OSS2Falco is a collection of Falco rules converted from popular open-source security tools and rulesets, making it easy to leverage existing detection logic in your Falco deployment.
| File | Source |
|---|---|
| falco_rules_from_linpeas.yaml | Rules derived from LinPEAS privilege escalation checks |
| falco_rules_from_sigma.yaml | Rules converted from the Sigma generic signature format |
| falco_rules_from_splunk.yaml | Rules adapted from Splunk detection content |
Load a ruleset alongside your existing Falco configuration:

```bash
falco -r /etc/falco/falco_rules.yaml -r falco_rules_from_sigma.yaml
```

Or add the files to your falco.yaml:

```yaml
rules_file:
  - /etc/falco/falco_rules.yaml
  - /path/to/falco_rules_from_sigma.yaml
```

Requirements:

- Falco ≥ 0.35
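Because a rule with the same name in a later file redefines the earlier one, loading a converted ruleset next to the default rules can silently replace a default rule. The following pre-load check is added example code, not part of OSS2Falco: it reports rule names shared across files and rules missing a key Falco requires. The sample documents, rule names and conditions are constructed, and `load_and_check` assumes PyYAML is installed.

```python
from collections import defaultdict

# Keys Falco requires on every `rule` item; a file missing one fails to load.
REQUIRED_RULE_FIELDS = ("rule", "desc", "condition", "output", "priority")

def check_rule_files(docs_by_file):
    """docs_by_file maps file name -> parsed top-level YAML list of that file.
    Returns {'duplicates': {rule name: [files]}, 'incomplete': [(file, rule, missing keys)]}.
    Items without a `rule` key (macros, lists, required_engine_version) are skipped."""
    seen = defaultdict(list)
    incomplete = []
    for fname, items in docs_by_file.items():
        for item in items or []:
            if not isinstance(item, dict) or "rule" not in item:
                continue
            seen[item["rule"]].append(fname)
            missing = [f for f in REQUIRED_RULE_FIELDS if f not in item]
            if missing:
                incomplete.append((fname, item["rule"], missing))
    duplicates = {name: files for name, files in seen.items() if len(files) > 1}
    return {"duplicates": duplicates, "incomplete": incomplete}

def load_and_check(paths):
    """Parse real rule files with PyYAML (installed separately) and run the check."""
    import yaml  # imported lazily so the constructed sample below needs no extra package
    docs = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            docs[path] = yaml.safe_load(fh)
    return check_rule_files(docs)

# Constructed sample documents (not real rules): the default file plus a converted
# ruleset that reuses one rule name and omits the priority on another rule.
SAMPLE_DOCS = {
    "falco_rules.yaml": [
        {"macro": "sample_proc", "condition": "evt.type in (execve, execveat) and evt.dir=<"},
        {"rule": "Sample sensitive file read", "desc": "constructed", "priority": "WARNING",
         "condition": "open_read and fd.name=/etc/shadow", "output": "shadow read by %proc.name"},
    ],
    "falco_rules_from_sigma.yaml": [
        {"rule": "Sample sensitive file read", "desc": "constructed", "priority": "WARNING",
         "condition": "open_read and fd.name=/etc/shadow", "output": "shadow read by %proc.name"},
        {"rule": "Sample SUID execution", "desc": "constructed",  # no priority: file is rejected
         "condition": "sample_proc and proc.name=sudo", "output": "suid run by %proc.name"},
    ],
}

if __name__ == "__main__":
    print(check_rule_files(SAMPLE_DOCS))
```

Run `load_and_check(["/etc/falco/falco_rules.yaml", "falco_rules_from_sigma.yaml"])` against the real files before adding them to `rules_file`.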
Contributions are welcome: new conversions, rule improvements, and bug fixes are all appreciated. Please open an issue or submit a pull request.
This project is licensed under Apache 2.0.
Note that rules derived from Sigma remain subject to the Detection Rules License (DRL).