Glossary

This glossary is intended to be a comprehensive, standardized list of Falco terminology. It includes technical terms that are specific to Falco, as well as more general terms that provide useful context.

Filter terms according to their tags

The inner components of Falco.
Related to Falco open source development.
Source of events for Falco.
Supported customizations of Falco.
Relevant for a first-time user of Falco.
Terms related to Falco integration capabilities to consume logs and send alerts.
Useful security concepts to understand how Falco works.
Software that makes Falco easier or better to use.
Architecture Community Event Source Extension Fundamental Integration Security Concept Tool Select all Deselect all

Click on the [+] indicators below to get a longer explanation for any particular term.

  • Abnormal behavior

    The behavior of an application, container, or other component considered to be suspicious.

  • Alerts

    Downstream actions executed after a rule is triggered.

    [+]

    They can be as simple as logging to stdout or as complex as delivering a gRPC call to a client.

    Falco supports sending alerts to:

    • Standard Output
    • A file
    • Syslog
    • A spawned program
    • An HTTP[s] endpoint
    • A client through the gRPC API
  • Conditions

    Criteria to trigger an alert.

    [+]

    A key part of a rule is the condition field. A condition is a Boolean predicate expressed using the condition syntax. It is possible to express conditions on all supported events using their respective supported fields.

  • Data Enrichment

    With the libsinsp Falco can enrich the events with metadata from the container engine and/or the Kubernetes control plane.

  • Detection

    Identify a suspicious event or behavior.

  • Drivers

    The global term for the software that sends events from the kernel.

    [+]

    Examples include eBPF probe or the kernel module.

  • eBPF

    eBPF is a technology to collect metrics and events from the kernel in a secure way.

    [+]

    eBPF is a technology that can run sandboxed programs in a privileged context, such as the operating system kernel. It is used to extend the kernel's capabilities at runtime without requiring to change kernel source code or load kernel modules. It is considered safer than kernel modules since it cannot crash your system.

    Ref: https://ebpf.io

  • eBPF Probe

    The eBPF probe collects syscall events from the kernel, as the kernel module does.

  • Event Generator

    Generate a variety of suspect actions that are detected by Falco rulesets.

  • Exceptions

    Exceptions are cases where the behavior detected by the rule should be allowed.

  • Extractor Plugins

    An extractor plugin focuses only on field extraction from events.

    [+]

    The events can be generated by other plugins or by the core libraries. It does not provide an event source but can extract fields from other event sources.

  • Falco

    The name of the project and the main engine on which the rest of the project is built.

    [+]

    Falco is a cloud native runtime security tool for Linux operating systems. It is designed to detect and provide real-time alerts about abnormal behaviors and potential security threats.

    At its core, Falco is a kernel monitoring and detection agent that observes events, such as syscalls, based on custom rules. Falco can enhance these events by integrating metadata from the container runtime and Kubernetes. The collected events can be analyzed off-host in SIEM or data lake systems.

    Ref: https://github.com/falcosecurity/falco

  • Falco Exporter

    Prometheus Metrics Exporter for Falco output events.

  • Falcoctl

    The official CLI tool for working with Falco and its ecosystem components.

    [+]
  • Falcosdidekick-UI

    A simple WebUI for displaying the latest events from Falco, it works as an output for Falcosidekick.

    [+]
  • Falcosidekick

    Connect Falco with third parties.

    [+]

    A simple daemon for connecting Falco to an ecosystem, it takes the events and forwards them to different outputs in a fan-out way.

    Ref: https://github.com/falcosecurity/falcosidekick

  • Fields

    The fields are used in the condition of a rule and in the output.

    [+]

    The fields are automatically replaced by their values in the output to have the whole context of the alerts.

  • gRPC

    gRPC is a modern open source, high-performance Remote Procedure Call (RPC) framework that can run in any environment.

