Updated Falco Rules (markdown)

Falco-Rules.md

@@ -82,6 +82,28 @@ Here's an example:
 
 Referring to a list inserts the list items in the macro, rule, or list. Note that lists can contain other lists.
 
+## Rule Priorities
+
+Every falco rule has a priority which indicates how serious a violation of the rule is. The priority will be included in the message/json output/etc. The possible set of priorities are:
+
+* EMERGENCY
+* ALERT
+* CRITICAL
+* ERROR
+* WARNING
+* NOTICE
+* INFORMATIONAL
+* DEBUG
+
+The general guidelines used to assign priorities to rules are the following:
+
+* If a rule is related to a write of state (i.e. filesystem, etc.), its priority is ERROR.
+* If a rule is related to an unauthorized read of state (i.e. reading sensitive filees, etc.), its priority is WARNING.
+* If a rule is related to unexpected behavior (spawning an unexpected shell in a container, opening an unexpected network connection, etc.), its priority is NOTICE.
+* If a rule is related to behaving against good practices (unexpected privileged containers, containers with sensitive mounts, running interactive commands as root), its priority is INFO.
+
+One exception is that the rule "Run shell untrusted", which is fairly FP-prone, has a priority of DEBUG.
+
 ## Rule Tags
 
 As of 0.6.0, rules have an optional set of _tags_ that are used to categorize the ruleset into groups of related rules. Here's an example: