performing-cloud-native-forensics-with-falco

Solid

Uses Falco YAML rules for runtime threat detection in containers and Kubernetes, monitoring syscalls for shell spawns, file tampering, network anomalies, and privilege escalation. Manages Falco rules via the Falco gRPC API and parses Falco alert output. Use when building container runtime security or investigating k8s cluster compromises.

DevOps & Infrastructure 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 97/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
89
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Performing Cloud Native Forensics with Falco ## When to Use - When conducting security assessments that involve performing cloud native forensics with falco - When following incident response procedures for related security events - When performing scheduled security testing or auditing activities - When validating security controls through hands-on testing ## Prerequisites - Familiarity with cloud security concepts and tools - Access to a test or lab environment for safe execution - Python 3.8+ with required dependencies installed - Appropriate authorization for any testing activities ## Instructions Deploy and manage Falco rules for runtime security detection in containerized environments. Parse Falco alerts for incident response. ```yaml # Custom Falco rule for detecting shell in container - rule: Shell Spawned in Container desc: Detect shell process started in a container condition: > spawned_process and container and proc.name in (bash, sh, zsh, dash, csh) and not proc.pname in (docker-entrypo, supervisord) output: > Shell spawned in container (user=%user.name command=%proc.cmdline container=%container.name image=%container.image.repository) priority: WARNING tags: [container, shell, mitre_execution] ``` Key detection rules: 1. Shell spawn in non-interactive containers 2. Sensitive file access (/etc/shadow, /etc/passwd) 3. Outbound connections from unexpected containers 4. Privilege escalation via setuid/setgid 5. Container e...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Integrates with

Docker · Infrastructure Kubernetes · Infrastructure gRPC · API

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

detecting-container-escape-with-falco-rules

Detect container escape attempts in real-time using Falco runtime security rules that monitor syscalls, file access, and privilege escalation.

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

detecting-privilege-escalation-in-kubernetes-pods

Detect and prevent privilege escalation in Kubernetes pods by monitoring security contexts, capabilities, and syscall patterns with Falco and OPA policies.

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

analyzing-docker-container-forensics

Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to identify malicious activity and evidence.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-container-drift-at-runtime

Detect unauthorized modifications to running containers by monitoring for binary execution drift, file system changes, and configuration deviations from the original container image.

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

performing-cloud-forensics-investigation

Conduct forensic investigations in cloud environments by collecting and analyzing logs, snapshots, and metadata from AWS, Azure, and GCP services.

12,642 Updated today
mukul975