Quick Start Security for Falco
Falco - Security Extension
Falco is the open source solution for runtime security for hosts, containers, Kubernetes and the cloud. Get real-time visibility into abnormal behaviors and potential security threats, intrusions, and data theft or compliance violations.
This extension pack is designed to alert according to Falco's severity levels (Critical, Warning, Error, Notice and Informational).
Please consult the Falco documentation to better understand the triggered alerts:
https://falco.org/docs/rules/basic-elements/
Specific alert information will be present in the log that triggered the alert.
Coralogix Extension For Falco Includes:
Alerts - 6
Stay on top of Falco key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
Error priority alert
This alert type aggregates all Falco alerts with Error priority. Falco's Error priority rules are triggered when a file is written inside a container or Kubernetes pod. Please refer to the rule, desc and source fields in the log for more information about the specific alert.
Impact: Depends on the type of granular alert. See more details in the log itself.
Mitigation: Depends on the type of granular alert. See more details in the log itself.
Warning priority alert
This alert type aggregates all Falco alerts with Warning priority. Falco's Warning priority rules are triggered when there is an unauthorized read attempt on sensitive files. Please refer to the rule, desc and source fields in the log for more information about the specific alert.
Impact: Depends on the type of granular alert. See more details in the log itself.
Mitigation: Depends on the type of granular alert. See more details in the log itself.
Notice priority alert
This alert type aggregates all Falco alerts with Notice priority. Falco's Notice priority rules are triggered when unexpected behavior is detected, such as an unexpected shell being spawned. Please refer to the rule, desc and source fields in the log for more information about the specific alert.
Impact: Depends on the type of granular alert. See more details in the log itself.
Mitigation: Depends on the type of granular alert. See more details in the log itself.
Informational priority alert
This alert type aggregates all Falco alerts with Informational priority. Falco's Informational priority rules are triggered when a best practice is broken, such as an unexpected privileged container with sensitive mounts being started. Please refer to the rule, desc and source fields in the log for more information about the specific alert.
Impact: Depends on the type of granular alert. See more details in the log itself.
Mitigation: Depends on the type of granular alert. See more details in the log itself.
Critical priority alert
This alert type aggregates all Falco alerts with Critical priority. Falco's Critical priority rules are triggered when there is a container runtime error, when a virus or malware that can affect the container's functionality is detected in it, or when suspicious network activity is detected. Please refer to the rule, desc and source fields in the log for more information about the specific alert.
Impact: Depends on the type of granular alert. See more details in the log itself.
Mitigation: Depends on the type of granular alert. See more details in the log itself.
No logs from Falco
This rule detects whether there have been no Falco logs in the customer account in the last 12 hours. Note: this alert should be configured with the relevant application and subsystem.
Impact: Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system.
MITRE Tactic: TA0005
MITRE Technique: T1562
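As an added example (not code from the Coralogix extension or from the Falco project), the following Python reads Falco JSON-output lines, groups them into the priority buckets described above using the rule, source and time fields, and evaluates the 12-hour "No logs from Falco" condition. The sample events, hostnames and timestamps are constructed for the example.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape Falco emits with json_output enabled;
# these are not real alerts from any environment.
SAMPLE_LOGS = [
    '{"hostname":"node-a","output":"10:01:02.000 Error File below /etc opened for writing (user=root file=/etc/passwd)","priority":"Error","rule":"Write below etc","source":"syscall","tags":["filesystem"],"time":"2024-05-01T10:01:02.000Z"}',
    '{"hostname":"node-a","output":"10:05:00.000 Warning Sensitive file opened for reading by non-trusted program (user=app file=/etc/shadow)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["filesystem"],"time":"2024-05-01T10:05:00.000000000+0000"}',
    '{"hostname":"node-b","output":"10:07:30.000 Notice A shell was spawned in a container with an attached terminal (user=root shell=bash)","priority":"Notice","rule":"Terminal shell in container","source":"syscall","tags":["container","shell"],"time":"2024-05-01T10:07:30.000Z"}',
    '{"hostname":"node-b","output":"10:09:00.000 Informational Privileged container started (user=root image=busybox)","priority":"Informational","rule":"Launch Privileged Container","source":"syscall","tags":["container","cis"],"time":"2024-05-01T10:09:00.000Z"}',
    'not a falco event: collector heartbeat',
]

PRIORITIES = ("Critical", "Error", "Warning", "Notice", "Informational")
_TS = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:?\d\d)$")

def parse_time(ts):
    """Parse a Falco ISO 8601 timestamp; tolerates 'Z', '+0000' and nanosecond fractions."""
    m = _TS.match(ts)
    if not m:
        return None
    base, frac, tz = m.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))  # datetime holds microseconds only
    if tz == "Z":
        tz = "+0000"
    dt = datetime.strptime(base + tz.replace(":", ""), "%Y-%m-%dT%H:%M:%S%z")
    return dt.replace(microsecond=micro)

def parse_falco_line(line):
    """Return the event dict for one Falco JSON line, or None for anything that is not a Falco event."""
    try:
        ev = json.loads(line)
    except ValueError:
        return None
    return ev if isinstance(ev, dict) and {"priority", "rule", "time"} <= ev.keys() else None

def aggregate_by_priority(lines):
    """Bucket events into the priority groups the extension alerts on; keep the fields an analyst reads first."""
    buckets = {p: [] for p in PRIORITIES}
    for ev in filter(None, map(parse_falco_line, lines)):
        p = ev["priority"].capitalize()
        if p in buckets:
            buckets[p].append({"rule": ev["rule"], "source": ev.get("source"), "time": ev["time"]})
    return buckets

def falco_silent(lines, now, window=timedelta(hours=12)):
    """True when no Falco event lies within `window` before `now` (the 'No logs from Falco' condition)."""
    times = [parse_time(ev["time"]) for ev in filter(None, map(parse_falco_line, lines))]
    times = [t for t in times if t is not None]
    return not times or now - max(times) > window
```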
Integration
Learn more about Coralogix's out-of-the-box integration with Falco in our documentation.