From YouTube: Defend: Active Response with Falco PoC Demo
Description
Demo prepared as a part of the proposed solution for https://gitlab.com/gitlab-org/gitlab/-/issues/216983.
In this video we present how to build an Active Response engine with a simple Go application and Falco, one that can run scripts using e.g. kubectl, curl, or any other bash commands.
Hello everyone, my name is Alan, and I'm a backend engineer at the Defend stage at GitLab. Today I would like to talk briefly about our PoC that covers building a Falco active response engine. Falco is a well-known cloud native runtime security tool that we would like to utilize, but the one problem with it is that it can only detect things, and we would also like to be able to build, on top of Falco, something that will allow us to prevent and block, and actually build an active response system based on Falco.

There are plenty of tutorials available over the internet showing that you can build it using Falco, NATS and Kubeless, which is great, and you can achieve lots of great things with that, but that's a lot of additional tools that you'll need to maintain. So we would like to think about something much simpler than that. That's why we are utilizing one of the Falco capabilities: being able to output the events to an external program or to an external network channel. So, for example, here you can just do that:

netcat with a given host and port number, and then it will automatically send all events that are happening to the external application. So we actually built something like that. We built a simple application in Go that is basically like a server that accepts the connection from that netcat and, whenever there is some new event, it can react based on that. So we tried to build it like this. This is just a PoC; it's a very simple application, just meant to be simple and easy to use. So you have to specify your alerts and the scripts you'd like to use.

Let me show you what those alerts could look like. So whenever there is a rule (and that's the name of the rule in Falco) that a terminal shell in a container is being executed, then this script should be run. So we have demo.sh, and here for this demo I have prepared, in the scripts config map, the script. It is actually saying to the console that something is happening.

It is taking the pod name from the event, so our events are being sent as JSON, like this, so we're using jq to be able to get the pod name out of it. So we have the pod name. We're going to echo the pod, so we know on which pod that malicious behavior is happening. Then we're going to show and describe what's going on in the pod, and we're going to delete it. I'll show you that in an example; I just want to go quickly through what we have here.

So okay, we have the main Go application. This is just a simple server that accepts the connection and gets the events, and based on the alerts you have configured it can react just by running those scripts. It's very simple. And then we have the DaemonSet that will run it on every single node. So you're going to have that application installed in your cluster, and every single Falco active response app will be installed on each node. So the only thing we need:

We need to provide the volumes with configs, and that's all we need. Then we have a service. Since it's working on the node, and we would like to execute this application from Falco, we decided to choose NodePort; whenever there's something happening, the network channel will be opened and it will be sent immediately to the node, to this application running on this port. And then we have an account. This is just a service account that will allow us to manipulate Kubernetes.

So we know you can only get pods and you can delete those pods. That's all you need to do, and we're going to use that service account in our deployment, in our DaemonSet. Okay, so that's what we have here. Let me go here. Let me start by getting the pods that are already running. I already started the active response DaemonSet, and I already started Falco and some other application. Now I can get the logs from Falco that something is happening.

So, let's see the logs. Okay, so here we have the logs. I already started the application; actually I can just do the same, so I'm getting the logs from the DaemonSet that's running here. As you can see, I've already started it, so when it was started it said that the alert was loaded. So whenever this rule is executed, we're going to run this script. That we're already running, and that's something that happened in the past; I had to test it before this demo.

So what you see here is actually that the event was triggered, so the shell was spawned, and that event was then sent to our Falco active response application, and then it immediately started: the alert was triggered. It said: okay, I'm reacting, there's something wrong happening. We're showing what the pod is about, and then we were saying: oh, this pod is going to be deleted, right.

So, as you can see immediately here, the pod was deleted, terminated and then deleted, and I was revoked access to the bash shell. So that would be it about active response. This is just the PoC. We were trying to find the best solution to serve the customers, but this is the simplest solution you can get here. Thank you. Bye bye.
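A minimal version of the Go server the demo describes, written here as an added example (it is not the PoC's own code): it listens on the port that Falco's program output pipes to via netcat, parses each JSON event line, looks up the Falco rule name in an alert-to-script map, and runs the configured script with the raw event JSON on stdin so a script like demo.sh can pull the pod name out with jq. The port 5000, the shape of the alert config and the /scripts/demo.sh path are assumptions.

```go
package main
import (
	"bufio"
	"bytes"
	"encoding/json"
	"log"
	"net"
	"os/exec"
)

type falcoEvent struct {
	Rule         string                 `json:"rule"`
	OutputFields map[string]interface{} `json:"output_fields"` // e.g. k8s.pod.name
}

type alerts map[string]string // Falco rule name -> script to run (assumed config shape)

// scriptFor parses one JSON event line; "" means no alert is configured for its rule.
func scriptFor(line []byte, cfg alerts) (string, falcoEvent, error) {
	var ev falcoEvent
	if err := json.Unmarshal(line, &ev); err != nil {
		return "", ev, err
	}
	return cfg[ev.Rule], ev, nil
}

// handleConn reads newline-delimited events from one netcat connection and runs the matching script.
func handleConn(c net.Conn, cfg alerts) {
	defer c.Close()
	for sc := bufio.NewScanner(c); sc.Scan(); {
		script, ev, err := scriptFor(sc.Bytes(), cfg)
		if err != nil || script == "" {
			continue // not JSON, or no alert configured for this rule
		}
		cmd := exec.Command(script)
		cmd.Stdin = bytes.NewReader(sc.Bytes()) // Run is synchronous, so the scanner buffer is safe
		out, err := cmd.CombinedOutput()
		log.Printf("rule %q on pod %v: ran %s (err=%v)\n%s", ev.Rule, ev.OutputFields["k8s.pod.name"], script, err, out)
	}
}

func main() {
	ln, err := net.Listen("tcp", ":5000") // where Falco's program_output "nc <host> 5000" connects
	if err != nil {
		log.Fatal(err)
	}
	for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
		go handleConn(c, alerts{"Terminal shell in container": "/scripts/demo.sh"}) // assumed path
	}
}
```

The script receives the full event on stdin, so demo.sh can read the pod name with `jq -r '.output_fields["k8s.pod.name"]'` before calling kubectl.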