Detect threats in running containers

info

Falco needs to be activated for this lab.

Falco is a cloud native security tool that provides runtime security. It leverages custom rules on Linux kernel events and other data sources through plugins, enriching event data with contextual metadata to deliver real-time alerts. Falco enables the detection of abnormal behavior, potential security threats, and compliance violations.

Generate threats

For this lab we'll deploy the event-generator in a Team namespace. The event-generator is a tool designed to generate events for both syscalls and k8s audits. The tool can be used to check if Falco is working properly. It does so by performing a variety of suspects actions which trigger security events. The event-event generator implements a minimalistic framework which makes easy to implement new actions.

Add the falcosecurity charts repository:

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

Install the chart in the team namespace:

helm install team-labs falcosecurity/event-generator -n team-labs

See the events in the detected threats in containers dashboard

In the left menu, click on Apps and open Grafana.
Click on the Detected threads in containers dashboards
See all the generated threat events

falco-dashboard

Generate threats​

See the events in the detected threats in containers dashboard​

Generate threats

See the events in the detected threats in containers dashboard