falco.org

Implement a Falco plugin in Go using the plugin-sdk-go SDK: register source and extractor capabilities in init(), implement Open() to return a source.Instance, and implement NextBatch() to generate batched events

Configure Falco to load plugins via falco.yaml plugins and load_plugins settings, and install plugin artifacts with falcoctl

Integrate Falco with gVisor (runsc) to monitor syscall events inside gVisor sandboxes

Deploy the Falco k8smeta plugin and k8s-metacollector to enrich Falco syscall events with Kubernetes pod and workload metadata

Author Falco rules using the priority, output, and exceptions fields to tune detection and reduce false positives

Write a Falco custom rule using macros and lists to detect outbound network connections from web server processes

Configure Falco macros and lists for reusable container-aware conditions across multiple rules

Deploy Falco with the k8saudit plugin to detect Kubernetes API server audit events

Run Falco with the modern-eBPF driver instead of the kernel module or legacy eBPF probe

Configure Falcosidekick to fan out Falco alerts to Slack, an S3 bucket, and a webhook simultaneously

Install and update Falco rules artifacts using falcoctl with an OCI-based artifact registry

Write Falco rules using proc.cmdline and fd.name field selectors to detect credential file reads

Write a Falco custom rule to detect suspicious exec inside a container

Configure Falco lists and macros to build reusable rule conditions

Detect eBPF-based runtime threats in a Kubernetes cluster using Falco with eBPF driver

Forward Falco runtime security alerts to a webhook endpoint