Falco#
Falco is the cloud-native runtime security project. Falco rules are a YAML DSL describing suspicious behavior at the kernel-syscall level, such as shells spawned in containers, sensitive file reads, privilege escalation, network connections to unexpected destinations.
CNCF graduated project; used in Kubernetes clusters, on Linux hosts, and inside cloud-native platforms.
The Mental Model#
Falco’s world is four simple kinds of object: events flowing in from kernel syscalls or audit logs, macros that name a reusable expression, lists that hold reusable values, and rules that fire alerts when an event matches. Everything else is composition over those four primitives.
Events, syscalls (and Kubernetes audit events, cloud-trail events) flow through Falco.
Macros, named, reusable expressions over event fields.
Lists, named sets of values (binaries, paths, ports).
Rules, expressions that classify events; if they match, an alert fires.
A Sample Rule#
- macro: container
condition: container.id != host
- macro: shell_procs
condition: proc.name in (sh, bash, zsh, dash, ash)
- list: trusted_images
items:
- "registry.internal/base"
- "ubuntu:22.04"
- rule: Shell in Container
desc: A shell was spawned in a container that should not have one
condition: >
evt.type = execve and evt.dir = <
and container
and shell_procs
and not container.image.repository in (trusted_images)
output: >
Shell spawned in container (user=%user.name shell=%proc.name
parent=%proc.pname container=%container.name image=%container.image.repository)
priority: WARNING
tags: [shell, container, mitre_execution]
A Falco rule is a YAML object with a fixed schema. The condition decides whether the rule fires; the output template formats the alert; tags map to ATT&CK; priority sets severity. Source determines whether the rule consumes syscalls, Kubernetes audit, or another plugin’s events.
rule, the human-named alert.
desc, description.
condition, a Falco condition expression. Combines syscall fields, macros, lists.
output, the alert message;
%fieldplaceholders are expanded.priority,
EMERGENCY/ALERT/CRITICAL/ERROR/WARNING/NOTICE/INFORMATIONAL/DEBUG.tags, metadata; commonly ATT&CK tactic / technique IDs.
source,
syscall(default),k8s_audit,aws_cloudtrail, custom plugin.enabled, toggle without removing.
Condition Fields#
Falco exposes hundreds of fields per source. The most-used.
Field |
Meaning |
|---|---|
|
syscall name ( |
|
|
|
|
|
full command line |
|
parent process name |
|
|
|
|
|
container context |
|
file path / socket |
|
network: server IP / port |
|
Macros and Lists#
The two reuse primitives Falco rules lean on. Macros wrap a
condition expression in a name; lists hold a set of values
for in membership tests. Together they keep individual
rules short and let one definition (e.g., “what counts as a
read event”) propagate across dozens of rules.
Macros let you compose conditions.
- macro: sensitive_path
condition: fd.name startswith "/etc/" or fd.name startswith "/root/"
- macro: read_event
condition: evt.type in (open, openat, openat2) and evt.dir = > and evt.is_open_read = true
- rule: Sensitive File Read
condition: read_event and sensitive_path and not container
output: "Read of %fd.name by %proc.name (user=%user.name)"
Lists let you pin allowlists / denylists.
- list: known_admin_users
items: [root, admin, operator]
Sources#
Beyond syscalls.
kubernetes audit, detect role escalations, hostPath usage, privilege flag changes.
aws cloudtrail, IAM policy changes, S3 bucket public ACLs, guard duty findings.
kafka / okta / github plugins, application-layer events.
Each source has its own field set.
Falco Sidekick#
Falcosidekick is the output router: takes Falco alerts and forwards to.
Slack / Teams / PagerDuty / OpsGenie.
Loki / Elasticsearch / Splunk / Sumo / Datadog.
AWS Lambda / GCP Cloud Functions for response automation.
Webhooks for anything else.
Falcoctl#
falcoctl is the package manager for Falco rules and plugins. Curated rule sets.
falco-rules, the built-in default.
falco-incubating-rules, new rules under evaluation.
Community / vendor packages for cloud-specific behaviors.
Detection Strategies#
The mental models that produce useful Falco rules. Default- allow with suspicious-activity flagging, default-deny with break-detection, ATT&CK mapping for coverage measurement, and allowlisting what’s normal in containers all play to the strengths of runtime detection.
Default-allow, baseline rules that flag suspicious activity.
Default-deny at the application layer, enforce a positive posture (ServiceAccount cannot exec into pods) elsewhere; Falco detects when expectations break.
MITRE ATT&CK mapping, tag rules with ATT&CK technique IDs; measure coverage.
Allowlist what’s normal, containers run specific binaries; lists describe the allowed set.
Tuning#
Real environments produce real false positives. Tuning patterns.
Image allowlist,
not container.image.repository in (trusted_images).Process allowlist, known maintenance scripts, package managers during build.
Container labels, exempt specific containers via Kubernetes labels (
annotations.example.com/falco-exempt=true).Time-of-day, separate rules during maintenance windows.
Architecture Notes#
Falco runs as a host agent (DaemonSet in Kubernetes).
Two drivers historically: kernel module and eBPF; modern preference is eBPF.
Plugins extend the source set.
No agent-on-pod required; Falco watches kernel events from the host.
Strengths#
The reasons Falco earned its CNCF graduation and a spot in most Kubernetes security stacks. Real-time kernel-level visibility, deep composition primitives, multiple sources beyond syscalls, and a managed ecosystem of curated rule sets all stack into a serious detection capability.
Real-time runtime detection, catches what static config can’t.
CNCF-graduated, mature, well-supported.
Composable, macros, lists, multiple sources.
Cloud-native, pairs with Kubernetes, EKS / GKE / AKS, cloud audit logs.
Weaknesses#
The flip side. Out-of-the-box noise demands tuning before production deployment; syscall tracing has measurable performance cost; eBPF needs kernel-version compatibility checks; and rule YAML at scale is verbose enough to demand the same code-review discipline as application code.
Noise out of the box, expect significant tuning.
Performance impact, syscall tracing has cost; eBPF mitigates most of it.
eBPF kernel-version dependencies, check compatibility.
YAML is verbose at scale; manage rules as code with CI / pull requests.
When (Not) to Use Falco#
Use for runtime security in Kubernetes / Linux hosts.
Use alongside an EDR for kernel-level coverage of behaviors EDRs may miss.
Use for cloud-trail / Kubernetes-audit detections without writing custom rule engines.
Don’t expect Falco to replace an EDR’s rich Windows endpoint features.
Don’t run without tuning, baseline noise levels first.
See Also#
detection.