A: Hello, everyone. Welcome to Cloud Native Live, where we dive into the code behind cloud native. I'm Annie Talvasto, I am a CNCF Ambassador and I lead marketing at vision, and I will be your host tonight. So every week we bring a new set of presenters to showcase how to work with cloud native technologies.

A: They will build things, they will break things and they will answer all of your questions, so you can join us every Wednesday to watch live. So this week we have Jesus and Vicente here with us to talk about Prometheus plus Falco, the Swiss army knife for SREs. Excited for this. And as always, this is an official live stream of the CNCF, and as such it is subject to the CNCF code of conduct.
B: Well, hi everyone, thanks for joining us today. In this session we are going to show you how we like to bring Falco into Prometheus, to have Falco insights in our Prometheus metrics, and we are going to start almost from scratch. So this session will be easy for almost everyone. So, well, you know, we are already introduced. So, let's get ready for the agenda.
C: Yeah, we are going to talk about Falco. Falco is a threat detection engine, and what it does is it listens to all the activity that happens in your system, and it has a set of rules enabled. Those rules are basically a set of conditions that are going to be matched, and when something triggers anomalous behavior, Falco is going to send an alert. So that's what Falco does in a nutshell. It does a lot more, but we are going to go into more detail.

C: So can you move to the next tab? (Sure.) Thank you. So what does Falco do? That's exactly what I described, right. So it basically listens to system calls, and system calls are necessary to let the processes talk to each other, so everything has to go through the kernel. Then it matches all the information that comes from those system calls and compares them against a set of rules. So the moment that a rule is violated, let's say someone is trying to open a file that shouldn't be accessed, then it triggers an alert.

C: We are going to see the process throughout this session, and we are going to see how that integrates with Prometheus. So Falco is able to check for privilege escalation, for namespace access, for access to read or write into files or directories it shouldn't, and so on and so forth. So you can see a list of all those conditions on the website you have right in front of you. You can access that through falco.org, that's the documentation website, and we are going to see now what those rules look like. Very, very simple, very easy!
C: Can you go to the next tab? (Sure.) So, as I tell you... you are sharing the link. That's great! Thank you. So the basic elements of a Falco rule are an identifier, that's the rule ID. We have a description, just to tell the maintainer what that rule is doing. An important bit: the condition. So in this case we have a system call called execve, which basically starts a new process.

C: We compare whether it's coming from the call or from the return of the call. Then we compare that it happened in a container. Falco can work on traditional servers, but it has very good features when it comes to containers. So we can tell you: in this node, in this container, something anomalous happened.

C: You don't need that if you don't have containers, but if you have them, it's absolutely amazing. And finally we compare what kind of process we started. So in this specific rule, what we did is to observe that a shell was started in a container, something that, well, it could happen. So we could filter those rules out, but it shouldn't, right. So that's a very, very typical rule that we monitor using Falco. There are many more, and we are going to see a couple more in a few minutes.
C: What happens when a rule is triggered? Well, we need to advise someone. We need to tell someone: hey, this rule has been triggered, and we need to decide how we want to do it. So Falco has different channels to do that. If we go to Falco alerts (Jesus, thank you), we can see that we can send it to the standard output; that's good for monitoring, but not very, very useful if we are doing automated monitoring. We could send them to a file, which is like, yeah, I'll

C: keep them here and later I can observe them. But the interesting bit is when we send it somewhere else. We can send it to an endpoint like Falcosidekick, it's a project we are going to talk about in a moment, or we could send it to another program that does something else. That's up to you. You can choose what you want to do with those alerts. I'm going to show you very, very simply how to configure the HTTP endpoint.

C: So if we go to alert channels here, you can see that we have the standard output I was mentioning before. If we scroll down, we have the file output. If we keep scrolling (Jesus, can you do that for me? Sure. Thank you), syslog is also a traditional way to put those alerts. Keep scrolling, please; I just want to reach the HTTP endpoint to show them how we are going to configure, in this case, to use Falcosidekick there.
C: It's very, very simple: we just indicate we want a JSON output, because that's going to be enriched, and that we want to send it to an HTTP endpoint. This endpoint is going to be, in our case, a Falcosidekick binary that's going to be deployed with the same instructions that we deploy our Falco infrastructure with. And that's simple: we only enable that and we set the URL to the endpoint. Very, very easy to follow. Just a bit more information: if we open the falcosecurity, yeah, that's the Falco repository.

