You are viewing documentation for Falco version: v0.32.2

Falco v0.32.2 documentation is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date documentation, see the latest version.

Event Sources

Last modified August 8, 2022

Falco can consume events from a variety of different sources and apply rules to these events to detect abnormal behavior.

Falco natively supports the System Call event source (syscall) via the drivers. Since Falco 0.31, Falco also supports additional event sources through the Plugin System:

In addition to these plugins hosted by the Falcosecurity organization, others have written third-party plugins that support additional event sources. Please refer to the official Plugin Registry for the most up-to-date information regarding the Falco plugins acknowledged by the community.

Falco Drivers

CloudTrail Events

Kubernetes Audit Events

Okta Events

Actions For Dropped System Call Events

Generating sample events


Last modified August 8, 2022: Fixing a duplicity of weights (51820d3)