
- A list of tags for this rule.
- timeouts
Secure
Rule Falco Timeouts
- append bool
- This indicates that the rule being created appends the condition to an existing Sysdig-provided rule. By default this is false. Appending to user-created rules is not supported by the API.
- condition str
- A Falco condition is simply a Boolean predicate on Sysdig events expressed using the Sysdig filter syntax and macro terms.
- description str
- The description of Secure rule. By default is empty.
- exceptions
Sequence[Secure
Rule Falco Exception Args] - The exceptions key is a list of identifier plus list of tuples of filtercheck fields. See below for details.
- minimum_
engine_ floatversion - This is used to indicate that the rule requires a minimum engine version. This can allow you to add rules that would not normally pass validation with older agents in your environment. The rule will only be processed by agents that support the minimum_engine_version specified.
- name str
- The name of the Secure rule. It must be unique.
- output str
- Add additional information to each Falco notification's output. Required if append is false.
- priority str
- The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "info" or "debug". By default is "warning".
- secure_
rule_ strfalco_ id - source str
- The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github", or "guardduty". Required if append is false.
- Sequence[str]
- A list of tags for this rule.
- timeouts
Secure
Rule Falco Timeouts Args
- append Boolean
- This indicates that the rule being created appends the condition to an existing Sysdig-provided rule. By default this is false. Appending to user-created rules is not supported by the API.
- condition String
- A Falco condition is simply a Boolean predicate on Sysdig events expressed using the Sysdig filter syntax and macro terms.
- description String
- The description of Secure rule. By default is empty.
- exceptions List<Property Map>
- The exceptions key is a list of identifier plus list of tuples of filtercheck fields. See below for details.
- minimum
Engine NumberVersion - This is used to indicate that the rule requires a minimum engine version. This can allow you to add rules that would not normally pass validation with older agents in your environment. The rule will only be processed by agents that support the minimum_engine_version specified.
- name String
- The name of the Secure rule. It must be unique.
- output String
- Add additional information to each Falco notification's output. Required if append is false.
- priority String
- The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "info" or "debug". By default is "warning".
- secure
Rule StringFalco Id - source String
- The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github", or "guardduty". Required if append is false.
- List<String>
- A list of tags for this rule.
- timeouts Property Map
Outputs
All input properties are implicitly available as output properties. Additionally, the SecureRuleFalco resource produces the following output properties:
Look up Existing SecureRuleFalco Resource
Get an existing SecureRuleFalco resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SecureRuleFalcoState, opts?: CustomResourceOptions): SecureRuleFalco@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
append: Optional[bool] = None,
condition: Optional[str] = None,
description: Optional[str] = None,
exceptions: Optional[Sequence[SecureRuleFalcoExceptionArgs]] = None,
minimum_engine_version: Optional[float] = None,
name: Optional[str] = None,
output: Optional[str] = None,
priority: Optional[str] = None,
secure_rule_falco_id: Optional[str] = None,
source: Optional[str] = None,
tags: Optional[Sequence[str]] = None,
timeouts: Optional[SecureRuleFalcoTimeoutsArgs] = None,
version: Optional[float] = None) -> SecureRuleFalcofunc GetSecureRuleFalco(ctx *Context, name string, id IDInput, state *SecureRuleFalcoState, opts ...ResourceOption) (*SecureRuleFalco, error)public static SecureRuleFalco Get(string name, Input<string> id, SecureRuleFalcoState? state, CustomResourceOptions? opts = null)public static SecureRuleFalco get(String name, Output<String> id, SecureRuleFalcoState state, CustomResourceOptions options)resources: _: type: sysdig:SecureRuleFalco get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Append bool
- This indicates that the rule being created appends the condition to an existing Sysdig-provided rule. By default this is false. Appending to user-created rules is not supported by the API.
- Condition string
- A Falco condition is simply a Boolean predicate on Sysdig events expressed using the Sysdig filter syntax and macro terms.
- Description string
- The description of Secure rule. By default is empty.
- Exceptions
List<Secure
Rule Falco Exception> - The exceptions key is a list of identifier plus list of tuples of filtercheck fields. See below for details.
- Minimum
Engine doubleVersion - This is used to indicate that the rule requires a minimum engine version. This can allow you to add rules that would not normally pass validation with older agents in your environment. The rule will only be processed by agents that support the minimum_engine_version specified.
- Name string
- The name of the Secure rule. It must be unique.
- Output string
- Add additional information to each Falco notification's output. Required if append is false.
- Priority string
- The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "info" or "debug". By default is "warning".
- Secure
Rule stringFalco Id - Source string
- The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github", or "guardduty". Required if append is false.
- List<string>
- A list of tags for this rule.
- Timeouts
Secure
Rule Falco Timeouts - Version double
- Current version of the resource in Sysdig Secure.