C: We have access to all the repos here. You can see the contributors on the right. There are many, many projects; we are going to talk about a couple of them, the more important ones for this session. So in the next one we can see we have the charts, which are used for deployment, and the last one. We are going to skip the middle one for a moment.

C: Okay, yeah, that's going to be Falcosidekick; that's going to be also automatically deployed through the charts, right. So the last chart, the last tab I wanted to show, the Falco rules, contains all the rules that we can monitor with Falco by default. That doesn't mean we are limited to it. That means that we offer already like 80 rules and you can customize them; we are going to do that through the session. You can extend them, you can delete them, you can disable them. So there is a lot of flexibility here.
B: Okay, well, I'm sure most of you know Prometheus already. Probably. This is an open source project that allows us to monitor whatever you want to monitor. Actually, it's the de facto standard for monitoring Kubernetes, but you can use it for monitoring anything you want; today we're going to use it to monitor Kubernetes.

B: There is a very basic thing that everyone should know about Prometheus: instead of sending metrics to Prometheus from our applications, just like we did with traditional strategies, what we do is we tell Prometheus where our metrics are, so it goes to those endpoints to ingest, to scrape, those metrics. So that's the basic, that's the main difference.

B: So the first thing we need to know when we have started using Prometheus is where or how we are going to expose those metrics. So Prometheus has... I'm sorry, I didn't share this. Okay, thanks, thanks for today.
A: As a quick note, I see a few people asking about the links in the chat. Unfortunately, I can't send them to the LinkedIn side, but they're on the YouTube side, and that's why you can see them on the screen occasionally for your side. And then someone is asking: how can we get the recording?

A: You can find the recording for this session, for example, on the CNCF YouTube immediately after the session, from the live stream tab. So no worries, you can get every second of this goodness later on as well, so tune in there.
B: Okay, so as I was saying, applications need to be properly instrumented to expose those metrics. So the Prometheus community has an SDK, so you can instrument your application in different languages, and it's not easy, but it's not an impossible task to address. The thing is, a lot of traditional, very mature applications aren't instrumented yet, so in the meantime the community has created what's called an exporter.

B: So an exporter is an application that runs along with the application you want to instrument, and it gets those metrics. For example, NGINX has an exporter, I don't know, Redis has an exporter, etc. So the first thing you need to decide when you start monitoring with Prometheus is where I'm going to get those metrics from. So at Sysdig

B: we have this open source project that you can visit, PromCat.io, and you can directly search for the application you want to monitor, and it will tell you if the application is already instrumented or if you need an exporter. It will give you the Helm file or the repo to download the exporter, all the configurations and also alerts; well, the setup guide (for example, in this case it's already instrumented), some dashboards, some Grafana dashboards, and also some alerts.

B: So this could be like the easy way for getting started with Prometheus. And also, in this presentation we are visualizing all the metrics, and the dashboards and the panels are in Grafana. So we will see that in a minute.
B: Yes, as Vicente was pointing out to me, PromCat.io is open source, so anyone can use these exporters. They are completely open source, and it doesn't matter that you are not a Sysdig customer; you can use them right away in your open source Prometheus infrastructure. So don't worry about that.

B: Okay, so the demo has, I think, two main parts. We are going to install and configure Falco, Prometheus, Grafana, exporters, everything that we need to have in order to do the troubleshooting as a use case scenario, and then we're going to have like a standard troubleshooting, to learn how we can use Falco and Prometheus together. Okay, so, I'm sorry, okay.
B: Okay, so we are going to use helmfile, which is a way of orchestrating Helm commands to have everything in one file, so we can start as we are doing here. So we are going to use two charts, which are the falcosecurity and the prometheus-community charts. So, Vicente, do you want to explain what... (Sure.) Okay.

