# Falco IDS

## About

Falco, the cloud-native runtime security project, is the de facto Kubernetes threat detection engine. It detects threats at runtime by observing the behavior of your applications and containers, and it extends threat detection across cloud environments with Falco Plugins. Falco is the first runtime security project to join the CNCF as an incubation-level project. It acts as a security camera, detecting unexpected behavior, intrusions, and data theft in real time.
## Product Details

Vendor URL: Falco IDS
Product Type: Intrusion Detection
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Custom
Log Guide: N/A
## Parser Details

Log Format: JSON
Expected Normalization Rate: 90%
Data Label: FALCO_IDS
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| address.ip | target.ip |
| address.nodeName | target.hostname |
| address.targetRef.kind | target.resource.resource_subtype |
| address.targetRef.name | target.resource.name |
| address.targetRef.uid | target.resource.id |
| annotations.authorization.k8s.io/reason | security_result.description |
| apiVersion | metadata.product_version |
| auditID | metadata.product_log_id |
| containerid.containerID | target.asset.asset_id |
| containerStatus.image | target.file.full_path |
| containerStatuse.imageID | target.file.full_path |
| description | metadata.description |
| ebpf_enabled | target.resource.attribute.labels |
| evt_arg_fd | target.resource.attribute.labels |
| evt_arg_filename | target.resource.attribute.labels |
| evt_arg_mode | target.resource.attribute.labels |
| Falco | metadata.vendor_name |
| Falco IDS | metadata.product_name |
| fd_name | target.resource.attribute.labels |
| grpname | principal.user.group_identifiers |
| jsonPayload.hostname | principal.hostname |
| jsonPayload.output_fields.bl-ssr | target.resource.name |
| jsonPayload.output_fields.cloud-project-id | observer.cloud.project.id |
| jsonPayload.output_fields.container.id | target.asset.asset_id |
| jsonPayload.output_fields.container.image.repository | target.file.full_path |
| jsonPayload.output_fields.email | target.user.email_addresses |
| jsonPayload.output_fields.falco.contact | principal.user.email_addresses |
| jsonPayload.output_fields.falco.host.ip | principal.ip |
| jsonPayload.output_fields.falco.host.name | principal.hostname |
| jsonPayload.output_fields.falco.pod-ip | observer.ip |
| jsonPayload.output_fields.falco.pod.name | observer.hostname |
| jsonPayload.output_fields.falco.ssrid | target.resource.product_object_id |
| jsonPayload.output_fields.host-ip | target.ip |
| jsonPayload.output_fields.host-name | target.hostname |
| jsonPayload.output_fields.pod-ip | observer.ip |
| jsonPayload.output_fields.pod-name | observer.hostname |
| jsonPayload.output_fields.proc.cmdline | target.process.command_line |
| jsonPayload.output_fields.proc.pid | target.process.pid |
| jsonPayload.output_fields.user.loginuid | target.user.userid |
| jsonPayload.output_fields.user.name | principal.user.user_display_name |
| jsonPayload.priority | security_result.priority_details |
| jsonPayload.rule | security_result.rule_name |
| jsonPayload.sourceIPs | principal.ip |
| jsonPayload.tags | security_result.category_details |
| k8_ns_name | additional.fields |
| k8s_pod_name | additional.fields |
| kind | metadata.product_event_type |
| logName | metadata.product_log_id |
| objectRef.name | target.resource.name |
| objectRef.resource | target.resource.resource_subtype |
| objectRef.uid | target.user.userid |
| ol-env | target.labels |
| output | metadata.description |
| podip.ip | target.ip |
| portdetails.name | network.application_protocol |
| portdetails.port | target.port |
| portdetails.protocol | network.ip_protocol |
| principal_ip | principal.ip |
| principal_port | principal.port |
| product_version | metadata.product_version |
| request_constraint_label | target.resource.attribute.labels |
| requestObject.metadata.uid | target.user.userid |
| requestObject.status.hostIP | target.ip |
| requestURI | target.url |
| resource.labels.cluster_name | target.resource.name |
| resource.labels.location | target.cloud.availability_zone |
| resource.labels.namespace_name | target.namespace |
| resource.labels.pod_name | target.hostname |
| resource.labels.project_id | target.resource.id |
| responseObject.metadata.uid | target.user.userid |
| responseObject.spec.uid | target.user.userid |
| responseObject.spec.user | target.user.user_display_name |
| responseStatus.code | network.http.response_code |
| severity | security_result.severity |
| severity | security_result.severity_details |
| stage | metadata.description |
| tags | target.labels |
| target | metadata.collected_timestamp |
| target_ip | target.ip |
| target_port | target.port |
| uid | principal.user.userid |
| user.groups | target.user.group_identifiers |
| user.uid | principal.user.userid |
| user.username | principal.user.user_display_name |
| userAgent | network.http.user_agent |
| verb | network.http.method |
## Product Event Types

| verb | UDM Event Classification |
|---|---|
| all others | STATUS_UNCATEGORIZED |
| CREATE | USER_RESOURCE_CREATION |
| DELETE | USER_RESOURCE_DELETION |
| GET | USER_RESOURCE_ACCESS |
| LIST | USER_RESOURCE_ACCESS |
| PATCH | USER_RESOURCE_UPDATE_CONTENT |
| UPDATE | USER_RESOURCE_UPDATE_CONTENT |
| WATCH | USER_RESOURCE_ACCESS |
## Log Sample

```json
{
  "jsonPayload": {
    "priority": "Notice",
    "rule": "User mgmt binaries",
    "source": "syscall",
    "tags": ["host", "mitre_persistence", "users"],
    "hostname": "hostname1",
    "output": "03:59:12.401062324: Notice User management binary command run outside of container (user=user_loginuid=-1 command=groupadd group pid=pid parent=process gparent=ggparent=gggparent=) k8s.ns=k8s.pod=container=host",
    "output_fields": {
      "proc.pid": pid,
      "proc.pname": "process",
      "user.loginuid": -1,
      "user.name": "",
      "k8s.pod.name": null,
      "proc.aname[2]": null,
      "k8s.ns.name": null,
      "proc.aname[3]": null,
      "proc.aname[4]": null,
      "proc.cmdline": "groupadd group",
      "container.id": "host",
      "evt.time": 1672253952401062400
    }
  },
  "labels": {
    "k8s-pod/controller-revision-hash": "hash",
    "k8s-pod/pod-template-generation": "4",
    "urlresource_name": "hostname1",
    "k8s-pod/app_kubernetes_io/instance": "instancename",
    "k8s-pod/app_kubernetes_io/name": "instancename"
  },
  "logName": "projectlogs",
  "receiveTimestamp": "2022-12-28T18:59:40.444122688Z",
  "resource": {
    "labels": {
      "cluster_name": "cluster",
      "container_name": "instancename",
      "location": "region",
      "namespace_name": "instancename",
      "pod_name": "podname",
      "project_id": "project"
    },
    "type": "k8s_container"
  },
  "severity": "INFO",
  "timestamp": "2022-12-28T18:59:12.401062324Z",
  "insertId": "aslwo"
}
```
## Sample Parsing

```text
metadata.product_log_id = "projectlogs"
metadata.event_type = "STATUS_UNCATEGORIZED"
metadata.vendor_name = "Falco"
metadata.product_name = "Falco IDS"
metadata.description = "Notice User management binary command run outside of container"
principal.hostname = "hostname1"
principal.user.user_display_name = "<NA>"
principal.asset.hostname = "hostname1"
target.hostname = "podname"
target.asset_id = "container_id:host"
target.process.pid = "pid"
target.process.command_line = "groupadd group"
target.resource.id = "project"
target.resource.name = "cluster"
target.resource.resource_type = "CLUSTER"
target.namespace = "falco"
target.cloud.availability_zone = "region"
target.asset.hostname = "podname"
target.asset.asset_id = "container_id:host"
security_result.category_details = "host"
security_result.category_details = "mitre_persistence"
security_result.category_details = "users"
security_result.rule_name = "User mgmt binaries"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "INFO"
security_result.priority_details = "Notice"
```
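To make the field table, the verb-to-event-type table and the sample parsing concrete, here is a small normalizer that applies them to a constructed Falco alert and a constructed Kubernetes audit record. It is an example written for this page, not the Chronicle parser's own code: the mapping rows, the verb table and the `INFO` to `INFORMATIONAL`, tag, `container_id:` and `<NA>` behaviour come from the page, while the sample values, the function names (`lookup`, `rule_message`, `normalize`), the uppercase verb matching and the fallback severity value are assumptions.

```python
"""Toy Falco IDS -> UDM normalizer (added example, not the production parser)."""
import json
import re

# Product Event Types table: Kubernetes audit `verb` -> UDM event classification.
VERB_TO_EVENT_TYPE = {
    "CREATE": "USER_RESOURCE_CREATION",
    "DELETE": "USER_RESOURCE_DELETION",
    "GET": "USER_RESOURCE_ACCESS",
    "LIST": "USER_RESOURCE_ACCESS",
    "PATCH": "USER_RESOURCE_UPDATE_CONTENT",
    "UPDATE": "USER_RESOURCE_UPDATE_CONTENT",
    "WATCH": "USER_RESOURCE_ACCESS",
}
DEFAULT_EVENT_TYPE = "STATUS_UNCATEGORIZED"  # the "all others" row

# The page only shows INFO -> INFORMATIONAL; the fallback value is an assumption.
SEVERITY_TO_UDM = {"INFO": "INFORMATIONAL"}
UNKNOWN_SEVERITY = "UNKNOWN_SEVERITY"

# Subset of the single-valued rows of the UDM field table (log field -> UDM field).
FIELD_MAP = {
    "logName": "metadata.product_log_id",
    "auditID": "metadata.product_log_id",
    "kind": "metadata.product_event_type",
    "verb": "network.http.method",
    "requestURI": "target.url",
    "objectRef.name": "target.resource.name",
    "objectRef.resource": "target.resource.resource_subtype",
    "jsonPayload.hostname": "principal.hostname",
    "jsonPayload.rule": "security_result.rule_name",
    "jsonPayload.priority": "security_result.priority_details",
    "jsonPayload.output_fields.proc.cmdline": "target.process.command_line",
    "jsonPayload.output_fields.proc.pid": "target.process.pid",
    "resource.labels.pod_name": "target.hostname",
    "resource.labels.cluster_name": "target.resource.name",
    "resource.labels.project_id": "target.resource.id",
    "severity": "security_result.severity_details",
}

def lookup(obj, path):
    """Resolve a dotted path against nested dicts. Falco's output_fields use literal
    dotted keys such as "proc.pid", so at each level the longest matching key wins."""
    segments, cur = path.split("."), obj
    while segments:
        if not isinstance(cur, dict):
            return None
        for n in range(len(segments), 0, -1):
            key = ".".join(segments[:n])
            if key in cur:
                cur, segments = cur[key], segments[n:]
                break
        else:
            return None
    return cur

def rule_message(output):
    """Reduce Falco's `output` line to the rule message as the Sample Parsing shows:
    drop the leading clock time and everything from the "(user=..." detail block on."""
    text = re.sub(r"^\d{2}:\d{2}:\d{2}(?:\.\d+)?:\s*", "", output)
    return re.sub(r"\s*\(.*$", "", text, flags=re.S).strip()

def normalize(raw_line):
    """Turn one JSON log line into a flat dict of UDM field path -> value."""
    event = json.loads(raw_line)
    udm = {"metadata.vendor_name": "Falco", "metadata.product_name": "Falco IDS"}
    for src, dst in FIELD_MAP.items():
        value = lookup(event, src)
        if value not in (None, ""):
            udm[dst] = str(value)
    verb = str(lookup(event, "verb") or "").upper()  # case folding is an assumption
    udm["metadata.event_type"] = VERB_TO_EVENT_TYPE.get(verb, DEFAULT_EVENT_TYPE)
    udm["security_result.severity"] = SEVERITY_TO_UDM.get(lookup(event, "severity"), UNKNOWN_SEVERITY)
    output = lookup(event, "jsonPayload.output")
    if output:
        udm["metadata.description"] = rule_message(output)
    tags = lookup(event, "jsonPayload.tags")
    if isinstance(tags, list):  # repeated field: one category_details per tag
        udm["security_result.category_details"] = [str(t) for t in tags]
    container_id = lookup(event, "jsonPayload.output_fields.container.id")
    if container_id:  # the sample parsing shows the "container_id:" prefix
        udm["target.asset.asset_id"] = f"container_id:{container_id}"
    user_name = lookup(event, "jsonPayload.output_fields.user.name")
    if user_name is not None:  # an empty user.name surfaces as "<NA>" in the sample
        udm["principal.user.user_display_name"] = user_name or "<NA>"
    return udm

# Constructed samples (not real events): a Falco syscall alert shaped like the page's
# log sample, and a Kubernetes audit-style record that carries a `verb`.
SAMPLE_FALCO_LOG = json.dumps({
    "jsonPayload": {
        "priority": "Notice", "rule": "User mgmt binaries", "source": "syscall",
        "tags": ["host", "mitre_persistence", "users"], "hostname": "hostname1",
        "output": "03:59:12.401062324: Notice User management binary command run outside of "
                  "container (user=root user_loginuid=-1 command=groupadd group pid=4242 "
                  "parent=bash) k8s.ns=<NA> k8s.pod=<NA> container=host",
        "output_fields": {"proc.pid": 4242, "proc.cmdline": "groupadd group",
                          "user.loginuid": -1, "user.name": "", "container.id": "host"},
    },
    "logName": "projectlogs",
    "resource": {"labels": {"cluster_name": "cluster", "pod_name": "podname",
                            "project_id": "project"}, "type": "k8s_container"},
    "severity": "INFO",
})
SAMPLE_AUDIT_LOG = json.dumps({
    "kind": "Event", "auditID": "audit-0001", "verb": "create",
    "requestURI": "/api/v1/namespaces/default/pods",
    "objectRef": {"resource": "pods", "name": "web-0"}, "severity": "INFO",
})

if __name__ == "__main__":
    for line in (SAMPLE_FALCO_LOG, SAMPLE_AUDIT_LOG):
        print(json.dumps(normalize(line), indent=2))
```

Running it prints the Falco alert normalized to `STATUS_UNCATEGORIZED` (no `verb` is present) with the description, tags, severity and `container_id:host` asset id matching the sample parsing above, and the audit record classified as `USER_RESOURCE_CREATION` through the verb table. The `lookup` helper matters because Falco's `output_fields` keys contain literal dots, so a naive split on `.` would never find `proc.pid`.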
## Parser Alerting

This product currently does not have any Parser-based Alerting.