Event Sources

Leverage multiple Event Sources to increase the power of Falco

Falco is able to consume streams of events and evaluate them against a set of security rules to detect abnormal behavior. Events are consumed through different event sources, which define the origin, nature, and format of the streamed events.

Falco natively supports the syscall event source, through which it consumes events coming from the Linux kernel by instrumenting it with the drivers.

Since Falco 0.31, events can also come through the plugin system, which allows adopters and contributors to extend Falco's capabilities with new events.
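
How the event source shows up when writing rules, as an added example that is not part of the original page: each rule is evaluated only against events from the source named in its `source` key, which defaults to `syscall`. The second rule assumes the `k8saudit` plugin is loaded, which provides the `k8s_audit` source and the `ka.*` fields; the rule names, conditions and outputs are constructed for illustration.

```yaml
# Constructed example rules file: one rule per event source.

# Evaluated against kernel events delivered by the driver.
# "source: syscall" is the default and is spelled out here for clarity.
- rule: Example shell started in a container
  desc: A shell process was executed inside a container.
  condition: >
    evt.type in (execve, execveat)
    and container.id != host
    and proc.name in (bash, sh)
  output: >
    Shell started in container
    (user=%user.name container=%container.name cmdline=%proc.cmdline)
  priority: NOTICE
  source: syscall
  tags: [example, container]

# Evaluated only against events produced by a plugin.
# Assumption: the k8saudit plugin is loaded, so the k8s_audit source
# and the ka.* fields exist. Syscall fields such as proc.name are not
# available here, because the event format is defined by the source.
- rule: Example namespace deleted
  desc: A Kubernetes namespace was deleted through the API server.
  condition: >
    ka.verb = delete
    and ka.target.resource = namespaces
  output: >
    Namespace deleted
    (user=%ka.user.name namespace=%ka.target.name)
  priority: WARNING
  source: k8s_audit
  tags: [example, k8s]
```

A rule whose `source` names a source that is not loaded never sees any events, so it is worth checking the `source` key against the sources the running Falco instance has enabled.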