C: So, as Jesus said, we are using helmfile because when we have to deploy several applications at once, that's the easiest way of doing it. We don't have to run one helm install after the other. So in this release, in this Falco release, what we are doing is we are using the standard falcosecurity Falco chart. This is supported by the community, and the values we are passing are basically two. One is the TTY; that means that we want the alerts as soon as they happen, otherwise they might get buffered. People usually complain:

C: "Well, I don't get the alert the moment it happens." Yes, because you are not monitoring the tool by itself. And Falcosidekick here is the one that forwards those alerts to Prometheus. So we are going to use two parameters, one to enable that and the other one is to access the web UI. Falcosidekick is based on two projects: one is the forwarder and the other one is a very nice UI that shows what rules were recognized by Falco, Falcosidekick UI, and you can filter by tags, you can filter by labels.
A: Great, there's an audience question: suppose that I want to monitor my pods on a Kubernetes cluster, is there a node exporter or pod exporter directly usable? Yeah.

B: Yes, well, it depends. If you install Prometheus with the kube-prometheus-stack, it's already configured with the node exporter and kube-state-metrics, so you're good to go. In other scenarios, maybe you might have to add the jobs independently, but if you use this Helm chart, you just need to add the Falco endpoint.

C: So yes, adding to the question: in the Falco chart we are deploying Falcosidekick, which also offers the exporters. So there is a possibility to monitor Falco with exporters directly, but if you use Falcosidekick, they are included, okay. So it's just a matter of how you want to deploy the tool and what you feel more comfortable using. Falcosidekick offers more possibilities than just a simple exporter. And Jesus, I let you describe the... (Yes.)
B: Well, this is very easy. You just need to use this chart. This is the Helm chart; that is the target in this cluster, so it deploys the Prometheus operator. So if everything is running automatically, you will have the node exporter, KSM, the kube-state-metrics, and also Grafana and all the tools we are going to use. So we created a vanilla Kubernetes cluster and we deployed this chart.

B: So you are going to see exactly what we are describing here. So in this case, the only thing we need to add to the chart is an additional scrape config, so we just need to have a name, the scrape interval, the scrape timeout, the metrics path, and the endpoint: what is the service and the port that Vicente just showed us? (Yes.)

B: So we can take a look now. As I was saying, sorry, that wasn't a spoiler. So now we have Prometheus and we have metrics from Falco, and also, as I was saying, you can see that we have also the kube-state-metrics and the node exporter, etc. So right now we have this and Falcosidekick UI, that gives you a nice overview of the events triggered by Falco, right. If you can take it, do you want to...
C: The thing is, Falcosidekick UI is not only... well, Falcosidekick is not only a forwarder. It also gathers the information for Falcosidekick UI, and here we can filter by the origin of those triggered rules, the priorities, which are the classical severities from a syslog scheme. We have the hostnames, in case they come from a node or from different pods. We have the rules that were triggered, so those rules were little tests that we were doing, and we also have tags.

B: Okay, okay, so let's go forward! So in the first version of this helmfile, we saw that we didn't add any custom rule for Falco, but that will change in a second. So let's see live our rule triggered by Falco. Okay, so we can go to, I don't know, until...

C: Yeah, if you look at the time, you can see it's been triggered a few seconds ago, and the source basically says syscalls. Falco is able to detect not only syscalls but also events from other sources, like audit logs from CloudTrail or from CloudWatch. In this case we are keeping it simple; we are monitoring syscalls only. The hostname is... I can't see the font. Can you just move the mouse on it? It's because of the color, I think the contrast is... yeah.
C: Well, kind of. It says Falco anyway, so that is the container where this happened, and if you look at the output, well, that's basically what we had at the end of the rule. We can use parameters here, we can add text, we can add as much information as we want. In this case it says that the command sh was executed. The container ID is in there, the Kubernetes pod is called nginx-exporter, that's the one Jesus connected to, and it even says the PID on the host, in the system, not the PID in the container.

