Chapter 12. Consuming Falco Events

At this point, you’ve learned how to run and configure Falco. You understand how Falco can be used for runtime and cloud security and how it can detect a vast spectrum of threats. Now, it’s time to focus on what you can do with Falco’s detections. Consuming Falco’s output is the final piece of the puzzle and the subject of this chapter.

Alerts generated by Falco are helpful for observing and securing your production system, and we will give you some advice on how to use those alerts effectively. The first part of the chapter is about tools that help you consume Falco’s outputs. Next, we will show you how to get notified immediately when Falco detects a security threat, so your security team can react as soon as possible and take appropriate countermeasures. Finally, we’ll show you a mechanism for automatically responding to threats to speed up response times.

Working with Falco Outputs

A minimal Falco installation outputs a simple textual log that you can store for later consultation, but this is not very useful. Fortunately, more intelligent tools allow you to work with Falco’s outputs and expand its possibilities, and these are an important part of integrating Falco into your ecosystem.

This section will talk in detail about two tools that we have already mentioned in the book. The first, falco-exporter, is a tool designed to do one thing and do it well: produce metrics from Falco’s detected events. The second, Falcosidekick, ...
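To make the two consumption patterns above concrete, here is a small added example (not code from the book, nor from the falco-exporter or Falcosidekick projects) that reads Falco's line-delimited JSON output, the format you get with `json_output: true`, aggregates events per rule and priority the way a metrics exporter does, and selects the events a notifier should forward immediately. The sample events are constructed for this example; the metric name `falco_events`, the notification threshold, and the Prometheus-style rendering are assumptions for illustration, not the exporter's actual implementation.

```python
"""Consume Falco's JSON output: aggregate per-rule metrics and pick alerts to notify on."""
import json
from collections import Counter

# Constructed sample of Falco JSON output lines (not real detections); the
# truncated third line stands in for a partially written log record.
SAMPLE_OUTPUT = """\
{"output":"Notice A shell was spawned in a container","priority":"Notice","rule":"Terminal shell in container","time":"2023-01-01T10:00:00.000000000Z","output_fields":{"container.id":"c0ffee","user.name":"root"}}
{"output":"Error File below /etc opened for writing","priority":"Error","rule":"Write below etc","time":"2023-01-01T10:00:01.000000000Z","output_fields":{"container.id":"c0ffee","fd.name":"/etc/passwd"}}
{"output":"Notice A shell was spawned in a con
{"output":"Warning Sensitive file opened for reading","priority":"Warning","rule":"Read sensitive file untrusted","time":"2023-01-01T10:00:02.000000000Z","output_fields":{"container.id":"deadbe","fd.name":"/etc/shadow"}}
{"output":"Notice A shell was spawned in a container","priority":"Notice","rule":"Terminal shell in container","time":"2023-01-01T10:00:03.000000000Z","output_fields":{"container.id":"deadbe","user.name":"app"}}
"""

# Falco's syslog-style priority levels, most severe first.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Informational", "Debug"]


def parse_events(text):
    """Yield one dict per well-formed JSON line; skip unparseable lines instead of stopping."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a torn or truncated record must not take the consumer down
        if {"rule", "priority", "output"} <= event.keys():
            yield event


def count_by_rule(events):
    """Count events per (rule, priority): the aggregation a metrics exporter performs."""
    return Counter((e["rule"], e["priority"]) for e in events)


def render_prometheus(counts, metric="falco_events"):
    """Render the counts in Prometheus text exposition format (metric name assumed here)."""
    lines = [f"# TYPE {metric} counter"]
    for (rule, priority), n in sorted(counts.items()):
        lines.append(f'{metric}{{rule="{rule}",priority="{priority}"}} {n}')
    return "\n".join(lines) + "\n"


def at_least(priority, threshold):
    """True if `priority` is as severe as, or more severe than, `threshold`."""
    return PRIORITIES.index(priority) <= PRIORITIES.index(threshold)


def select_for_notification(events, threshold="Warning"):
    """Return the events a notifier should forward right away: those at or above the threshold."""
    return [e for e in events if at_least(e["priority"], threshold)]


if __name__ == "__main__":
    evs = list(parse_events(SAMPLE_OUTPUT))
    print(render_prometheus(count_by_rule(evs)))
    for e in select_for_notification(evs):
        print("NOTIFY:", e["priority"], e["rule"], e["output_fields"].get("container.id"))
```

Run it as a script to see the rendered counters and the two events that cross the `Warning` threshold; in a real deployment the same functions would read from Falco's stdout, a file, or the gRPC/HTTP output instead of the embedded sample, and `select_for_notification` would hand its result to whatever channel your team watches.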

Get Practical Cloud Native Security with Falco now with the O’Reilly learning platform.