Monitor Kubernetes Events With Falco For Free

Published in
6 min readFeb 24, 2022


Photo by Julian Hochgesang on Unsplash

Kubernetes is now the platform of choice for many companies to manage their applications both on-premises and in the cloud. Its emergence a few years ago drastically changed the way we work. The flexibility of this platform has allowed us to increase the productivity of the engineering teams, thus requiring new working methods more adapted to this dynamic environment.

Kubernetes requested an adaptation of the security control processes to ensure the continuity of the reliability of this system. Falco is a tool that fits into this ecosystem.

What Is Falco?

Falco is an open source tool, created by Sysdig, to continuously detect risks and threats on Kubernetes platforms, containers, on-premise systems and even Cloud activity. Falco can be seen as an agent deployed on each node (master and worker) to observe and alert in real time unexpected behaviors such as configuration changes, intrusions or data theft.

Falco is now supported by the Cloud Native Computing Foundation (CNCF) and a huge community that continues to improve and maintain the project.

Falco is mainly used by security engineers (CISO, SRE, Security analyst, etc) to detect and alert as soon as possible any deviant behavior on any system and potentially automate playbooks to fix any issue detected.

To do so, Falco relies on predefined and/or custom rules that a security team can use to extend Falco’s detection range.

What Is A Falco Rule?

The way Falco manages these rules fits perfectly in the context of the Security as Code methodology where security and policy decisions are codified to be shared and potentially maintained by multiple teams.

Falco rules are the central component of the application to identify the deviant behavior of any component on a cluster. Their definition consists of macros, lists and conditions defined in the YAML files deployed in the default folder or in a specific directory to be interpreted automatically by Falco at startup.

Example of a Falco rule definition to identify the execution of a shell in a container



Writer for

DevOps, Observability, Cloud Computing and Automation!