15 Oct 2024 08:36 AM
In this episode, Henrik Rexed @HenrikRexed will help you improve your cloud-native security, especially in detecting suspicious activities within your Kubernetes (K8s) runtime. Falco detects suspicious activity through kernel events, from unauthorized process executions to API misuse. We’ll walk through Falco's predefined and customizable rules and how to extend them with FalcoSidekick, which sends alerts to systems like Slack or Dynatrace and can even trigger workflows with Talon.
🚀 What you'll learn in this episode:
- Why runtime security is crucial for K8s environments
- A breakdown of common suspicious events to monitor in your Kubernetes cluster
- Introduction to Falco and how it leverages eBPF for real-time threat detection
- The syntax and structure of Falco rules, so you can tailor them to your security needs
- How FalcoSidekick can streamline event reporting and integrate with your observability tools
🚀 Topics covered:
- Falco overview and architecture
- Detecting malicious container activity (like privilege escalation and traffic sniffing)
- How to build and customize Falco rules
- Sending Falco logs to various backends using FalcoSidekick
- Observing Falco’s health and performance metrics
-----------------------------
📖 Chapters 📖
00:00 Introduction to the video
05:22 Overview of Falco and its architecture
08:56 Introduction to the Falco rules
12:38 What is FalcoSidekick and how to use it
15:08 Observing Falco's health and performance
18:40 Conclusion and takeaways
-----------------------------
🔗 Additional Links
GitHub tutorial
Falco
Falco default rule
Falco Supported fields
Falco Sidekick
Blog