Falco is able to consume streams of events and evaluate them against a set of security rules to detect abnormal behavior. Events are consumed through different event sources, which define the origin, nature, and format of the streamed events.
Falco natively supports the syscall event source, through which it is able to consume events coming from the Linux kernel by instrumenting it with the drivers.
Enabling Event Sources
Control the input of Falco by enabling and disabling event sources.
Events related to the kernel tell us most of what happens above it.
Events related to the Plugin system.