YoVDO

Threat Hunting at Scale - Auditing Thousands of Clusters With Falco and Fluent

Offered By: CNCF [Cloud Native Computing Foundation] via YouTube

Tags

Falco Courses, Cybersecurity Courses, Kubernetes Courses, Threat Hunting Courses, Container Security Courses, Loki Courses, Fluent Bit Courses

Course Description

Overview

This talk presents a threat hunting strategy for auditing thousands of production-grade Kubernetes clusters with Falco and Fluent Bit, using Trendyol's infrastructure as the case study. It covers how Trendyol keeps track of components, resources, users and teams across that many clusters; how Kubernetes audit logs record changes to cluster state; how Falco consumes kernel events (system calls) and enriches them with Kubernetes metadata such as namespace and pod; how Fluent Bit collects logs from containers and from Falco itself, extends them with filters, and fans them out to multiple destinations; how a highly available Loki deployment aggregates those logs; and how alerting rules over the log data are created and managed. The speakers combine these pieces into an Audit Monitoring System, walk through a demo, and discuss the challenges of threat hunting at this scale.
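To make the pipeline in the overview concrete, here is an added toy model of it in Python. It is not code from the talk or from Trendyol: it feeds constructed Falco-style JSON lines through a Fluent Bit-style filter stage (enrich with cluster and owning team, drop low-priority noise), groups the survivors into Loki-style label streams with a deliberately small label set, and evaluates a ruler-style threshold alert over them. The cluster name, the namespace-to-team map, the sample events and the "Custom probe heartbeat" rule are assumptions made for the example; the field names (`priority`, `rule`, `output`, `output_fields`, `k8s.ns.name`, `k8s.pod.name`) follow Falco's JSON output.

```python
"""Toy model of Falco JSON -> Fluent Bit-style filter -> Loki-style streams -> alert rule.
Added example, not the talk's code. Sample data and the ownership map are constructed."""
import json
import re
from collections import defaultdict
from datetime import datetime


def _event(t, rule, priority, ns, pod, cmd):
    """Build one line shaped like Falco's json_output (time_format_iso_8601 enabled)."""
    return json.dumps({
        "hostname": "node-a", "source": "syscall", "rule": rule, "priority": priority,
        "time": t, "output": f"{t}: {priority} {rule} (command={cmd} pod={pod} ns={ns})",
        "output_fields": {"k8s.ns.name": ns, "k8s.pod.name": pod,
                          "proc.cmdline": cmd, "user.name": "root"},
    })


# Constructed sample input: three shell spawns in one namespace within a few minutes,
# one write below a binary dir elsewhere, and one hypothetical Debug-level rule.
SAMPLE_LINES = [
    _event("2024-01-15T10:00:05.120000000+0000", "Terminal shell in container", "Notice",
           "payments", "api-7d9f", "bash -i"),
    _event("2024-01-15T10:01:10.000000000+0000", "Terminal shell in container", "Notice",
           "payments", "api-7d9f", "sh"),
    _event("2024-01-15T10:02:00.500000000+0000", "Write below binary dir", "Error",
           "checkout", "web-3c1a", "cp /tmp/x /usr/bin/x"),
    _event("2024-01-15T10:02:30.000000000+0000", "Custom probe heartbeat", "Debug",
           "payments", "cron-1", "curl localhost:8080/healthz"),  # hypothetical rule, dropped
    _event("2024-01-15T10:03:30.000000000+0000", "Terminal shell in container", "Notice",
           "payments", "api-7d9f", "bash"),
]

# Falco priorities, most severe first (index order is used for comparison).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
              "Informational", "Debug"]
# Assumption for the example: which team owns which namespace.
NAMESPACE_OWNERS = {"payments": "team-payments", "checkout": "team-checkout"}
_TIME_RE = re.compile(r"^(.*)\.(\d+)([+-]\d{4})$")


def parse_falco_time(s):
    """Falco prints nanoseconds; strptime only takes microseconds, so truncate the fraction."""
    base, frac, tz = _TIME_RE.match(s).groups()
    return datetime.strptime(f"{base}.{frac[:6].ljust(6, '0')}{tz}",
                             "%Y-%m-%dT%H:%M:%S.%f%z")


def enrich(record, cluster):
    """Stand-in for a Fluent Bit modify/lua filter: attach cluster, namespace, pod, team."""
    f = record.get("output_fields", {})
    ns = f.get("k8s.ns.name", "unknown")
    return {**record, "cluster": cluster, "namespace": ns,
            "pod": f.get("k8s.pod.name", "unknown"),
            "team": NAMESPACE_OWNERS.get(ns, "unowned")}


def keep(record, min_priority="Notice"):
    """Keep events at least as severe as min_priority (lower index = more severe)."""
    return PRIORITIES.index(record["priority"]) <= PRIORITIES.index(min_priority)


def to_loki_streams(lines, cluster, min_priority="Notice"):
    """Group kept events into streams keyed by a bounded label set.
    Pod name and command stay in the log line, not in labels, to keep cardinality low."""
    streams = defaultdict(list)
    for line in lines:
        rec = enrich(json.loads(line), cluster)
        if not keep(rec, min_priority):
            continue
        labels = (("job", "falco"), ("cluster", rec["cluster"]),
                  ("namespace", rec["namespace"]), ("team", rec["team"]),
                  ("rule", rec["rule"]), ("priority", rec["priority"]))
        streams[labels].append((parse_falco_time(rec["time"]), rec["output"]))
    return streams


def evaluate_alert(streams, rule, min_count, window_seconds):
    """Ruler-style check, roughly count_over_time({job="falco",rule=...}[window]) >= min_count
    evaluated per (cluster, namespace, team). Returns the label triples that fire."""
    fired = set()
    for labels, entries in streams.items():
        lab = dict(labels)
        if lab["rule"] != rule:
            continue
        ts = sorted(t for t, _ in entries)
        start = 0
        for end in range(len(ts)):  # sliding window over sorted timestamps
            while (ts[end] - ts[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= min_count:
                fired.add((lab["cluster"], lab["namespace"], lab["team"]))
                break
    return sorted(fired)


if __name__ == "__main__":
    streams = to_loki_streams(SAMPLE_LINES, "prod-eu-1")
    for labels, entries in streams.items():
        print(dict(labels), len(entries), "lines")
    print(evaluate_alert(streams, "Terminal shell in container", 3, 300))
```

The filter keeps pod names and command lines in the log body rather than in Loki labels; with thousands of clusters, putting per-pod values in labels would create one stream per pod and is the usual way a Loki deployment of this size falls over. The alert only fires for the `payments` namespace with a five-minute window and stays quiet with a two-minute one, which is the kind of threshold tuning the alerting-rules part of the talk is about.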

Syllabus

Introduction
Presentation Overview
Falco Overview
Falco Data Pipeline
Why Falco with Log Processor
Monitoring
Log Query
Log Organization
Metric Queries
Challenges
Specs
Dashboards
Demo
Bonus


Taught by

CNCF [Cloud Native Computing Foundation]

Related Courses

TOTAL: CompTIA CySA+ Cybersecurity Analyst (CS0-003)
Udemy
Operationalizing Cyber Threat Intel: Pivoting & Hunting
Pluralsight
Threat Hunting with Yara
Pluralsight
Enterprise Security: Policies, Practices, and Procedures
Pluralsight
Managing and Responding to Security Events Using Azure Sentinel
Pluralsight