You are viewing documentation for Falco version: v0.33.1

Falco v0.33.1 documentation is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date documentation, see the latest version.

Event Sources

Last modified December 2, 2022
Leverage multiple Event Sources to increase the power of Falco

Falco is able to consume streams of events and evaluate them against a set of security rules to detect abnormal behavior. Events are consumed through different event sources, which define the origin, nature, and format of the streamed events.

Falco natively supports the syscall event source, through which it is able to consume events coming from the Linux Kernel by instrumenting it with the drivers.

Since Falco 0.31 and the introduction of the Plugin System, additional event sources can serve as input for Falco. Those event sources are provided by plugins implementing the event sourcing capability.

Examples of event source defined by offically-supported plugins are:

In addition to these plugins hosted by the Falcosecurity organization, others have written third-party plugins that support additional event sources. Please refer to the official Plugin Registry for the most up-to-date information regarding the Falco plugins acknowledged by the community.

Enabling Event Sources

Control the input of Falco enabling and disabling Event Sources

Kernel Events

Events related to the Kernel tells us most of what happens above.

CloudTrail Events

Detect undesired actions in your AWS environment

Kubernetes Audit Events

Kubernetes Audit Events will give you a deeper visibility of your environment

Okta Events

Keep an eye on your activity within this famous authentication service

Actions For Dropped System Call Events

Let Falco say basta when your system reaches its limit

Generating sample events

Test your Falco deployment by generating sample events under controlled circumstances