<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ebpf on Tarragon</title><link>https://tarrragon.github.io/blog/tags/ebpf/</link><description>Recent content in Ebpf on Tarragon</description><generator>Hugo -- gohugo.io</generator><language>zh-TW</language><copyright>Tarragon (CC BY 4.0)</copyright><lastBuildDate>Mon, 18 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://tarrragon.github.io/blog/tags/ebpf/index.xml" rel="self" type="application/rss+xml"/><item><title>Falco</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/falco/</link><pubDate>Mon, 18 May 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/falco/</guid><description>&lt;p>Falco is a CNCF Graduated runtime cloud-native threat detection engine, originally open-sourced by Sysdig under the Apache 2.0 license. On hosts / containers it uses eBPF (or a kernel module / userspace fallback) to intercept syscalls, joins them with the audit logs pulled in by Plugins into a single event stream, feeds that stream to the Rule engine to match YAML rules, and on a hit sends an alert to stdout / Falcosidekick / SIEM. Its difference from commercial CNAPP runtime modules (&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &amp;#43; CSPM &amp;#43; CWS &amp;#43; AAP &amp;#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog CWS&lt;/a> / &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/lacework/" data-link-title="Lacework" data-link-desc="CNAPP 走 Polygraph ML behavioral baseline 路線、2024 跟 Fortinet 合併成 FortiCNAPP、自動學 normal、anomaly 自動 alert">Lacework Polygraph&lt;/a> / &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/prisma-cloud/" data-link-title="Prisma Cloud" data-link-desc="Palo Alto CNAPP、agent (Defender) &amp;#43; agentless 雙軌、五模組（Compute / CSPM / Code / Data / CIEM）、Compliance template 強">Prisma Cloud Defender&lt;/a>) lies in &lt;em>OSS rule-based vs SaaS ML-based, plus platform breadth, plus who owns the engineering of automated response&lt;/em>; the detection technology itself is similar.&lt;/p>
&lt;h2 id="服務定位">服務定位&lt;/h2>
&lt;p>Falco's core positioning is &lt;em>the OSS baseline for a K8s container runtime detection engine&lt;/em>, not a full CNAPP and not inline enforcement. The underlying Driver comes in three layers: &lt;em>modern eBPF&lt;/em> (Linux 5.8+, the default), &lt;em>legacy kernel module (kmod)&lt;/em> (fallback for old kernels), and the &lt;em>pdig userspace probe&lt;/em> (no root, or non-Linux). The Driver captures syscalls plus K8s audit / cloud audit events and sends them into the Falco engine; the engine matches YAML rules using Sysdig filter syntax and emits an alert on a hit. The Plugin system lets Falco see non-syscall events (K8s audit log, Okta events, GitHub audit, AWS CloudTrail), turning it into a &lt;em>general detection engine&lt;/em> rather than host runtime only.&lt;/p>
&lt;p>Compared with &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/cilium-tetragon/" data-link-title="Cilium Tetragon" data-link-desc="eBPF-based runtime security &amp;#43; inline enforcement、跟 Cilium CNI 同生態、TracingPolicy CRD、process credentials tracking &amp;#43; KillerAction">Cilium Tetragon&lt;/a>, Falco goes &lt;em>rule engine + alert-only&lt;/em> while Tetragon goes &lt;em>eBPF + enforceable kill action&lt;/em>; Falco is primarily detection, Tetragon is detection + protection. Compared with &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &amp;#43; CSPM &amp;#43; CWS &amp;#43; AAP &amp;#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog Security&lt;/a> (CWS), Datadog adds a runtime security view on top of SaaS observability with a built-in ML-based behavioral baseline, but with vendor lock-in and per-host billing; Falco is self-managed OSS with fully writable rules, but ML baseline / threat intel / cross-source correlation have to be wired into your own SIEM. Compared with &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/lacework/" data-link-title="Lacework" data-link-desc="CNAPP 走 Polygraph ML behavioral baseline 路線、2024 跟 Fortinet 合併成 FortiCNAPP、自動學 normal、anomaly 自動 alert">Lacework&lt;/a> Polygraph, Lacework builds its baseline automatically from a behavior graph, whereas Falco is rule-explicit: the boundary is visible and easy to audit.