C: That wouldn't be that useful. Probably we could add that information too if we wanted it. And finally, this is also interesting: the image the container is based on, because then, when we set rules and exceptions, we would say I trust those images, I trust those binaries, I trust those hosts. We can combine them as we want. Okay, so that would be the output of an automatically triggered rule like...
B: So what we are going to do right now is to start a BusyBox pod, and then we are going to access it, but instead of doing just an sh, we're going to do busybox sh. So...

C: Right, the reason is that the shell that we are comparing it to belongs to a list, and it compares shells like ksh, csh, bash, the classical sh, but it doesn't compare with busybox. So what we have done is we have extended the previous helmfile that you saw before and we have added a new rule. That's the only difference. We create a new rule, we trigger a synchronization of the helmfile, and this is how the rule looks. So if we look at the condition, basically it uses a couple of macros.

B: Maybe we should show what we did for creating this rule. This new rule was copying and pasting an existing rule from the Falco GitHub that we showed earlier and then tweaking it, right, to fit our needs. Okay.
C: Yeah, if you want to open the rules repository, you can find the rule very easily. Just look for the word "terminal"; I think that will bring it there in a moment. And in that rule we are comparing with that list of shells. Since we wanted to show this specific case, we have changed that part. So here again it compares that a new process has been started, it happens inside a container, and this is where it changes: we compare that the process name is busybox.

C: One thing to take into account is that it's not going to compare busybox sh; it's going to compare busybox, so every command that comes with BusyBox. And for those that don't know BusyBox yet, BusyBox is actually a Swiss army knife. It contains a lot of commands, and it's like a wrapper: you call busybox sh, busybox ps, busybox ls, and it will execute that section of its code. So it compares that the process name is busybox, compares that we are doing something interactively.

C: This is important, because if the shell is started non-interactively, it will have a different configuration and, well, in this case, a few more parameters. And at the end we have an output that we have customized as well, so "BusyBox instance" was spawned, right. So how do we add this rule? Basically, we have... scroll a little bit up. Yes, this font is huge. Sorry.

B: Yes, "Terminal BusyBox instance", and that happened a few minutes ago, three minutes ago, and this is exactly the new rule that we created.
B: Now, we had this annoying event that we didn't want to appear in the events, but that was something related with Prometheus, so what we did was creating an exception, right. That's the next thing we created, so we can go to step three.

C: Right, so we have another file, yes, another exception, which basically reuses the same rule ID that we had before, "Contact K8S API Server From Container". That rule already existed. What we are going to do is to extend the conditions to trigger the alert, because we don't want it to be triggered when we use a specific image. This is an image we trust, so you can see the exceptions is a list. The name is the ID of that first exception, and we are comparing three fields. One is the namespace where this event happens.

C: The second one is the pod name and the third one is the image we are using. One thing to remember when we write rules is that if we are very generic, we are going to have a lot of noise, so we have to be very specific, and if we are too specific, the rule is not going to be triggered and we might be having false negatives.

B: Use the startswith comparison, right? Exactly.
C: It starts with prometheus-grafana; that would be like a prefix. And the third one, the container image repository, we are using the in operator, which is an operator that looks for instances in a list. This is why we created a list, and inside that list the image we are going to filter is kiwigrid/k8s-sidecar.

C: So the moment this event happens with those specific conditions, it's going to ignore the rule; it's not going to trigger it. So with this relatively small content, we are adding extra functionality to our rule, either exceptions or extending the functionality added to us.

B: Okay, so now let's go to the next part, which is a more or less real use case.

B: So imagine we have this cluster, that we are running things, and we saw that something's happening. If you take a look here, you can see that the CPU utilization has increased dramatically in the last hours.

B: So we don't know what's happening here, so we can do some troubleshooting, and, well, it says that something's happening in the default namespace. So what we can do here, having the traditional approach, that approach would be something like going to the namespace.

B: So we have these five pods and something happening with them. They are requesting some awkward endpoints and calculating stuff, and so we can do this and we troubleshoot this situation with KSM and going through all this information, to end up knowing that this is because of a crypto miner.
B: Okay, we had someone that started five crypto miner pods, so what we could have done instead is using Falco to detect these kinds of threats. How? By creating a new rule that detects crypto miners. So how can we do this? Actually...

