Extend Falco with Plugins - Trigger Alerts with Any Stream of Events
Offered By: CNCF [Cloud Native Computing Foundation] via YouTube
Course Description
Overview
Explore the evolution and extended capabilities of Falco, a cloud-native runtime security project, in this 42-minute CNCF conference talk. Dive into Falco's architecture, including the libscap (system capture) and libsinsp (system inspection) libraries, and learn about the new plugin system that lets Falco consume any stream of events, not only kernel syscalls, and trigger alerts on it. Discover the technical details of the two plugin flavors, source plugins (which produce an event stream) and extractor plugins (which expose fields over existing events), their implementation, and their settings. Gain insights into the Plugin SDK Go, its benefits, and how to get started. Examine real-world applications, such as the AWS Cloudtrail and JSON plugins, through a live demonstration. Understand ongoing developments like shared libraries for plugins, and see how Falco can be applied to pet surveillance. Conclude with useful links and information on how to contribute to the Falco project.
Syllabus
Intro
What is Falco: Reminder
What is Falco: Now
Falco Architecture
libscap aka library for System Capture
libsinsp aka library for System INSPection
Falco: the Evolution
Plugins: Technical Details
Plugins: 2 Flavors
Source plugins: Sequence Diagram
Extractor plugins: Sequence Diagram
Plugins: Settings
Plugins: Technical Caveats
Plugin SDK Go: Why
Plugin SDK Go: Getting started
Plugins: The Registry
AWS Cloudtrail Plugin
JSON Plugin
Demo Time
WIP: Shared libs/modules for plugins
Falco with Real World: Pet Surveillance
Useful links
Contribute to Falco
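As an added example (not taken from the talk or from the Falco project's own files), here is what the "Plugins: Settings" and "AWS Cloudtrail Plugin / JSON Plugin" sections come down to in practice: a falco.yaml fragment that loads the cloudtrail source plugin and the json extractor plugin, and one rules file that alerts on CloudTrail events using fields from both. The library paths, the local log directory in open_params, the plugin version numbers and the rule name are assumptions you must match to your own install; the ct.* and json.value[...] field names and the source: aws_cloudtrail binding are the real ones the two plugins expose.

```yaml
# falco.yaml (fragment) - plugin settings.
# Assumption: the plugin .so files were installed into Falco's default plugin directory.
plugins:
  - name: cloudtrail              # source plugin: produces the aws_cloudtrail event stream and ct.* fields
    library_path: libcloudtrail.so
    init_config: ""
    # Assumption: a local directory of downloaded CloudTrail log files (s3:// and sqs:// are the usual production choices).
    open_params: "/var/log/cloudtrail/"
  - name: json                    # extractor plugin: adds json.value[...] over any plugin event payload
    library_path: libjson.so
    init_config: ""

# Only plugins listed here are actually loaded; a source plugin that is configured but not loaded produces nothing.
load_plugins: [cloudtrail, json]

---
# cloudtrail_rules.yaml - rules that fire on the plugin event stream instead of on syscalls.
# Assumption: version numbers below are placeholders; Falco refuses to load the file if the loaded
# plugins do not satisfy them, so a mismatch surfaces at startup rather than as silently missing alerts.
- required_plugin_versions:
    - name: cloudtrail
      version: 0.2.3
    - name: json
      version: 0.2.2

# Hypothetical rule name. ct.* fields come from the cloudtrail source plugin; json.value[/pointer]
# comes from the json extractor plugin, which reads the same raw CloudTrail record via a JSON pointer.
- rule: Console Login Without MFA
  desc: AWS console login that succeeded without a multi-factor device, excluding assumed-role sessions.
  condition: >
    ct.name="ConsoleLogin" and not ct.error exists
    and json.value[/additionalEventData/MFAUsed]="No"
    and not json.value[/userIdentity/type]="AssumedRole"
  output: >
    Console login without MFA
    (user=%ct.user srcip=%ct.srcip region=%ct.region)
  priority: CRITICAL
  source: aws_cloudtrail
  tags: [cloud, aws]

# Second rule using source-plugin fields only: deleting the trail blinds this very detection.
- rule: CloudTrail Trail Deleted
  desc: Someone deleted a CloudTrail trail (successful API call).
  condition: ct.name="DeleteTrail" and not ct.error exists
  output: CloudTrail trail deleted (user=%ct.user srcip=%ct.srcip region=%ct.region)
  priority: WARNING
  source: aws_cloudtrail
  tags: [cloud, aws]
```

The point to notice is the division of labour the talk describes: the source plugin owns the event stream and a small set of typed fields, while the extractor plugin generalises field access over the raw record, so a rule can mix ct.* and json.value[...] in one condition. The source: aws_cloudtrail line is what keeps these rules off the syscall event source; a rule without it is evaluated against syscall events and would never match a ct.* field.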
Taught by
CNCF [Cloud Native Computing Foundation]
Related Courses
Bypassing Falco - Cluster Compromise Without Tripping the SOC (secwestnet via YouTube)
Introduction to Falco - Cloud-Native Runtime Security (Rawkode Academy via YouTube)
Overcoming CVE Shock - Adding Perspective in Vulnerability Scanning (Devoxx via YouTube)
How to Secure a Kubernetes Cluster from Scratch (Devoxx via YouTube)
Tools to Help You Secure Your Kubernetes Cluster (Devoxx via YouTube)