# Falco rules: a list is defined, redefined with append: false, and then
# referenced by a rule. Presumably a fixture exercising list redefinition.

# First definition of my_list.
- list: my_list
  items:
    - cat

# Second definition under the same name. Because append is false, these items
# are not added to the earlier definition; this entry replaces it, so the
# effective content of my_list is [not-cat].
# NOTE(review): a later entry or rules file that redefines a list this way
# silently changes what every rule using the list matches. Review such
# redefinitions with the same care as a change to the rule itself.
- list: my_list
  append: false
  items:
    - not-cat

# The name and desc still say "cat", but proc.name is compared against the
# effective my_list. After the redefinition above, a process named cat no
# longer satisfies the condition.
- rule: Open From Cat
  desc: A process named cat does an open
  # evt.type=open matches only the open event; openat and openat2 are separate
  # event types and are not covered by this condition. proc.name is the
  # process name, not a verified identity of the binary.
  condition: evt.type=open and proc.name in (my_list)
  output: "An open was seen (command=%proc.cmdline)"
  priority: WARNING