Cloud native runtime security for Linux that detects abnormal behavior in containers and hosts in real time
Apache-2.0
- C++
- Go
- CMake

About Falco
Falco is a cloud native runtime security tool for Linux. It detects and alerts on abnormal behavior and potential security threats in real time, acting as a kernel monitoring and detection agent that observes events such as syscalls.
Falco evaluates the events it observes against custom rules and can enrich them with metadata from the container runtime and Kubernetes. Collected events can be analyzed off-host in SIEM or data lake systems, and out-of-the-box rules alert on malicious activity and CVE exploits.
Originally created by Sysdig, Falco is now a graduated CNCF project used in production across many organizations. It deploys on hosts and Kubernetes clusters, with a flexible rules engine for describing any host or container behavior you want to watch.
Key features
- Kernel-level event monitoring based on syscalls
- Custom rules engine for host and container behavior
- Container runtime and Kubernetes metadata enrichment
- Off-host event analysis in SIEM or data lake systems
- Out-of-the-box rules for malicious activity and CVE exploits
Details
- First released: 2016
- Latest release: 0.44.1
- Platforms: Linux
- Deployment: Self-hosted agent
- Governance: Graduated CNCF project
- Telemetry: Events can be sent off-host
