What is Falco? Open source runtime threat detection
Securing cloud workloads is critical. Cloud-native security tools that provide deep visibility into your runtime, such as Falco, help you to protect containers, Kubernetes, hosts, and cloud environments.
Falco definition
Falco is a cloud-native open source threat detection engine used by thousands of companies worldwide to help identify security threats, potential compliance violations, and suspicious or anomalous activity.
Falco was created in 2016 by Sysdig and donated to the Cloud Native Computing Foundation (CNCF) in 2017. It became a CNCF graduated project in 2024.
The popular open source cloud security tool can help you:
- Monitor events coming from the Linux kernel, such as system calls.
- Monitor Kubernetes audit logs with event source and data enrichment.
- Monitor cloud events through APIs and Falco plugins.
Organizations can use the default threat detection rules in Falco or implement ones created by the open source community. Organizations can customize existing rules to work with their unique threat model, and also use the Falco Feeds ruleset provided by Sysdig’s Threat Research Team.
Users can extend Falco further by installing several of its available add-ons, including Falcosidekick, Falco plugins, Falco Talon, and Falcoctl.
This article will help you understand Falco and its different components, so you can begin using it (follow this installation guide).
Then, you can begin reaping the benefits of improved runtime security.
Benefits of runtime security
Due to the dynamic and short-lived nature of some workloads in a Kubernetes environment, static scanning and other traditional security measures are insufficient.
As Kubernetes is a complex, dynamic system, it is challenging to stay on top of potential security risks. Runtime security, or the ability to monitor behavior in real time, is required to quickly identify and address security issues.
Runtime security is critical for a number of reasons:
- For starters, it aids in the prevention of malicious activities such as container breakouts, privilege escalation, and network attacks.
- Second, it aids in the enforcement of regulations such as HIPAA and PCI DSS.
- Finally, runtime security adds an extra layer of defense against vulnerabilities and exploits that static analysis or vulnerability scanners may miss, such as zero days.
Runtime security is a significant step for modern organizations because it can protect applications and workloads from unauthorized access, malicious or unintentional changes, and suspicious behavior that could indicate an attack.
Benefits of Falco
Alongside enabling runtime security, Falco provides visibility into dynamic cloud workloads, which have often been a black box for security teams. They can be difficult to monitor, and it’s hard to secure something if you can’t see what it’s doing.
With Falco, you get deep visibility into container and host activity at runtime, such as suspicious or anomalous behavior, while also getting the much-needed context around each event.
Falco also makes use of plugins to expand its capabilities, providing visibility into key components such as Docker containers and Kubernetes audit logs.
You can connect Falco to third-party services, such as messaging apps, logging and monitoring tools, and more with Falcosidekick.
Then, Falcoctl adds management capabilities for Falco rule lifecycle and artifacts. Lastly, Falco Talon provides a no-code threat management solution so even more users can implement Falco.
Falco use cases
Falco’s primary use case is helping organizations detect security threats to cloud workloads. But, in reality, you can use Falco for more than that, including:
- Complying with industry regulations: To maintain compliance, organizations often need to implement runtime detection to help reduce risk and ensure issues are swiftly remediated. For example, Falco can monitor containers for privilege escalation to help support SOC 2 compliance. Falco also has predefined rules based on security best practices and compliance with PCI DSS and other regulations.
- Aligning security monitoring with MITRE ATT&CK: The security framework outlines common threat actor tactics, techniques, and procedures (TTPs). Falco has predefined rules designed to align with the MITRE ATT&CK knowledge base.
How does Falco work?
Falco monitors system calls (the low-level interface through which user applications request services from the kernel) and checks them against a set of rules to determine whether any activity should be flagged as suspicious. With Falco plugins, you can extend its functionality to analyze logs from other sources, such as Kubernetes audit logs.
The system rules tell Falco how to interpret the data that it collects from the syscalls so that it triggers an alert when there is something unusual happening on your system (i.e., when it finds an activity that violates the rules).
Falco works with various elements (such as rules, alerts, and plugins) as well as external components like Falcosidekick. Falco's rules are highly extensible, so you can customize them to meet your specific needs.
Falco rules and alerts explained
If something doesn't match expected behavior, Falco triggers an alert so that you can take appropriate action. Rules and alerts are the key components of Falco's runtime security architecture: rules define the conditions that constitute a violation, and an alert is generated whenever Falco detects one.
Let's break this down a bit further:
What are Falco rules?
Falco rules provide the guidance for when Falco should generate an alert based on an event, whether caused by suspicious behavior, security threats, or compliance violations.
You can create overriding rules and add exceptions to rules as a way to further customize how Falco works for your unique environment. For example, if Falco would normally generate an alert when a program writes to a binary directory, an exception can be made for specific programs.
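As an added illustration of the rule-plus-exception pattern just described, here is a self-contained rules file written for this article; it is not the rule shipped in Falco's default ruleset (which builds a similar "Write below binary dir" rule from shared macros). The rule name, the list and macro names, and the program names in the exception are this example's own choices; the event and field names (evt.type, fd.directory, proc.name, and so on) are standard Falco fields.

```yaml
# Added example (not from the Falco default ruleset): alert when a process
# opens a file for writing below a binary directory, except for package managers.
- list: binary_dirs
  items: [/bin, /sbin, /usr/bin, /usr/sbin]

- macro: open_write
  condition: evt.type in (open, openat, openat2) and evt.is_open_write=true and fd.typechar='f'

- rule: Example write below binary dir
  desc: A process opened a file for writing below a known binary directory
  condition: >
    open_write and evt.dir = < and fd.directory in (binary_dirs)
  exceptions:
    # Each entry under "values" is one tuple: its fields are ANDed together,
    # the tuples are ORed, and Falco appends the result to the condition
    # as "and not (...)", so matching events are suppressed rather than alerted.
    - name: proc_writer
      fields: [proc.name, fd.directory]
      comps: [=, =]
      values:
        - [dpkg, /usr/bin]
        - [rpm, /usr/bin]
  output: >
    File below a known binary directory opened for writing
    (user=%user.name command=%proc.cmdline file=%fd.name
    parent=%proc.pname container_id=%container.id image=%container.image.repository)
  priority: ERROR
  tags: [filesystem, mitre_persistence]

# A second rules file (for example a site-local one loaded after the first)
# can add exception values to the rule above without copying it, using the
# override mechanism available in Falco 0.36 and later.
- rule: Example write below binary dir
  exceptions:
    - name: proc_writer
      values:
        - [apt-get, /usr/bin]
  override:
    exceptions: append
```

Keeping the exception values in a separate file is what makes the pattern maintainable: the detection logic stays untouched when the upstream rule is updated, while the list of trusted writers lives with the environment-specific configuration. Note that exceptions are keyed on fields an attacker may be able to influence (a process can be named dpkg), so pair them with the narrowest set of fields that still removes the noise.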
What are Falco alerts?
When a monitored event matches the condition defined in a Falco rule, the open source tool generates an alert. Natively, Falco sends alerts through generic output channels, such as stdout, files, and syslog.
Through Falcosidekick integrations, Falco alerts can be sent to your preferred application, such as Slack, Teams, PagerDuty, Datadog, AWS CloudWatchLogs, and more.
What are Falco plugins?
Falco plugins can be used to extend Falco’s functionality. Plugins enable Falco to evaluate additional event sources, define new fields to extract data from, and parse information from all the events captured.
Some example Falco plugins available enable the monitoring of:
- Okta log events.
- DNS collector events.
- GCP audit logs.
- Syslog server events.
- Kubernetes audit logs.
Your organization can also write its own Falco plugins to meet specific security needs, making it a versatile and powerful tool for securing cloud workloads.
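The output channels from the alerts section above and the plugin loading described here both live in Falco's main configuration file, so the following falco.yaml fragment, added for this article and not the file shipped with Falco, shows them together: native outputs are enabled, every alert is forwarded to a Falcosidekick instance over HTTP, and the k8saudit plugin is loaded as a second event source. The hostname "falcosidekick", the log file path, and the audit webhook listen address are assumptions made for the example.

```yaml
# Added example falco.yaml fragment (not Falco's shipped default file).

# Emit one JSON object per alert; Falcosidekick and most log pipelines expect this.
json_output: true
json_include_output_property: true

# Native output channels.
stdout_output:
  enabled: true
syslog_output:
  enabled: true
file_output:
  enabled: true
  keep_alive: false
  filename: /var/log/falco/events.json   # assumed path for this example

# Forward alerts to Falcosidekick, which fans them out to Slack, Teams,
# PagerDuty, Datadog, CloudWatch Logs, etc. Hostname and port are assumptions;
# 2801 is Falcosidekick's default listen port.
http_output:
  enabled: true
  url: http://falcosidekick:2801/

# Event-source plugins. The k8saudit plugin runs a webhook receiver that the
# Kubernetes API server is configured to post audit events to.
plugins:
  - name: k8saudit
    library_path: libk8saudit.so
    init_config:
      maxEventSize: 262144
    open_params: "http://:9765/k8s-audit"   # assumed listen address/path

# Only plugins named here are actually loaded; the k8saudit rules file must
# also be added to the rules file list for these events to produce alerts.
load_plugins: [k8saudit]
```

Which destinations Falcosidekick actually delivers to is chosen in Falcosidekick's own configuration, not in falco.yaml; Falco only needs to know where to post the JSON alerts. Keeping stdout or file output enabled alongside the HTTP output is a useful safeguard, since alerts are not lost if the forwarding endpoint is down.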
What is Falco Talon?
On its own, Falco monitors events for suspicious runtime behavior and generates alerts for security teams. To react to events in Kubernetes, one option is to install Falco Talon.
Falco Talon is an external response engine designed to react to events detected by Falco. Actions that Talon can take include terminate, delete, log, and apply network policies.
The no-code response engine was created by Falco maintainer Thomas Labarussias. It came about as a solution to react quickly to detected threats and take some burden off security teams already buried in alerts. Talon is not yet an official component of Falco and is maintained separately.
What is Falcoctl?
Lastly, Falcoctl is a command-line interface (CLI) for artifact management of Falco and its ecosystem components.
It was developed out of a desire for easier management of the lifecycle of rules, from their installation to updates. Falcoctl manages rules and plugins distributed as OCI artifacts through configurable indexes.
Falcoctl can be used to install specific rulesets and automatically have the related plugins needed for that ruleset be installed as well.
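The install-a-ruleset-with-its-plugins workflow is driven by Falcoctl's configuration file (typically /etc/falcoctl/falcoctl.yaml). The fragment below is an example written for this article, not a file from the falcoctl project; the key names follow the falcoctl README as I know it, so verify them against the version you run, and the artifact references and directories are assumptions for the example.

```yaml
# Added example falcoctl.yaml (not from the falcoctl project). Key names follow
# the falcoctl README; check them against your installed version.

# Where artifacts are looked up. The falcosecurity index lists the official
# rulesets and plugins published as OCI artifacts.
indexes:
  - name: falcosecurity
    url: https://falcosecurity.github.io/falcoctl/index.yaml

artifact:
  install:
    refs:
      - falco-rules:3       # core ruleset, pinned to major version 3
      - k8saudit-rules:0    # Kubernetes audit ruleset, major version 0
    # Resolve and install the plugins a ruleset declares as dependencies
    # (here the k8saudit plugin), which is the behaviour described above.
    resolveDeps: true
    rulesfilesdir: /etc/falco                 # assumed directory
    pluginsdir: /usr/share/falco/plugins      # assumed directory
  follow:
    # Periodically re-check the same references and pull updated versions.
    every: 6h0m0s
    refs:
      - falco-rules:3
      - k8saudit-rules:0
```

With this file in place, `falcoctl artifact install` performs the one-time installation and `falcoctl artifact follow` runs as a long-lived process (for example a sidecar in the Falco deployment) that keeps the pinned references current. Pinning to a major version rather than a floating tag lets rule updates flow in without silently picking up a breaking ruleset change.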
What are Falco Feeds?
Falco is a solid open source threat detection tool, but it isn’t without its challenges. Two common issues are rules falling behind evolving attack techniques and excessive alert noise.
One option is to adopt Falco Feeds, which are curated detection rules created by Sysdig’s Threat Research Team. Falco Feeds provide support for organizations running Falco at scale.
With Falco Feeds, organizations get continuous updates to rules that are tested to reduce false-positive alerts, mapped to common security frameworks like MITRE ATT&CK, and include guidance for complex cloud environments.
Falco Feeds enable organizations to continue using their open source tools while improving the experience with managed threat detection rules.
Use Falco and Stratoshark together
Organizations and users who prefer open source security tools can use Falco together with Stratoshark. Stratoshark is built on Wireshark and analyzes runtime telemetry, such as syscalls and events, to troubleshoot, monitor, and secure cloud workloads.
Users can get a unified workflow between the two open source tools where Falco provides threat detection and Stratoshark enables faster incident investigations.
Falco can automatically generate a system capture (SCAP) file that you can replay or examine in Stratoshark. Users get the context around the alert and can respond more quickly.
Extend Falco with Sysdig Secure
To further your use of Falco, consider implementing Sysdig Secure to extend beyond just threat detection. By pairing Falco with Sysdig Secure, organizations get insights into attack behavior as well as response capabilities.
Organizations get to continue using open source tools while getting security that scales with their cloud infrastructure and spending less time managing rules and tuning for alert noise.
