

Policies allow users to specify which events to trace in which workloads. The policy scope defines which workloads the policy is limited to, and the policy's rules specify the events to trace. The same policy format is used by both the Tracee CLI and the Tracee Kubernetes installation, which makes it easier to share policies across use cases and environments.

It is possible to load up to 64 policies into Tracee.

Here is an example policy:

apiVersion: tracee.aquasec.com/v1beta1
kind: Policy
metadata:
  name: overview-policy
  annotations:
    description: sample overview policy
spec:
  scope:
    - global
  rules:
    - event: dropped_executable
    - event: security_file_open
      filters:
        - args.pathname=/tmp/*

This policy applies to any workload (global) and will log the dropped_executable and security_file_open events. An argument filter (args.pathname) is set on the security_file_open event so that only files opened under the /tmp directory are logged.


Note that currently each event type can only be defined once in a policy.

There are many ways to fine-tune the scope and filters. For further details, have a look at the respective sections:

While specifying event filters is optional, policies must have the name, description, scope and rules fields.
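As an added example (not Tracee's own code), the following linter checks a set of policies against the constraints described above: the required name, description, scope and rules fields, the rule that each event type is defined only once per policy, and the limit of 64 loaded policies. It takes policies in already-parsed dict form (what a YAML loader would return), and the assumption that a filter such as args.pathname=/tmp/* always carries a comparison operator is mine, not a documented rule.

```python
# Added example, not Tracee's own code: lint policies against the constraints this
# page describes. Input is the parsed (dict) form of the YAML; no extra packages.
MAX_POLICIES = 64                # Tracee loads at most 64 policies
REQUIRED = ("name", "description", "scope", "rules")
OPERATORS = ("=", "<", ">")      # assumed filter shape, e.g. args.pathname=/tmp/*

def lint_policy(policy: dict) -> list[str]:
    # Returns the problems found in one policy; an empty list means it passes.
    problems = []
    metadata = policy.get("metadata") or {}
    spec = policy.get("spec") or {}
    fields = {
        "name": metadata.get("name"),
        "description": (metadata.get("annotations") or {}).get("description"),
        "scope": spec.get("scope"),
        "rules": spec.get("rules"),
    }
    for field in REQUIRED:
        if not fields[field]:
            problems.append(f"missing required field: {field}")
    seen = set()
    for rule in spec.get("rules") or []:
        event = rule.get("event")
        if not event:
            problems.append("rule without an event")
        elif event in seen:  # each event type may be defined only once per policy
            problems.append(f"event defined more than once: {event}")
        seen.add(event)
        for flt in rule.get("filters") or []:
            if not isinstance(flt, str) or not any(op in flt for op in OPERATORS):
                problems.append(f"malformed filter on {event}: {flt!r}")
    return problems

def lint_policies(policies: list[dict]) -> list[str]:
    # Lints a whole policy set, including Tracee's 64-policy limit.
    problems = []
    if len(policies) > MAX_POLICIES:
        problems.append(f"too many policies: {len(policies)} > {MAX_POLICIES}")
    for policy in policies:
        name = (policy.get("metadata") or {}).get("name") or "<unnamed>"
        problems += [f"{name}: {msg}" for msg in lint_policy(policy)]
    return problems

# Constructed sample: the overview policy shown on this page, in parsed form.
OVERVIEW_POLICY = {
    "apiVersion": "tracee.aquasec.com/v1beta1", "kind": "Policy",
    "metadata": {"name": "overview-policy",
                 "annotations": {"description": "sample overview policy"}},
    "spec": {"scope": ["global"], "rules": [
        {"event": "dropped_executable"},
        {"event": "security_file_open", "filters": ["args.pathname=/tmp/*"]}]},
}
```

Running lint_policies over the policy files you intend to load lets you catch a missing scope or a duplicated event before Tracee rejects the policy at startup.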