C: Yeah, a bit... "Detect outbound connections", that first one, right. So if you look at the enabled field, you are going to see that the rule is disabled. What this rule does is it compares the connections we are doing with a specific list of domains and a set of ports, and basically ignores a set of images, because, well, those images might be requesting something legit from those domains, right. So the only thing we need to do to enable that is to reuse the rule ID and change the enabled field to true.

C: So if we look now at our latest modification of the helmfile, you can see the rule ID and enabled true. That would also be a way of extending the rule functionality, but we don't use append like in the beginning; we use only the enabled field, because we are not adding conditions or exceptions. So those three lines are the ones that are going to start our rules, and because of how the command is working, it's going to start triggering a lot of alerts.
B: Okay, so now, if we go to the Falcosidekick UI, which is here now, we can... okay. So we have like a lot of events.

B: Okay, detecting this crypto miner. So now that we have that alert, how can we see it in Prometheus? So how can we integrate this knowledge, these metrics, this information in our troubleshooting dashboards and flow?

B: So now that we have this over here, the first thing we can do is: okay, let's have a look at the events of our clusters. So we created this dashboard, which is called Falco events, and in this dashboard you can see that something's happening. Okay, so we already know the namespace that is having this CPU utilization increase. So we can filter here and say: okay, this is in the default.

B: So what we see here is that we are triggering 1.5 Falco events per second, and there's only one event, which is this one: "Detect outbound connections to common miner pool ports". So in one simple step we detected it, just by adding Falco metrics into Prometheus and creating this Grafana dashboard, which is very simple, but you can see that these events have increased.

B: If you... you can select all the namespaces and maybe, instead of that five minutes, you can select the last 12 hours.

B: So you can see that the only detection that we have right now, I don't know why, is this rule, but we should have more. I mean, there would be one line per detection, and also we have here this table that shows us a workload overview. So if we go back to the default namespace, we can see right from this dashboard what are the pods related with this.

B: So now, apart from being reactive, we can also be proactive and we can configure some alerts, right. Let's see how we can do it with Falco first and then we can do it with Prometheus.
C: Sorry, Falcosidekick has a very wide set of options or possibilities. Can you open the Falcosidekick repository for a moment?

C: If you scroll down, you are going to see that Falcosidekick supports different chat applications like Slack or Discord, or Telegram, which is supported only on the code branch, but it's going to come out in a few days. It also supports Prometheus, that's one thing that we are using at the moment; it also supports Alertmanager, PagerDuty, or you could send it to different log aggregators like Elastic, Splunk, and so on and so forth. So to configure either of those, you would basically give some parameters.

C: So if you keep scrolling, you are going to see a set... a bit lower, more and more, yeah, a bit more. So in the Falco configuration, this would be the Falco YAML configuration file, so how to tell Falco that we are sending those events to Falcosidekick. This is the information I was showing before, and if you keep scrolling down, I just want to go to the environment variables that we use. Keep going. Oh, this is the general file, what we would pass to the Helm chart.

C: We have environment variables like this: SLACK_WEBHOOKURL. This URL basically is a webhook configured for Slack, and every time there's a new alert that has a severity higher than the one we defined, it's going to send a message to this Slack channel. So if we go now to the deployment, you will see that the configuration for that is actually very, very simple. We set here the environment variable SLACK_WEBHOOKURL, and then the webhook is based on a Slack workspace that is created anonymously, and this SLACK_MINIMUMPRIORITY.
B: In case you already use Alertmanager, Grafana and Prometheus, you can also use Alertmanager to do this. You can see it in the repo, but... okay, we can do... We have an Alertmanager config here, so you can deploy the Alertmanager channel with this configuration.

B: Basically, you just need to make the group by and then configure the receiver; this is this possible email that we create here. And the alert itself... I'm sorry, alert. And this is the alert that we want to use. So we are going to use this metric, falco_events, and I want to have all the events that have the label priority set to critical, and then I want to have this information for each one of the events.

