content/en/docs/_index.md
Falco is a cloud native security tool that provides runtime security across hosts, containers, Kubernetes, and cloud environments. It is designed to detect and alert on abnormal behavior and potential security threats in real time.
At its core, Falco is a monitoring and detection agent that observes events (such as Linux kernel events and, through plugins, other data sources) and delivers real-time alerts based on custom rules. Falco also enriches these events with contextual metadata from container runtimes and Kubernetes. The generated alert events can be forwarded to other components to take action, or analyzed in SIEM or data lake systems for further investigation.
Falco, originally created by Sysdig, is now a graduated Cloud Native Computing Foundation (CNCF) project used in production by various organisations.
Falco uses syscalls to monitor a system's activity, by:
- Parsing the Linux syscalls from the kernel at runtime
- Asserting the resulting event stream against a rules engine
- Alerting when a rule is violated
For more information, see Falco Rules.
Falco's monitoring capabilities are not limited to syscalls: it can be extended via plugins to ingest data from many more types of sources.
Falco ships with a default set of rules that check the kernel for unusual behavior such as:
- Namespace changes using tools like setns
- Reads/writes to well-known directories such as /etc, /usr/bin, /usr/sbin, etc
- Spawned processes using execve
- Executing shell binaries such as sh, bash, csh, zsh, etc
- Executing SSH binaries such as ssh, scp, sftp, etc
- Mutating Linux coreutils executables
- Mutating shadowutil or passwd executables such as shadowconfig, pwck, chpasswd, getpasswd, change, useradd, etc, and others.
Rules are the conditions under which an alert should be generated. A rule is accompanied by a descriptive output string that is sent with the alert. Rules are defined in YAML files and loaded via the Falco configuration file. For more information about writing, managing, and deploying rules, see Falco Rules.
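The following rules file is an added example, not one of the rules shipped with Falco, showing how a list, two macros, and a rule fit together: it alerts when an interactive shell (a process whose name is in the `shell_binaries` list and which has a controlling TTY) is spawned inside a container. The rule name, list contents, and tags are the example's own; the fields used (`evt.type`, `evt.dir`, `container.id`, `proc.name`, `proc.tty`, `user.name`, `container.image.repository`) are standard Falco syscall-source fields.

```yaml
# Added example rules file (not from the Falco default ruleset).
# Lists group values that a condition can test with "in (...)".
- list: shell_binaries
  items: [sh, bash, csh, zsh, dash, ksh]

# Macros are reusable condition fragments.
# container.id is the literal string "host" for processes outside a container.
- macro: container
  condition: (container.id != host)

# A process is "spawned" when the kernel returns from execve/execveat
# (evt.dir = < marks the exit event of the syscall).
- macro: spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir = <)

# The rule combines the macros; proc.tty != 0 restricts it to interactive shells,
# so non-interactive entrypoint scripts run by an image do not trigger it.
- rule: Shell Spawned in Container (example)
  desc: An interactive shell was started inside a container.
  condition: >
    spawned_process and container and
    proc.name in (shell_binaries) and
    proc.tty != 0
  output: >
    Interactive shell spawned in container
    (user=%user.name shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline container_id=%container.id
    image=%container.image.repository)
  priority: WARNING
  tags: [container, shell, example]
```

Save this file and add its path to the `rules_files` list in falco.yaml (or pass it with `-r`) to load it alongside the default rules; `%field` placeholders in `output` are expanded from the matching event when the alert is emitted.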
Alerts are configurable downstream actions that can be as simple as logging to stdout or as complex as delivering an HTTP request to an endpoint. For more information about configuring, understanding, and developing alerts, see Falco Outputs. Falco can send alerts to:
- Standard output
- A file
- Syslog
- A spawned program
- An HTTP(S) endpoint
- A client through the gRPC API
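As an added example (not the falco.yaml shipped with the project), the fragment below shows the output-related settings side by side: JSON alerts on stdout, HTTP forwarding enabled, and the remaining channels present but disabled. The `http_output.url` pointing at a Falcosidekick service and the file and program paths are assumptions for illustration; the keys themselves are the real falco.yaml options.

```yaml
# Added example falco.yaml fragment (output section only).

# Emit alerts as JSON so downstream consumers (SIEM, falcosidekick) can parse them.
json_output: true
json_include_output_property: true

# Minimum priority an alert must have to be emitted at all.
priority: notice

# Channel 1: standard output (what you see when running falco interactively).
stdout_output:
  enabled: true

# Channel 2: append alerts to a file (path is an assumption for the example).
file_output:
  enabled: false
  keep_alive: false
  filename: /var/log/falco_events.json

# Channel 3: local syslog.
syslog_output:
  enabled: false

# Channel 4: pipe each alert into a program's stdin (command is an assumption).
program_output:
  enabled: false
  keep_alive: false
  program: "cat >> /var/log/falco_program_output.log"

# Channel 5: POST each alert to an HTTP(S) endpoint.
# The URL assumes a falcosidekick instance reachable by that name.
http_output:
  enabled: true
  url: http://falcosidekick:2801/
  insecure: false

# Channel 6: the gRPC API, which clients (for example falco-exporter) subscribe to.
grpc:
  enabled: true
  bind_address: "unix:///run/falco/falco.sock"
grpc_output:
  enabled: true
```

Leaving `insecure: false` on `http_output` keeps TLS certificate verification on when the URL is HTTPS; set it only for lab endpoints with self-signed certificates.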
Falco is composed of several main components:
Userspace program - the CLI tool falco that you use to interact with Falco. The userspace program handles signals, parses the event stream coming from a Falco driver, evaluates rules, and sends alerts.
Configuration - defines how Falco is run, which rules to assert, and how to deliver alerts. For more information, see Configuration.
Driver - software that adheres to the Falco driver specification and sends a stream of kernel events to the userspace program. Currently, Falco supports the following drivers:
- Kernel module
- eBPF probe (the legacy probe, built from the same sources as the kernel module)
- Modern eBPF probe (CO-RE based, embedded in the falco binary, so nothing has to be built on the host)
For more information, see Falco Event Sources.
Plugins - extend the functionality of Falco by adding new event sources and new fields that extract information from events. For more information, see Plugins.
Falcoctl - lets you install rules and plugins and perform administrative tasks for Falco. It is bundled together with Falco.
Apart from the Falco core projects, the Falco organization also maintains and distributes ecosystem projects that help adopters get the most out of Falco. To learn more, visit the Falco Evolution repositories list. For example, the falcosidekick project makes it easier to forward Falco events to many applications and channels, and falcoctl simplifies a number of administrative tasks for Falco, including installing and updating rules and plugins.