Falco: Runtime Threat Detection for Kubernetes
Platform Engineering


Detect anomalous behavior in containers with Falco: syscall monitoring, custom rules, alerting to Slack/PagerDuty, and MITRE ATT&CK mapping.

Luca Berton
· 1 min read

What Is Falco?

Falco detects unexpected behavior in running containers by capturing Linux syscalls (through a kernel module or an eBPF probe) and matching them against a rule set. Think of it as a host and container intrusion detection system (IDS) for Kubernetes: it observes and alerts, it does not block. Falco is a CNCF Graduated project with 7K+ GitHub stars.

What Falco Detects

  • Shell spawned inside container
  • Sensitive file read (/etc/shadow, /etc/passwd)
  • Unexpected network connections
  • Binary executed from /tmp
  • Privilege escalation attempts
  • Container escape techniques
  • Cryptominer signatures

Installation

helm repo add falcosecurity https://falcosecurity.github.io/charts
# modern_ebpf needs kernel 5.8+ on every node; on older kernels use
# driver.kind=ebpf or kmod (or driver.kind=auto and let the chart pick)
helm install falco falcosecurity/falco \
  --namespace falco --create-namespace \
  --set driver.kind=modern_ebpf \
  --set falcosidekick.enabled=true \
  --set falcosidekick.config.slack.webhookurl="https://hooks.slack.com/..."

Default Rules (Out of the Box)

Falco ships with a maintained default ruleset (falco_rules.yaml from the falcosecurity/rules repository) covering common threats. The stock rule that fires on an interactive shell inside a container, lightly abridged, is:

# Shell in container (stock rule from falco_rules.yaml, abridged)
- rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec point into a container with an attached terminal
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
    and container_entrypoint
    and not user_expected_terminal_shell_in_container_conditions
  output: >
    A shell was spawned in a container with an attached terminal
    (user=%user.name %container.info shell=%proc.name parent=%proc.pname
     cmdline=%proc.cmdline terminal=%proc.tty)
  priority: NOTICE
  tags: [maturity_stable, container, shell, mitre_execution, T1059]

The last clause is the tuning hook: user_expected_terminal_shell_in_container_conditions is a macro that defaults to never_true, and overriding it in your own rules file is how you silence known-good cases without editing the stock rule.
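The override pattern described above, as an added example rather than a fragment of Falco's own rule files: it assumes a hypothetical debug image at registry.example.com/ops/debug-toolbox whose interactive shells are expected and should not page anyone.

```yaml
# custom_rules.yaml, loaded after falco_rules.yaml (mount it through the
# chart's customRules value). Replaces the stock never_true macro so that
# "Terminal shell in container" stays quiet only for the debug image.
- macro: user_expected_terminal_shell_in_container_conditions
  condition: (container.image.repository = "registry.example.com/ops/debug-toolbox")
  override:
    condition: replace
```

Keep the exception as narrow as the image repository, not the whole namespace, otherwise an attacker who lands in any pod in that namespace inherits the silence. Validate the file before shipping it with `falco -V custom_rules.yaml`.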

Custom Rules

Keep your own rules in a separate file (mounted through the chart's customRules value) so they survive upgrades of the stock ruleset:

# Detect crypto mining
- rule: Detect crypto miners
  desc: Detected a process with crypto mining indicators
  condition: >
    spawned_process and container and
    (proc.name in (xmrig, minerd, cpuminer) or
     proc.cmdline contains "stratum+tcp" or
     proc.cmdline contains "pool.minergate")
  output: >
    Crypto miner detected (container=%container.name cmd=%proc.cmdline)
  priority: CRITICAL
  tags: [cryptomining, mitre_resource_hijacking, T1496]

# Detect kubectl exec. From the syscall side an exec looks like a process
# whose parent is the container runtime (the stock container_entrypoint
# macro) and which is not the container's own entrypoint (pid 1 inside
# its pid namespace).
- rule: Kubectl exec to pod
  desc: A process was exec'd into a running pod in the production namespace
  condition: >
    spawned_process and container and
    k8s.ns.name = "production" and
    container_entrypoint and proc.vpid != 1
  output: >
    Exec into production pod (pod=%k8s.pod.name ns=%k8s.ns.name
     user=%user.name cmd=%proc.cmdline)
  priority: WARNING
  tags: [k8s, exec, mitre_execution, T1059]

Note what the syscall source cannot tell you: %user.name is the Linux user inside the container, not the Kubernetes identity that ran kubectl exec. Fields such as ka.user.name exist only for rules on the k8s_audit source provided by the k8saudit plugin, so a syscall rule that references them fails validation. To attribute execs to a cluster user, ingest the API server audit log with that plugin and write a second rule against it.
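To see exactly which events the two custom rules above match, here is an added example (plain Python, not Falco code and not from the original article) that mirrors their conditions with Falco's operator semantics: `proc.name in (...)` is an exact match, `contains` is a case-sensitive substring test, and the `container` macro means `container.id != host`. The sample events are constructed, and the `proc.vpid != 1` guard on the exec rule and the parent-process list are taken from the rules as written above.

```python
"""Mirror the page's two custom Falco rules in Python and run them over
constructed process events (added example, not Falco's own code)."""
from dataclasses import dataclass

# proc.name values from the rule: exact match, so "xmrig-exporter" does not count
MINER_NAMES = frozenset({"xmrig", "minerd", "cpuminer"})
# proc.cmdline substrings from the rule
MINER_CMDLINE_MARKERS = ("stratum+tcp", "pool.minergate")
# parents that Falco's stock container_entrypoint macro treats as runtime-spawned
ENTRYPOINT_PARENTS = frozenset({"runc", "runc:[0:PARENT]", "runc:[1:CHILD]",
                                "docker-runc", "docker-runc-cur",
                                "containerd-shim", "exe"})


@dataclass(frozen=True)
class ProcEvent:
    """Subset of Falco syscall fields present on a spawned_process event."""
    proc_name: str
    proc_cmdline: str
    proc_pname: str
    container_id: str            # Falco reports "host" for non-container processes
    k8s_ns_name: str = ""
    k8s_pod_name: str = ""
    proc_vpid: int = 0           # pid as seen inside the container's pid namespace


def in_container(ev: ProcEvent) -> bool:
    """Falco's `container` macro: container.id != host."""
    return ev.container_id != "host"


def detect_crypto_miners(ev: ProcEvent) -> bool:
    """Condition of the 'Detect crypto miners' rule."""
    return in_container(ev) and (
        ev.proc_name in MINER_NAMES
        or any(marker in ev.proc_cmdline for marker in MINER_CMDLINE_MARKERS)
    )


def kubectl_exec_to_pod(ev: ProcEvent) -> bool:
    """Condition of the 'Kubectl exec to pod' rule, entrypoint excluded via vpid."""
    return (in_container(ev)
            and ev.k8s_ns_name == "production"
            and ev.proc_pname in ENTRYPOINT_PARENTS
            and ev.proc_vpid != 1)


RULES = (
    ("Detect crypto miners", "CRITICAL", detect_crypto_miners),
    ("Kubectl exec to pod", "WARNING", kubectl_exec_to_pod),
)


def evaluate(events):
    """Return (rule, priority, pod) for every rule each event matches, in order."""
    alerts = []
    for ev in events:
        for name, priority, condition in RULES:
            if condition(ev):
                alerts.append((name, priority, ev.k8s_pod_name))
    return alerts


# Constructed events, not real captures. Comments say why each does or does not fire.
SAMPLE_EVENTS = [
    ProcEvent("xmrig", "xmrig -o stratum+tcp://pool.example:3333", "sh", "a1b2", "batch", "job-7", 5),   # name hit
    ProcEvent("python3", "python3 miner.py --url stratum+tcp://x", "sh", "c3d4", "batch", "job-8", 9),  # cmdline hit
    ProcEvent("xmrig-exporter", "xmrig-exporter --port 9100", "sh", "e5f6", "monitoring", "exp-1", 4),  # neither
    ProcEvent("xmrig", "xmrig", "bash", "host", "", "", 0),                                               # host, no container
    ProcEvent("bash", "bash", "containerd-shim", "0a1b", "production", "api-77", 12),                    # kubectl exec
    ProcEvent("nginx", "nginx -g daemon off;", "containerd-shim", "2c3d", "production", "web-1", 1),     # entrypoint, vpid 1
    ProcEvent("bash", "bash", "containerd-shim", "4e5f", "staging", "api-3", 8),                         # wrong namespace
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The third event shows why the miner rule is a low-recall indicator: a renamed binary or a proxy URL that is not stratum+tcp slips through, so treat it as one signal and pair it with CPU-usage anomalies rather than as the only control.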

MITRE ATT&CK Mapping

Technique                                      Falco rule
T1059 Command and Scripting Interpreter        Terminal shell in container
T1003 OS Credential Dumping                    Read sensitive file untrusted (/etc/shadow and friends)
T1048 Exfiltration Over Alternative Protocol   Unexpected outbound connection
T1611 Escape to Host                           Change thread namespace (nsenter / setns)
T1496 Resource Hijacking                       Detect crypto miners (custom rule above)
T1071 Application Layer Protocol               DNS tunneling (custom rule)

Stock rules carry a mitre_<tactic> tag and the technique ID in their tags list, so you can filter or route alerts by technique without a separate lookup table.

Alert Pipeline

Syscall → Falco Engine → Rule Match → Falcosidekick → Destinations
                                                      ├── Slack
                                                      ├── PagerDuty
                                                      ├── Elasticsearch
                                                      ├── AWS Security Hub
                                                      ├── Prometheus
                                                      └── Falco Talon (response engine, e.g. terminate the pod)

Response Automation

# Falcosidekick does not kill pods itself; it forwards events to Falco Talon
# (the falcosecurity response engine), which applies its own rule file.

# 1. Falcosidekick config.yaml (with the chart: falcosidekick.config.talon.address)
talon:
  address: http://falco-talon:2803
  minimumpriority: critical
policyreport:
  enabled: true

# 2. Falco Talon rules: terminate the pod behind a CRITICAL miner alert
- action: Terminate pod
  actionner: kubernetes:terminate
  parameters:
    grace_period_seconds: 0
    ignore_daemonsets: true
    ignore_statefulsets: true
- rule: Kill crypto miner pod
  match:
    rules:
      - Detect crypto miners
  actions:
    - action: Terminate pod

Terminating on a rule match is a destructive, automated action, so restrict it to rules whose false-positive rate you have measured, exclude system namespaces, and keep the Falco event (or a capture) for forensics before the pod disappears.
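The same guardrails, as an added example in Python (not Falcosidekick or Falco Talon code): a small webhook receiver that accepts the JSON document Falco emits with json_output=true, which Falcosidekick's webhook output forwards unchanged, and decides whether the event should be logged, paged, or acted on. The protected-namespace set, the terminate allowlist, the minimum priority and the listening port are assumptions chosen for illustration; the sample events are constructed.

```python
"""Response decision for Falco events delivered by Falcosidekick's webhook
output (added example, not Falcosidekick or Falco Talon code)."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Falco's priority scale, most severe first
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]

# Assumed policy: never auto-terminate in these namespaces, and only act on
# rules whose false-positive rate has already been measured.
PROTECTED_NAMESPACES = frozenset({"kube-system", "falco", "monitoring"})
TERMINATE_RULES = frozenset({"Detect crypto miners"})
MIN_PRIORITY = "Critical"


def at_least(priority: str, floor: str) -> bool:
    """True when `priority` is as severe as `floor` or more so."""
    return PRIORITIES.index(priority) <= PRIORITIES.index(floor)


def decide(event: dict) -> dict:
    """Return {"action", "reason", "target"} for one Falco event."""
    fields = event.get("output_fields", {})
    ns = fields.get("k8s.ns.name")
    pod = fields.get("k8s.pod.name")
    rule = event.get("rule", "")
    priority = event.get("priority", "Debug")
    target = {"namespace": ns, "pod": pod}

    if event.get("source") != "syscall":
        return {"action": "log", "reason": "non-syscall source", "target": target}
    if not at_least(priority, MIN_PRIORITY):
        return {"action": "log", "reason": f"priority {priority} below {MIN_PRIORITY}", "target": target}
    if rule not in TERMINATE_RULES:
        return {"action": "page", "reason": f"rule '{rule}' not on terminate allowlist", "target": target}
    if not ns or not pod:
        return {"action": "page", "reason": "no pod metadata on event", "target": target}
    if ns in PROTECTED_NAMESPACES:
        return {"action": "page", "reason": f"namespace {ns} is protected", "target": target}
    return {"action": "terminate", "reason": f"{rule} at {priority}", "target": target}


class Handler(BaseHTTPRequestHandler):
    """Minimal receiver; point Falcosidekick at it with webhook.address."""
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        print(json.dumps(decide(json.loads(body))))
        self.send_response(200)
        self.end_headers()


# Constructed events in Falco's json_output format, not real captures.
MINER_EVENT = {
    "hostname": "node-1", "source": "syscall", "priority": "Critical",
    "rule": "Detect crypto miners",
    "output": "Crypto miner detected (container=app cmd=xmrig -o stratum+tcp://pool.example:3333)",
    "time": "2024-01-01T00:00:00.000000000Z",
    "tags": ["cryptomining", "mitre_resource_hijacking"],
    "output_fields": {"container.name": "app", "k8s.ns.name": "batch",
                      "k8s.pod.name": "job-7",
                      "proc.cmdline": "xmrig -o stratum+tcp://pool.example:3333"},
}
SHELL_EVENT = {**MINER_EVENT, "priority": "Warning", "rule": "Kubectl exec to pod",
               "output_fields": {"k8s.ns.name": "production", "k8s.pod.name": "api-77"}}
SYSTEM_EVENT = {**MINER_EVENT,
                "output_fields": {"k8s.ns.name": "kube-system", "k8s.pod.name": "kube-proxy-x"}}

if __name__ == "__main__":
    for ev in (MINER_EVENT, SHELL_EVENT, SYSTEM_EVENT):
        print(decide(ev))
    HTTPServer(("0.0.0.0", 2801), Handler).serve_forever()   # assumed port
```

The order of the checks is deliberate: source and priority filters are cheap and cut most traffic, the allowlist guarantees that a new or noisy rule can never trigger deletion by accident, and the namespace guard is evaluated last so the reason string tells the on-call engineer exactly which gate stopped the action.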

Performance Impact

Driver                   CPU overhead (article's figures)   Kernel requirement
modern_ebpf              under 1%                           5.8+ (BPF ring buffer, CO-RE)
kmod                     2-5%                               any supported kernel; module built or downloaded per kernel
plugins (cloud / audit)  0% (no syscall capture)            n/a

The modern eBPF driver adds negligible overhead and is suitable for production. Measure on your own nodes before committing to a number: the cost scales with the syscall rate of the workload and with the number and complexity of loaded rules, not with the driver alone.