B: So if, for one minute, I keep getting these events in Falco, then I will be notified in Alertmanager, and this summary is that this critical rule triggered, and we can use the labels as variables for the message. So if everything is okay now, okay, we can go here. Oh, okay, I just deleted it.

B: Now I can go to alerts and then go to firing, and then I can see that there is "critical rule triggered", and if we configure our alert group to send to Slack, Telegram, email, wherever, you'll see that this is what was sent to the group, and the value, the same value we saw in Grafana: one event and a half per second was being triggered for the critical priority.

B: So this was everything we wanted to show you guys. This was how we integrated the Falco metrics inside Prometheus and how we used it in a pretty common use case.
A: Perfect, so I guess now it's starting to be time for Q&A. Good.

C: Right, so I saw a question: where Falco has a rule engine, how do the rules work? Well, basically, what Falco does is it captures the information from either source, from the syscalls, from the audit logs, from whatever, and it creates a structure, right. That structure is something we can parse, something we can use to filter, and those rules are basically indicating which fields we want to filter. So, in the case of a syscall, we could say a file has been opened.

C: The name of the file was la-la, the process that opened the file was li-li, and the moment all that matches, then we have a trigger, right. And we have to be careful how we write the rules, because the moment our rule is triggered, then it's not going to continue looking; otherwise we could have like 20 rules triggered by the same event. Basically it goes from more specific to more generic, and that applies to anything we want.
C: I think the same person has a second question, a bit more interesting: how do we address the never-ending process of writing the rules? Yeah, that's a difficult question, because we have an endless set of sources, applications that we could be filtering, and of course the kernel has more syscalls, the Kubernetes audit logs add more information. So that's something that is not going to end. We have to be watching our rules, we have to remove false positives.

C: We have to be careful with false negatives, and the latest release of Falco has added a new functionality, which is a way of distributing the rules as an OCI artifact. What's that? Well, an OCI artifact could be a container image; we use the same technology. We put the rules files inside something that looks like a container image and we store them in a container registry.

C: falcoctl is a binary that comes with Falco and is able to observe when there is a new version of the set of rules and downloads the rules automatically. Falco is going to realize that, and it's going to reload those rules. We expect that more people are going to start distributing rules from now on, and we hope that helps to have a more varied set of rules. We don't have a specific case at the moment, but that's going to open a whole new world of possibilities.
B: No, I don't know about that. I guess you are referring to having multiple different troubleshooting views in a dashboard. I think Grafana doesn't allow that, as far as I know. What you can do instead is creating link panels to go from one panel to another. The other thing we did here is, as you usually are going to need some overview of the workloads, I created this panel over here, which we can... all of this dashboard is in the GitHub repo.

B: Just for your information, here you have the definition that you can import into your Grafana installation. So, as I said, I wrote this query to have all the information I needed, the pods and the workloads and the namespaces, and it's with this variable over here. So with just one click I can change the scope of the dashboard, but as far as I know, you can't have multiple dashboards in one view.
A: Yeah, and then Ricardo asks: is there a base set of rules out of the box to use to determine the security posture of a Kubernetes cluster? Very, very interesting question.

C: So yeah, there's a set of default rules, but we have to take into account that Falco does runtime detection. So it's not going to give you the posture, the security posture of your cluster. Okay, that's not something that you find out when you execute your workloads. So what Falco does is it goes one step later, after you have already scanned your images and hardened your system. Everything is running, but something could happen: your workloads could be attacked, your image could have been compromised and you didn't realize. So in runtime security,

