diff --git a/falco/rules.d/Readme.txt b/falco/rules.d/Readme.txt new file mode 100644 index 0000000..4bf3872 --- /dev/null +++ b/falco/rules.d/Readme.txt @@ -0,0 +1,3 @@ +Threat Hunting config for Falco + +* created a network logger (process, privileged or not, egress IP) - can be used on internal systems (select internal networks can be excluded) \ No newline at end of file
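Review bot: The bullet on the last added line says "select internal networks can be excluded" but does not say how. Name the rule file that holds the network logger and the list or macro a user edits to exclude a network, so the Readme can be followed without reading the rules. The path is also worth a second look: if falco/rules.d/ is loaded as a Falco rules directory, every file in it is read as rules, so a plain-text Readme.txt there should either move one level up or be confirmed as skipped by the loader. The file also ends without a trailing newline ("\ No newline at end of file"); add one.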