Falco is the CNCF runtime security project that detects threats in real time — container escapes, shell spawns, sensitive file access, and suspicious network activity. It has a free gRPC and REST API for querying alerts and managing rules.
Open source, no license needed. Used by companies like Shopify, GitLab, and Booz Allen.
## Why Use the Falco API?
- Real-time threat detection — get alerts the moment a container spawns a shell or reads /etc/shadow
- Kubernetes-native — auto-enriches alerts with pod, namespace, and deployment context
- Custom rules — write YAML rules for your specific security policies
- Stream alerts — consume events via gRPC for SIEM integration
## Quick Setup

### 1. Install Falco

```bash
# Helm install on Kubernetes
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true

# Or on Linux
curl -fsSL https://falco.org/script/install | sudo bash
sudo systemctl start falco
```
### 2. Query Alerts via REST (Falcosidekick UI)

```bash
# Falcosidekick exposes alerts on port 2801
curl -s http://localhost:2801/api/v1/events \
  | jq '.[] | {rule: .rule, priority: .priority, output: .output, time: .time}' \
  | head -20
```
### 3. Stream Alerts via gRPC

Enable the gRPC server in `falco.yaml`:

```yaml
grpc:
  enabled: true
  bind_address: "0.0.0.0:5060"
```

Then subscribe with grpcurl (or falcoctl):

```bash
# Falco's TCP gRPC listener is configured for mutual TLS by default (see the
# private_key/cert_chain/root_certs paths under grpc: in falco.yaml), so
# -plaintext only works against an unauthenticated unix socket bind_address;
# for TCP pass grpcurl's -cert/-key/-cacert flags instead.
grpcurl -plaintext localhost:5060 falco.outputs.service/get
```
### 4. List Loaded Rules

```bash
# Via Falco's built-in webserver (webserver: enabled: true in falco.yaml, default port 8765)
curl -s http://localhost:8765/healthz
# Returns Falco health status
```
## Python Example

```python
import requests

FALCO_SIDEKICK = "http://localhost:2801"

# Get recent events (fail loudly on connection errors or non-2xx responses)
resp = requests.get(f"{FALCO_SIDEKICK}/api/v1/events", timeout=10)
resp.raise_for_status()
events = resp.json()

for e in events[:10]:
    print(f"[{e['priority']}] {e['rule']}")
    print(f"  Output: {e['output']}")
    print(f"  Time: {e['time']}")
    if 'output_fields' in e:
        container = e['output_fields'].get('container.name', 'N/A')
        print(f"  Container: {container}")
    print()
```
## Key Endpoints
| Use Case | Endpoint | Method |
|---|---|---|
| Health check | /healthz | GET |
| Get events | /api/v1/events (sidekick) | GET |
| Stream alerts | gRPC :5060 | Stream |
| Get version | /version | GET |
| Webhook output | /api/v1/webhook | POST |
## Example Rules

```yaml
- rule: Terminal shell in container
  desc: Detect shell spawned in a container
  condition: spawned_process and container and proc.name in (bash, sh, zsh)
  output: "Shell spawned in container (user=%user.name container=%container.name shell=%proc.name)"
  priority: WARNING

- rule: Read sensitive file
  desc: Detect read of sensitive files like /etc/shadow
  condition: open_read and fd.name in (/etc/shadow, /etc/passwd) and container
  output: "Sensitive file read (file=%fd.name container=%container.name)"
  priority: CRITICAL
```
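Once the two rules above are loaded, Falco emits one JSON object per alert (with `json_output: true`), using the same `rule`, `priority` and `output_fields` keys the Python example reads. The following is an added example, not code from the Falco project or this post: it parses a constructed batch of such alerts and flags any container in which both rules fired, a simple correlation that turns two medium-signal alerts into one worth escalating.

```python
import json
from collections import defaultdict

# Constructed sample of Falco JSON alerts (one object per line), shaped like
# the output of the two example rules above. Not captured from a real host.
SAMPLE_ALERTS = """\
{"output":"Shell spawned in container (user=root container=web-1 shell=bash)","priority":"Warning","rule":"Terminal shell in container","time":"2024-01-01T10:00:00.000000000Z","output_fields":{"container.name":"web-1","proc.name":"bash","user.name":"root"}}
{"output":"Sensitive file read (file=/etc/shadow container=web-1)","priority":"Critical","rule":"Read sensitive file","time":"2024-01-01T10:00:05.000000000Z","output_fields":{"container.name":"web-1","fd.name":"/etc/shadow"}}
{"output":"Shell spawned in container (user=app container=api-2 shell=sh)","priority":"Warning","rule":"Terminal shell in container","time":"2024-01-01T10:01:00.000000000Z","output_fields":{"container.name":"api-2","proc.name":"sh","user.name":"app"}}
{"output":"Sensitive file read (file=/etc/passwd container=db-3)","priority":"Critical","rule":"Read sensitive file","time":"2024-01-01T10:02:00.000000000Z","output_fields":{"container.name":"db-3","fd.name":"/etc/passwd"}}
"""


def parse_alerts(text):
    """Parse newline-delimited Falco JSON alerts, skipping blank or malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial write or a non-JSON log line: skip, don't crash
    return alerts


def rules_per_container(alerts):
    """Map container name -> set of rule names that fired for it ("host" if none)."""
    seen = defaultdict(set)
    for a in alerts:
        container = a.get("output_fields", {}).get("container.name", "host")
        seen[container].add(a.get("rule", ""))
    return seen


def correlate(alerts, required=("Terminal shell in container", "Read sensitive file")):
    """Return containers in which every rule in `required` fired, sorted by name."""
    seen = rules_per_container(alerts)
    return sorted(c for c, rules in seen.items() if set(required) <= rules)


if __name__ == "__main__":
    for c in correlate(parse_alerts(SAMPLE_ALERTS)):
        print(f"escalate: container {c} had a shell spawn and a sensitive file read")
```

To run it against a live host, feed it the lines Falco writes to its JSON file output instead of `SAMPLE_ALERTS`.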