Falco IDS

About

Falco, the cloud-native runtime security project, is the de facto Kubernetes threat detection engine. It detects threats at runtime by observing the behavior of your applications and containers, and it extends threat detection across cloud environments with Falco Plugins. Falco is the first runtime security project to join CNCF as an incubation-level project. Falco acts as a security camera, detecting unexpected behavior, intrusions, and data theft in real time.

Product Details

Vendor URL: Falco IDS

Product Type: Intrusion Detection

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Custom

Log Guide: N/A

Parser Details

Log Format: JSON

Expected Normalization Rate: 90%

Data Label: FALCO_IDS

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
address.ip target.ip
address.nodeName target.hostname
address.targetRef.kind target.resource.resource_subtype
address.targetRef.name target.resource.name
address.targetRef.uid target.resource.id
annotations.authorization.k8s.io/reason security_result.description
apiVersion metadata.product_version
auditID metadata.product_log_id
containerid.containerID target.asset.asset_id
containerStatus.image target.file.full_path
containerStatuse.imageID target.file.full_path
description metadata.description
ebpf_enabled target.resource.attribute.labels
evt_arg_fd target.resource.attribute.labels
evt_arg_filename target.resource.attribute.labels
evt_arg_mode target.resource.attribute.labels
Falco metadata.vendor_name
Falco IDS metadata.product_name
fd_name target.resource.attribute.labels
grpname principal.user.group_identifiers
jsonPayload.hostname principal.hostname
jsonPayload.output_fields.bl-ssr target.resource.name
jsonPayload.output_fields.cloud-project-id observer.cloud.project.id
jsonPayload.output_fields.container.id target.asset.asset_id
jsonPayload.output_fields.container.image.repository target.file.full_path
jsonPayload.output_fields.email target.user.email_addresses
jsonPayload.output_fields.falco.contact principal.user.email_addresses
jsonPayload.output_fields.falco.host.ip principal.ip
jsonPayload.output_fields.falco.host.name principal.hostname
jsonPayload.output_fields.falco.pod-ip observer.ip
jsonPayload.output_fields.falco.pod.name observer.hostname
jsonPayload.output_fields.falco.ssrid target.resource.product_object_id
jsonPayload.output_fields.host-ip target.ip
jsonPayload.output_fields.host-name target.hostname
jsonPayload.output_fields.pod-ip observer.ip
jsonPayload.output_fields.pod-name observer.hostname
jsonPayload.output_fields.proc.cmdline target.process.command_line
jsonPayload.output_fields.proc.pid target.process.pid
jsonPayload.output_fields.user.loginuid target.user.userid
jsonPayload.output_fields.user.name principal.user.user_display_name
jsonPayload.priority security_result.priority_details
jsonPayload.rule security_result.rule_name
jsonPayload.sourceIPs principal.ip
jsonPayload.tags security_result.category_details
k8_ns_name additional.fields
k8s_pod_name additional.fields
kind metadata.product_event_type
logName metadata.product_log_id
objectRef.name target.resource.name
objectRef.resource target.resource.resource_subtype
objectRef.uid target.user.userid
ol-env target.labels
output metadata.description
podip.ip target.ip
portdetails.name network.application_protocol
portdetails.port target.port
portdetails.protocol network.ip_protocol
principal_ip principal.ip
principal_port principal.port
product_version metadata.product_version
request_constraint_label target.resource.attribute.labels
requestObject.metadata.uid target.user.userid
requestObject.status.hostIP target.ip
requestURI target.url
resource.labels.cluster_name target.resource.name
resource.labels.location target.cloud.availability_zone
resource.labels.namespace_name target.namespace
resource.labels.pod_name target.hostname
resource.labels.project_id target.resource.id
responseObject.metadata.uid target.user.userid
responseObject.spec.uid target.user.userid
responseObject.spec.user target.user.user_display_name
responseStatus.code network.http.response_code
severity security_result.severity
severity security_result.severity_details
stage metadata.description
tags target.labels
target metadata.collected_timestamp
target_ip target.ip
target_port target.port
uid principal.user.userid
user.groups target.user.group_identifiers
user.uid principal.user.userid
user.username principal.user.user_display_name
userAgent network.http.user_agent
verb network.http.method

Product Event Types

verb UDM Event Classification
all others STATUS_UNCATEGORIZED
CREATE USER_RESOURCE_CREATION
DELETE USER_RESOURCE_DELETION
GET USER_RESOURCE_ACCESS
LIST USER_RESOURCE_ACCESS
PATCH USER_RESOURCE_UPDATE_CONTENT
UPDATE USER_RESOURCE_UPDATE_CONTENT
WATCH USER_RESOURCE_ACCESS

Log Sample

{
  "jsonPayload": {
    "priority": "Notice",
    "rule": "User mgmt binaries",
    "source": "syscall",
    "tags": ["host", "mitre_persistence", "users"],
    "hostname": "hostname1",
    "output": "03:59:12.401062324: Notice User management binary command run outside of container (user=user_loginuid=-1 command=groupadd group pid=pid parent=process gparent=ggparent=gggparent=) k8s.ns=k8s.pod=container=host",
    "output_fields": {
      "proc.pid": pid,
      "proc.pname": "process",
      "user.loginuid": -1,
      "user.name": "",
      "k8s.pod.name": null,
      "proc.aname[2]": null,
      "k8s.ns.name": null,
      "proc.aname[3]": null,
      "proc.aname[4]": null,
      "proc.cmdline": "groupadd group",
      "container.id": "host",
      "evt.time": 1672253952401062400
    }
  },
  "labels": {
    "k8s-pod/controller-revision-hash": "hash",
    "k8s-pod/pod-template-generation": "4",
    "urlresource_name": "hostname1",
    "k8s-pod/app_kubernetes_io/instance": "instancename",
    "k8s-pod/app_kubernetes_io/name": "instancename"
  },
  "logName": "projectlogs",
  "receiveTimestamp": "2022-12-28T18:59:40.444122688Z",
  "resource": {
    "labels": {
      "cluster_name": "cluster",
      "container_name": "instancename",
      "location": "region",
      "namespace_name": "instancename",
      "pod_name": "podname",
      "project_id": "project"
    },
    "type": "k8s_container"
  },
  "severity": "INFO",
  "timestamp": "2022-12-28T18:59:12.401062324Z",
  "insertId": "aslwo"
}

Sample Parsing

metadata.product_log_id = "projectlogs"
metadata.event_type = "STATUS_UNCATEGORIZED"
metadata.vendor_name = "Falco"
metadata.product_name = "Falco IDS"
metadata.description = "Notice User management binary command run outside of container"
principal.hostname = "hostname1"
principal.user.user_display_name = "<NA>"
principal.asset.hostname = "hostname1"
target.hostname = "podname"
target.asset_id = "container_id:host"
target.process.pid = "pid"
target.process.command_line = "groupadd group"
target.resource.id = "project"
target.resource.name = "cluster"
target.resource.resource_type = "CLUSTER"
target.namespace = "falco"
target.cloud.availability_zone = "region"
target.asset.hostname = "podname"
target.asset.asset_id = "container_id:host"
security_result.category_details = "host"
security_result.category_details = "mitre_persistence"
security_result.category_details = "users"
security_result.rule_name = "User mgmt binaries"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "INFO"
security_result.priority_details = "Notice"
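An added example, not part of this page or of the parser itself, that normalizes one Falco JSON line into the UDM fields listed above and reproduces the Sample Parsing: it applies the verb-to-event-type table, maps INFO to INFORMATIONAL, strips the timestamp prefix and the "(k=v ...)" suffix from output to obtain metadata.description, and renders an empty user.name as <NA>. The normalize_falco helper, the UNKNOWN_SEVERITY fallback and the constructed SAMPLE record are assumptions.

```python
import json
import re

# Verb -> UDM event classification from the Product Event Types table above;
# any other verb, or none at all (syscall alerts carry no verb), is STATUS_UNCATEGORIZED.
VERB_EVENT_TYPES = {
    "CREATE": "USER_RESOURCE_CREATION", "DELETE": "USER_RESOURCE_DELETION",
    "GET": "USER_RESOURCE_ACCESS", "LIST": "USER_RESOURCE_ACCESS", "WATCH": "USER_RESOURCE_ACCESS",
    "PATCH": "USER_RESOURCE_UPDATE_CONTENT", "UPDATE": "USER_RESOURCE_UPDATE_CONTENT",
}
# Only INFO -> INFORMATIONAL appears on the page; the UNKNOWN_SEVERITY fallback is an assumption.
SEVERITY_MAP = {"INFO": "INFORMATIONAL"}
# Falco output reads "HH:MM:SS.ns: <message> (k=v ...)"; Sample Parsing keeps only <message>.
_OUTPUT_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+:\s*(.*?)\s*\(")

# Hypothetical helper, not the parser's own code: one Falco JSON line -> flat dict of UDM fields.
def normalize_falco(raw: str) -> dict:
    log = json.loads(raw)
    payload = log.get("jsonPayload", {})
    out = payload.get("output_fields", {})
    res = log.get("resource", {}).get("labels", {})
    m = _OUTPUT_RE.match(payload.get("output", ""))
    return {
        "metadata.event_type": VERB_EVENT_TYPES.get(log.get("verb", ""), "STATUS_UNCATEGORIZED"),
        "metadata.description": m.group(1) if m else payload.get("output", ""),
        "principal.hostname": payload.get("hostname", ""),
        # An empty user.name is rendered as "<NA>", as in the Sample Parsing above.
        "principal.user.user_display_name": out.get("user.name") or "<NA>",
        "target.hostname": res.get("pod_name", ""),
        "target.asset.asset_id": "container_id:" + str(out.get("container.id", "")),
        "target.process.pid": str(out.get("proc.pid", "")),
        "target.process.command_line": out.get("proc.cmdline", ""),
        "target.resource.name": res.get("cluster_name", ""),
        "security_result.rule_name": payload.get("rule", ""),
        "security_result.category_details": list(payload.get("tags", [])),
        "security_result.severity_details": log.get("severity", ""),
        "security_result.severity": SEVERITY_MAP.get(log.get("severity", ""), "UNKNOWN_SEVERITY"),
    }

# Constructed sample modelled on the page's Log Sample (numeric pid so that it is valid JSON).
SAMPLE = json.dumps({
    "jsonPayload": {"priority": "Notice", "rule": "User mgmt binaries", "hostname": "hostname1",
                    "tags": ["host", "mitre_persistence", "users"],
                    "output": "03:59:12.401062324: Notice User management binary command run "
                              "outside of container (user=<NA> user_loginuid=-1 pid=4242)",
                    "output_fields": {"proc.pid": 4242, "user.name": "", "container.id": "host",
                                      "proc.cmdline": "groupadd group"}},
    "logName": "projectlogs", "severity": "INFO",
    "resource": {"labels": {"cluster_name": "cluster", "pod_name": "podname"}, "type": "k8s_container"},
})
```

Calling normalize_falco(SAMPLE) yields the same values as the Sample Parsing block for the fields it covers; a line with a Kubernetes audit verb such as PATCH is classified through VERB_EVENT_TYPES instead.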

Parser Alerting

This product currently does not have any Parser-based Alerting.