- Append bool
- This indicates that the rule being created appends the condition to an existing Sysdig-provided rule. By default this is false. Appending to user-created rules is not supported by the API.
- Condition string
- A Falco condition is simply a Boolean predicate on Sysdig events expressed using the Sysdig filter syntax and macro terms.
- Description string
- The description of Secure rule. By default is empty.
- Exceptions
[]Secure
Rule Falco Exception Args - The exceptions key is a list of identifier plus list of tuples of filtercheck fields. See below for details.
- Minimum
Engine float64Version - This is used to indicate that the rule requires a minimum engine version. This can allow you to add rules that would not normally pass validation with older agents in your environment. The rule will only be processed by agents that support the minimum_engine_version specified.
- Name string
- The name of the Secure rule. It must be unique.
- Output string
- Add additional information to each Falco notification's output. Required if append is false.
- Priority string
- The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "info" or "debug". By default is "warning".
- Secure
Rule stringFalco Id - Source string
- The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github", or "guardduty". Required if append is false.
- []string
- A list of tags for this rule.
- Timeouts
Secure
Rule Falco Timeouts Args - Version float64
- Current version of the resource in Sysdig Secure.
- append Boolean
- This indicates that the rule being created appends the condition to an existing Sysdig-provided rule. By default this is false. Appending to user-created rules is not supported by the API.
- condition String
- A Falco condition is simply a Boolean predicate on Sysdig events expressed using the Sysdig filter syntax and macro terms.
- description String
- The description of Secure rule. By default is empty.
- exceptions
List<Secure
Rule Falco Exception> - The exceptions key is a list of identifier plus list of tuples of filtercheck fields. See below for details.
- minimum
Engine DoubleVersion - This is used to indicate that the rule requires a minimum engine version. This can allow you to add rules that would not normally pass validation with older agents in your environment. The rule will only be processed by agents that support the minimum_engine_version specified.
- name String
- The name of the Secure rule. It must be unique.
- output String
- Add additional information to each Falco notification's output. Required if append is false.
- priority String
- The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "info" or "debug". By default is "warning".
- secure
Rule StringFalco Id - source String
- The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github", or "guardduty". Required if append is false.
- List<String>
- A list of tags for this rule.
- timeouts
Secure
Rule Falco Timeouts - version Double
- Current version of the resource in Sysdig Secure.
- append boolean
- This indicates that the rule being created appends the condition to an existing Sysdig-provided rule. By default this is false. Appending to user-created rules is not supported by the API.
- condition string
- A Falco condition is simply a Boolean predicate on Sysdig events expressed using the Sysdig filter syntax and macro terms.
- description string
- The description of Secure rule. By default is empty.
- exceptions
Secure
Rule Falco Exception[] - The exceptions key is a list of identifier plus list of tuples of filtercheck fields. See below for details.
- minimum
Engine numberVersion - This is used to indicate that the rule requires a minimum engine version. This can allow you to add rules that would not normally pass validation with older agents in your environment. The rule will only be processed by agents that support the minimum_engine_version specified.
- name string
- The name of the Secure rule. It must be unique.
- output string
- Add additional information to each Falco notification's output. Required if append is false.
- priority string
- The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "info" or "debug". By default is "warning".
- secure
Rule stringFalco Id - source string
- The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github", or "guardduty". Required if append is false.
- string[]
- A list of tags for this rule.
- timeouts
Secure
Rule Falco Timeouts - version number
- Current version of the resource in Sysdig Secure.
- append bool
- This indicates that the rule being created appends the condition to an existing Sysdig-provided rule. By default this is false. Appending to user-created rules is not supported by the API.
- condition str
- A Falco condition is simply a Boolean predicate on Sysdig events expressed using the Sysdig filter syntax and macro terms.
- description str
- The description of Secure rule. By default is empty.
- exceptions
Sequence[Secure
Rule Falco Exception Args] - The exceptions key is a list of identifier plus list of tuples of filtercheck fields. See below for details.
- minimum_
engine_ floatversion - This is used to indicate that the rule requires a minimum engine version. This can allow you to add rules that would not normally pass validation with older agents in your environment. The rule will only be processed by agents that support the minimum_engine_version specified.
- name str
- The name of the Secure rule. It must be unique.
- output str
- Add additional information to each Falco notification's output. Required if append is false.
- priority str
- The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "info" or "debug". By default is "warning".
- secure_
rule_ strfalco_ id - source str
- The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github", or "guardduty". Required if append is false.
- Sequence[str]
- A list of tags for this rule.
- timeouts
Secure
Rule Falco Timeouts Args - version float
- Current version of the resource in Sysdig Secure.
- append Boolean
- This indicates that the rule being created appends the condition to an existing Sysdig-provided rule. By default this is false. Appending to user-created rules is not supported by the API.
- condition String
- A Falco condition is simply a Boolean predicate on Sysdig events expressed using the Sysdig filter syntax and macro terms.