C: what we do is we monitor what happens during the execution. This is why we wouldn't use Falco for security posturing. Okay, the set of default rules, as Boniface said, yeah... sorry, internet guidance... it's there, and we receive a lot of new rules every year. The community is contributing; it takes time to vet them. So if you want to contribute as well, feel free to join, to review the rules with us; we are really, really welcoming people to do that.
A
Great
from
Boniface
who
asked
what
is
the
advantage
of
using
files
so
Falco
instead
of
elasticsearch
all.
C
C
The
problem
that
it
has
according
to
to
Fargo
technology
is
that
you
have
to
gather
the
data
first
and
then
you
can
start
looking
for
patterns
right
and
it's
very
good
to
keep
track
and
look
for
what
happened
after
it
happened.
However,
Falco,
as
I
said,
it's
random
security,
it
detects
the
action
when
it
happens.
C
If
you
want
to
keep
that
information,
you
want
to
send
it
elastic
perfect,
that's
a
great
idea,
but
what
we
do
is
we
detect
as
soon
as
it
happens,
and
we
call
that
stream
detection
so
the
moment
it
happens,
you
get
an
alert.
Maybe
you
want
to
trigger
a
remediation
action
like
you
want
to
kill
the
Pod.
This
is
something
you
wouldn't
be
able
to
to
do
with
elastic
in
elastic.
You
have
a
record
of
the
events
of
the
locks,
but
with
Falcon
you
have
instant
action.
A
Great
questions
other
ones
than
these
so
far,
and
we
have
few
minutes
left.
So
if
anyone
is
typing
away
and
trying
to
get
a
question
in
do
so
fast,
so
this
is
I.
Think
kind
of
the
last
call
for
questions.
While
we
see
if
anyone's
typing
away
their
Center
has
to
do
have
any
kind
of
final
words,
anything
that
you
want
to
add
stuff.
C
I
think
I
already
said
that
we
are
a
cncf
project
and
as
most
of
the
CNC
projects,
we
are
constantly
looking
for
contributors.
It's
it's
a
break
for
everyone,
I
think
everyone
can
can
use
it
in
a
very,
very
useful
way.
So
if
you
guys
like
this
technology-
or
you
find
it
useful,
just
come
to
the
slack
Channel
or
attend
a
community
call
or
Pingas
and
any
any
mean
just
go
to
falco.org
community,
and
you
can
find
a
lot
of
means
to
to
connect
to
us.
C
A
Perfect
I
think
those
were
really
really
important
call
to
action
there.
Everyone
should
go
ahead
and
join
in
and
while
that
important
reminder
was
happening,
internet
guidance
asked
I
think
pretty
much
the
final
question
of
this.
At
this
time
they
asked.
Does
it
work
with
ebpf.
C
Very
good
question:
we
haven't
mentioned
anything
about
the
the
driver
technology,
so
I
said
we
kept
your
system
calls.
Originally
we
were
using
a
kernel
module,
but
we
also
supported
Epps.
The
problem
with
those
two
technologies
is
that
you
have
to
compile
them
for
each
for
each
kernel
version
so
yeah.
First
of
all,
we
support
tvpf
and
second,
with
the
newest
Falco
release
we
are
going
to.
We
are
going
to
release
something.
We
call
a
modern
ebpf
driver,
which
is
basically
a
curry.
A
Perfect
great
note
to
end
today's
stream
ad.
So
oh
final
question:
it
always
Pops
in
at
the
last
minute.
We
have
time
yeah,
we
have
time
for
it.
So
Taco
works
on
Windows
kernel.
Also
ask
Krishna
no.
C
Not
at
the
moment,
what
we
could
eventually
see
is
a
plugin
to
translate
Falco
SRE
Windows
events
into
Falco
events.
So,
as
I
said,
we
have
those
Funko
plugins
that
could
be
used
for
that,
but
I
don't
know
of
any
Windows
Falco
plugin
at
the
moment.
A
Yeah
and
great
no
worries
question.
You
said
sorry
in
the
chat.
This
is
exactly
why
we're
here
to
answer
questions
so
perfect
for
asking
one,
but
that's
starting
to
be
it
for
today.
Thank
you,
everyone
for
joining
the
latest
episode
of
cloud
native
live.
It
was
great
to
have
a
session
about
Prometheus
plus
Falco,
the
Swiss
army
knife
for
a
series,
and
we
also
really
love
the
audience.
Interaction
and
questions
always
happy
to
see
those
and
we
bring
you
the
latest
Cloud
native
code,
every
Wednesday.