Updated Falco Rules (markdown)

Falco-Rules.md

@@ -82,6 +82,32 @@ Here's an example:
 
 Referring to a list inserts the list items in the macro, rule, or list. Note that lists can contain other lists.
 
+### Appending to Lists
+(This feature isn't in any official Falco release yet, but it was added to the dev version as of https://github.com/draios/falco/pull/264)
+
+If you use multiple falco rules files, you might want to append new items to an existing list. To do that, define a list with the same name as an existing list, and add an `append: true` attribute to the list. Here's an example:
+
+*falco_rules.yaml*
+```
+- list: my_programs
+  items: [ls, cat, pwd]
+
+- rule: my_programs_opened_file
+  desc: track whenever a set of programs opens a file
+  condition: proc.name in (my_programs) and evt.type=open
+  output: a tracked program opened a file (user=%user.name command=%proc.cmdline file=%fd.name)
+  priority: INFO
+```
+
+*falco_rules-additional.yaml*
+```
+- list: my_programs
+  append: true
+  items: [cp]
+```
+
+If you ran falco via `falco -r falco_rules.yaml -r falco_rules-additional.yaml`, the rule `my_programs_opened_file` would trigger whenever any of `ls`, `cat`, `pwd`, or `ls` opened a file.
+
 ## Rule Priorities
 
 Every falco rule has a priority which indicates how serious a violation of the rule is. The priority will be included in the message/json output/etc. The possible set of priorities are: