Falco alerts are a powerful tool for detecting suspicious activity on your systems, but their real value is unlocked when you integrate them into your Security Operations Center (SOC) and Security Information and Event Management (SIEM) systems. This isn’t just about getting more logs; it’s about transforming raw security events into actionable intelligence that your SOC team can use to respond effectively.
Let’s see how this looks in practice. Imagine Falco detects a suspicious process execution.
```json
{
  "output": "07:53:07.016348677: Notice A process with an unusual file system write was detected. It was run by the root user. File: /var/lib/docker/overlay2/abcdef1234567890/merged/usr/bin/sshd, User: root, User ID: 0, CMDLINE: /usr/sbin/sshd -D -f /etc/ssh/sshd_config",
  "priority": "Notice",
  "rule": "An unusual file system write by a privileged user",
  "time": 1678886047016348677,
  "tags": [
    "filesystem",
    "write",
    "privileged"
  ],
  "source": "syscall",
  "fd.name": "/var/lib/docker/overlay2/abcdef1234567890/merged/usr/bin/sshd",
  "user.name": "root",
  "user.uid": 0,
  "proc.cmdline": "/usr/sbin/sshd -D -f /etc/ssh/sshd_config"
}
```
This JSON output is the raw material. To make it useful for your SOC, you need to send it to a central logging system (like a SIEM) that can aggregate, enrich, and alert on it.
The primary mechanism for integrating Falco alerts is through its output plugins. Falco supports several output destinations, including Syslog, Elasticsearch, Kafka, and gRPC. For most SOC/SIEM integrations, Syslog, Elasticsearch, or Kafka are the most common choices.
Syslog: If your SIEM ingests logs via Syslog, you can configure Falco to send its alerts to a local or remote Syslog server. This is often the simplest method for existing log pipelines.
- Configuration: In your `falco.yaml` file, you'd set an output plugin for Syslog:

```yaml
outputs:
  - output: syslog
    format: "json"      # Sending JSON to Syslog is generally preferred for easier parsing
    priority: "notice"
    # Specify the syslog server, e.g., localhost:514 for a local rsyslog
    # or a remote IP:port
    syslog_output: "127.0.0.1:514"
```

- Why it works: The Syslog plugin formats the Falco alert as a Syslog message and sends it over UDP or TCP to the configured destination. Your SIEM then picks up these Syslog messages.
Elasticsearch: For many modern SIEMs, particularly those built on the ELK stack (Elasticsearch, Logstash, Kibana), outputting directly to Elasticsearch is highly efficient.
- Configuration:

```yaml
outputs:
  - output: elasticsearch
    format: "json"
    priority: "notice"
    # Elasticsearch host and port
    elasticsearch_output: "http://elasticsearch-host:9200"
    # Optional: specify an index name prefix and age for rotation
    index: "falco-%Y-%m-%d"
```

- Why it works: Falco sends JSON documents directly to your Elasticsearch cluster. This bypasses the need for an intermediate agent like Filebeat or Logstash for ingestion, making the flow very direct. Elasticsearch then indexes these events for searching and analysis within Kibana or your SIEM's interface.
Kafka: If your environment uses Kafka as a message bus for log aggregation, Falco can publish its alerts to a Kafka topic. This decouples Falco from your SIEM directly and allows multiple consumers to subscribe to the alerts.
- Configuration:

```yaml
outputs:
  - output: kafka
    format: "json"
    priority: "notice"
    # Kafka broker list
    kafka_brokers: "kafka-broker1:9092,kafka-broker2:9092"
    # The Kafka topic to publish to
    kafka_topic: "falco-alerts"
```

- Why it works: Falco acts as a Kafka producer, sending each alert as a message to the specified topic. A Kafka consumer (which could be Logstash, a custom application, or your SIEM itself if it has Kafka integration) then reads these messages.
Beyond just sending the raw alerts, the real integration power comes from enrichment and correlation.
Enrichment: When an alert hits your SIEM, it’s often just a string of data. To make it actionable, you need context. This might involve:
- IP Geolocation: Mapping the source IP of a network connection to a geographical location.
- User Information: Linking a User ID (e.g., `user.uid: 0`) to a specific username and their role within the organization.
- Asset Information: Identifying the server or container the alert originated from, including its purpose, owner, and criticality.
- Threat Intelligence: Checking observed IPs, domains, or file hashes against known malicious indicators.
Your SIEM or an intermediate tool like Logstash can perform these lookups using external data sources (e.g., MaxMind GeoIP database, Active Directory, CMDBs, threat intel feeds).
Correlation: A single Falco alert might be a low-priority event on its own. However, when correlated with other events (from Falco or other sources), it can indicate a much larger, more sophisticated attack. For example:
- A Falco alert for a suspicious shell spawn (`proc.name: bash`) followed by a SIEM alert for a large outbound data transfer from the same host.
- Multiple Falco alerts for unusual file modifications across several servers, indicating a lateral movement attempt.
- A Falco alert for a privileged container escape combined with a network alert for unusual outbound connections from that container’s host.
Your SIEM’s correlation engine is key here. You’ll define rules within your SIEM that look for patterns of these enriched Falco events, triggering higher-priority incidents for your SOC analysts.
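As an added example (not code from the original post or from the Falco project), here is a small Python stage of the kind a Logstash filter or SIEM correlation engine would run over the alerts above: it enriches each event with user and asset context and then applies two of the correlation patterns listed, the shell-spawn-then-outbound-transfer sequence and the same privileged-write rule firing across several hosts. The `host` field, the `netflow` event, the sample timestamps and the lookup tables are constructed assumptions.

```python
from collections import defaultdict

NS = 10**9
T0 = 1678886047016348677  # the page's sample alert timestamp, ns since epoch
# Constructed sample events, not captured data. Falco events use the flat field
# names of the page's JSON example; "host" and the "netflow" event are assumed to
# be supplied by the SIEM from its other sources.
EVENTS = [
    {"source": "falco", "time": T0, "rule": "Terminal shell in container",
     "host": "web-01", "user.uid": 0, "proc.name": "bash"},
    {"source": "netflow", "time": T0 + 40 * NS, "rule": "Large outbound transfer",
     "host": "web-01", "bytes_out": 750_000_000},
    {"source": "falco", "time": T0 + 5 * NS, "rule": "An unusual file system write by a privileged user",
     "host": "db-01", "user.uid": 0, "fd.name": "/usr/bin/sshd"},
    {"source": "falco", "time": T0 + 9 * NS, "rule": "An unusual file system write by a privileged user",
     "host": "db-02", "user.uid": 0, "fd.name": "/usr/bin/sshd"},
    {"source": "falco", "time": T0 + 15 * NS, "rule": "An unusual file system write by a privileged user",
     "host": "db-03", "user.uid": 0, "fd.name": "/usr/bin/sshd"},
]
# Hypothetical lookup tables standing in for Active Directory and a CMDB.
UID_TO_USER = {0: {"user.name": "root", "user.role": "system-admin"}}
ASSETS = {"web-01": {"asset.owner": "platform", "asset.criticality": "high"},
          "db-01": {"asset.owner": "data", "asset.criticality": "critical"}}

def enrich(event):
    """Attach user and asset context; failed lookups are labelled, not dropped."""
    out = dict(event)
    if "user.uid" in event:
        out.update(UID_TO_USER.get(event["user.uid"], {"user.name": "unknown", "user.role": "unknown"}))
    out.update(ASSETS.get(event["host"], {"asset.owner": "unknown", "asset.criticality": "unknown"}))
    return out

def correlate(events, window_s=60, min_hosts=3):
    """Two SIEM-style rules: shell spawn then large outbound transfer on one host,
    and the privileged-write rule firing on >= min_hosts hosts inside the window."""
    incidents, shells, writes = [], defaultdict(list), []  # shells: host -> spawn times
    for e in sorted(events, key=lambda x: x["time"]):
        if e.get("proc.name") == "bash":
            shells[e["host"]].append(e["time"])
        elif e["rule"] == "Large outbound transfer":
            if any(0 <= e["time"] - t <= window_s * NS for t in shells[e["host"]]):
                incidents.append({"incident": "shell-then-exfil", "host": e["host"], "priority": "High"})
        elif e["rule"].startswith("An unusual file system write"):
            writes.append((e["time"], e["host"]))
            recent = {h for t, h in writes if e["time"] - t <= window_s * NS}
            if len(recent) >= min_hosts:
                incidents.append({"incident": "lateral-movement", "hosts": sorted(recent), "priority": "High"})
                writes.clear()  # do not re-raise the same cluster on the next write
    return incidents
```

Running `correlate([enrich(e) for e in EVENTS])` yields one lateral-movement incident across the three db hosts and one shell-then-exfil incident for web-01; shrinking the window to 30 seconds drops the second, which is the tuning knob an analyst would adjust to control false positives.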
What often surprises people about integrating Falco alerts is how much of the "intelligence" you can push back into Falco itself. While many focus on the SIEM's role in enriching and correlating, Falco can also be configured to perform basic lookups and add context before sending the alert. For instance, using the remote output plugin, you can send enriched data directly to a remote endpoint that then forwards it to your SIEM. More importantly, Falco's rule engine itself can be very sophisticated. You can write rules that don't just trigger on a single syscall but on a sequence of events within a specific time window, effectively performing local correlation. This reduces the load on your SIEM and can lead to faster detection, because the alert is generated closer to the source.
Once Falco alerts are flowing into your SIEM, correlated, and enriched, the next step is to operationalize your response. This often involves defining playbooks within your SIEM or SOAR (Security Orchestration, Automation, and Response) platform to automate actions like isolating a compromised host, blocking an IP address, or creating a ticket for a security analyst.