    [+]

    It can efficiently connect services in and across data centers with pluggable support for load balancing, tracing, health checking, and authentication. It also applies in the last mile of distributed computing to connect devices, mobile applications, and browsers to backend services.

    Ref: https://grpc.io

  • Intrusion

    Unsolicited presence in a system.

  • Kernel

    The kernel is the operating system's core and generally has complete control over everything in the system.

    [+]
  • Kernel Module

    Used to describe the .ko object that would be loaded into the kernel as a potentially risky kernel module.

    [+]

    This is one option used to pass kernel events up to userspace for Falco to consume. Sometimes this word is incorrectly used to refer to a probe.

  • Kernel Module Driver

    The Kernel module collects syscalls events from the kernel, as the eBPF Probe does.

  • Kernel Space

    The memory space where the kernel executes and provides its services.

  • Kubernetes Audit Log

    Audit logs from the Kubernetes control plane.

    [+]

    Kubernetes auditing provides a security-relevant, chronological set of records documenting the sequence of actions in a cluster.

  • Libscap

    libscap, aka library for System CAPture, is the library used by Falco to collect the events from the ring buffer before forwarding them up to libsinsp.

    [+]
  • Libsinsp

    libsinsp, aka library for System INSPection, receives the events from libscap and enriches them with machine states.

    [+]
  • Lists

    Lists are collections of items that can be included in rules, macros, or other lists.

    [+]

    Unlike rules and macros, lists cannot be parsed as filtering expressions.

  • Macros

    Macros are rule conditions snippets that can be re-used inside rules and even other macros.

    [+]

    Macros provide a way to name common patterns and factor out redundancies in rules.

  • Modern eBPF Probe

    More robust eBPF probe, which brings the CO-RE paradigm, better performances, and maintainability.

    [+]

    It will replace the default eBPF probe in the future.

  • Monitoring

    Observing the evolution of a process over time.

  • Outputs

    Format of the generated alert, the fields used as keys are automatically replaced with their values.

  • Plugins

    A dynamic shared library (a .so file) that conforms to a documented API and allows to extend the possible inputs for Falco.

    [+]
  • Priorities

    Every Falco rule has a priority that indicates how serious a violation of the rule is.

    [+]

    This is similar to what we know as the severity of a syslog message. The priority is included in the message/JSON output/etc.

  • Probes

    Used to describe the .o object that would be dynamically loaded into the kernel as a secure and stable eBPF probe.

    [+]

    This is one option used to pass kernel events up to userspace for Falco to consume. Sometimes this word is incorrectly used to refer to a module.

  • Reaction

    Action to remediate an incident.

    [+]

    Action following the detection, for example, deleting a compromised container.

  • Response Engine

    System of reaction to alerts built on dedicated applications, FaaS or Serverless.

  • Ring Buffer

    The ring buffer is a memory buffer that behaves as if it had a circular shape, used for FIFO (first in, first out).

    [+]

    It uses to pass the events from the driver (kernel space) to the library libscap (user space)

  • Rules

    Rules are conditions under which an alert should be generated.

    [+]

    A rule is accompanied by a descriptive output string that is sent with the alert.

  • Rules file

    A Falco rules file is a YAML file containing three types of elements: rules, macros, and lists.

  • Runtime Security

    Runtime security is the process of providing protection for your host, containers, and applications while they’re running.

  • Source Plugins

    A source plugin provides a new event source.

    [+]

    It has the ability to "open" and "close" a session that provides events. A source plugin can also be an extractor.

  • Syscalls

    Syscalls stands for system calls, a way to request a service from the running kernel.

    [+]

    Syscalls are used by the applications to make requests from user space to the Linux kernel to access the resources (CPU, memory, disk, network, etc.).

    Ref: https://man7.org/linux/man-pages/man2/syscalls.2.html

  • Tags

    Labels that can be attached to the rules, allow to select the subset of rules to enable.

  • Tracing

    Following the path of a request through several components and/or applications.

  • User Space

    The memory space where all user actions and applications are executed.