- description String
- The description of Secure rule. By default is empty.
- exceptions List<Property Map>
- The exceptions key is a list of identifier plus list of tuples of filtercheck fields. See below for details.
- minimum
Engine NumberVersion - This is used to indicate that the rule requires a minimum engine version. This can allow you to add rules that would not normally pass validation with older agents in your environment. The rule will only be processed by agents that support the minimum_engine_version specified.
- name String
- The name of the Secure rule. It must be unique.
- output String
- Add additional information to each Falco notification's output. Required if append is false.
- priority String
- The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "info" or "debug". By default is "warning".
- secure
Rule StringFalco Id - source String
- The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github", or "guardduty". Required if append is false.
- List<String>
- A list of tags for this rule.
- timeouts Property Map
- version Number
- Current version of the resource in Sysdig Secure.
Supporting Types
SecureRuleFalcoException, SecureRuleFalcoExceptionArgs
- Name string
- The name of the exception. Only used to provide a handy name, and to potentially link together values in a later rule that has
append = true. - Values string
- Contains tuples of values. Each item in the tuple should align 1-1 with the corresponding field
and comparison operator. Since the value can be a string, a list of strings or a list of a list of strings, the value
of this field must be supplied in JSON format. You can use the default
jsonencodefunction to provide this value. See the usage example on the top. - Comps List<string>
- Contains comparison operators that align 1-1 with the items in the fields property.
- Fields List<string>
- Contains one or more fields that will extract a value from the syscall/k8s_audit events.
- Name string
- The name of the exception. Only used to provide a handy name, and to potentially link together values in a later rule that has
append = true. - Values string
- Contains tuples of values. Each item in the tuple should align 1-1 with the corresponding field
and comparison operator. Since the value can be a string, a list of strings or a list of a list of strings, the value
of this field must be supplied in JSON format. You can use the default
jsonencodefunction to provide this value. See the usage example on the top. - Comps []string
- Contains comparison operators that align 1-1 with the items in the fields property.
- Fields []string
- Contains one or more fields that will extract a value from the syscall/k8s_audit events.
- name String
- The name of the exception. Only used to provide a handy name, and to potentially link together values in a later rule that has
append = true. - values String
- Contains tuples of values. Each item in the tuple should align 1-1 with the corresponding field
and comparison operator. Since the value can be a string, a list of strings or a list of a list of strings, the value
of this field must be supplied in JSON format. You can use the default
jsonencodefunction to provide this value. See the usage example on the top. - comps List<String>
- Contains comparison operators that align 1-1 with the items in the fields property.
- fields List<String>
- Contains one or more fields that will extract a value from the syscall/k8s_audit events.
- name string
- The name of the exception. Only used to provide a handy name, and to potentially link together values in a later rule that has
append = true. - values string
- Contains tuples of values. Each item in the tuple should align 1-1 with the corresponding field
and comparison operator. Since the value can be a string, a list of strings or a list of a list of strings, the value
of this field must be supplied in JSON format. You can use the default
jsonencodefunction to provide this value. See the usage example on the top. - comps string[]
- Contains comparison operators that align 1-1 with the items in the fields property.
- fields string[]
- Contains one or more fields that will extract a value from the syscall/k8s_audit events.
- name str
- The name of the exception. Only used to provide a handy name, and to potentially link together values in a later rule that has
append = true. - values str
- Contains tuples of values. Each item in the tuple should align 1-1 with the corresponding field
and comparison operator. Since the value can be a string, a list of strings or a list of a list of strings, the value
of this field must be supplied in JSON format. You can use the default
jsonencodefunction to provide this value. See the usage example on the top. - comps Sequence[str]
- Contains comparison operators that align 1-1 with the items in the fields property.
- fields Sequence[str]
- Contains one or more fields that will extract a value from the syscall/k8s_audit events.
- name String
- The name of the exception. Only used to provide a handy name, and to potentially link together values in a later rule that has
append = true. - values String
- Contains tuples of values. Each item in the tuple should align 1-1 with the corresponding field
and comparison operator. Since the value can be a string, a list of strings or a list of a list of strings, the value
of this field must be supplied in JSON format. You can use the default
jsonencodefunction to provide this value. See the usage example on the top. - comps List<String>
- Contains comparison operators that align 1-1 with the items in the fields property.
- fields List<String>
- Contains one or more fields that will extract a value from the syscall/k8s_audit events.
SecureRuleFalcoTimeouts, SecureRuleFalcoTimeoutsArgs
Import
Secure Falco runtime rules can be imported using the ID, e.g.
$ pulumi import sysdig:index/secureRuleFalco:SecureRuleFalco example 12345
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- sysdig sysdiglabs/terraform-provider-sysdig
- License
- Notes
- This Pulumi package is based on the
sysdigTerraform Provider.
sysdig 1.56.0 published on Wednesday, Apr 30, 2025 by sysdiglabs