&lt;/p></description><content:encoded><![CDATA[<p>Falco is a CNCF Graduated runtime cloud-native threat detection engine, originally open-sourced by Sysdig under the Apache 2.0 license. On hosts / containers it uses eBPF (or a kernel module / userspace fallback) to intercept syscalls, joins them with the audit logs pulled in by Plugins into a single event stream, feeds that stream to the Rule engine to match YAML rules, and on a hit sends an alert to stdout / Falcosidekick / SIEM. Its difference from commercial CNAPP runtime modules (<a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &#43; CSPM &#43; CWS &#43; AAP &#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog CWS</a> / <a href="/blog/backend/07-security-data-protection/vendors/lacework/" data-link-title="Lacework" data-link-desc="CNAPP 走 Polygraph ML behavioral baseline 路線、2024 跟 Fortinet 合併成 FortiCNAPP、自動學 normal、anomaly 自動 alert">Lacework Polygraph</a> / <a href="/blog/backend/07-security-data-protection/vendors/prisma-cloud/" data-link-title="Prisma Cloud" data-link-desc="Palo Alto CNAPP、agent (Defender) &#43; agentless 雙軌、五模組（Compute / CSPM / Code / Data / CIEM）、Compliance template 強">Prisma Cloud Defender</a>) lies in <em>OSS rule-based vs SaaS ML-based, plus platform breadth, plus who owns the engineering of automated response</em>; the detection technology itself is similar.</p>
<h2 id="服務定位">Service positioning</h2>
<p>Falco's core positioning is <em>the OSS baseline for a K8s container runtime detection engine</em>, not a full CNAPP and not inline enforcement. The underlying Driver comes in three layers: <em>modern eBPF</em> (Linux 5.8+, the default), <em>legacy kernel module (kmod)</em> (fallback for old kernels), and the <em>pdig userspace probe</em> (no root, or non-Linux). The Driver captures syscalls plus K8s audit / cloud audit events and sends them into the Falco engine; the engine matches YAML rules using Sysdig filter syntax and emits an alert on a hit. The Plugin system lets Falco see non-syscall events (K8s audit log, Okta events, GitHub audit, AWS CloudTrail), turning it into a <em>general detection engine</em> rather than host runtime only.</p>
<p>Compared with <a href="/blog/backend/07-security-data-protection/vendors/cilium-tetragon/" data-link-title="Cilium Tetragon" data-link-desc="eBPF-based runtime security &#43; inline enforcement、跟 Cilium CNI 同生態、TracingPolicy CRD、process credentials tracking &#43; KillerAction">Cilium Tetragon</a>, Falco goes <em>rule engine + alert-only</em> while Tetragon goes <em>eBPF + enforceable kill action</em>; Falco is primarily detection, Tetragon is detection + protection. Compared with <a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &#43; CSPM &#43; CWS &#43; AAP &#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog Security</a> (CWS), Datadog adds a runtime security view on top of SaaS observability with a built-in ML-based behavioral baseline, but with vendor lock-in and per-host billing; Falco is self-managed OSS with fully writable rules, but ML baseline / threat intel / cross-source correlation have to be wired into your own SIEM. Compared with <a href="/blog/backend/07-security-data-protection/vendors/lacework/" data-link-title="Lacework" data-link-desc="CNAPP 走 Polygraph ML behavioral baseline 路線、2024 跟 Fortinet 合併成 FortiCNAPP、自動學 normal、anomaly 自動 alert">Lacework</a> Polygraph, Lacework builds its baseline automatically from a behavior graph, whereas Falco is rule-explicit: the boundary is visible and easy to audit.</p>
<p>Key tension: <em>detection vs protection</em> and <em>rule-explicit vs ML-baseline</em> are two separate trade-off axes. Falco only emits alerts by default; inline kill / cordon requires Falco Talon or an external SOAR. Fully writable rules are both an advantage and a burden: your own anti-patterns have to be written as conditions by you, unlike SaaS CNAPPs that ship an ML baseline by default.</p>
<h2 id="本章目標">Goals of this chapter</h2>
<p>After reading this page, the reader should be able to judge:</p>
<ol>
<li>Which segment of the K8s runtime security stack Falco covers (syscall detection / audit log detection / alert forwarding) and which parts must be attached externally (Talon / SIEM / SOAR)</li>
<li>How the Driver choice (modern eBPF / kmod / pdig) maps to the kernel environment / deployment model, and that the wrong choice silently misses events</li>
<li>Ownership design for rule writing (who writes, who reviews, how false positives are observed in staging)</li>
<li>When to use Falco, and when to switch to Tetragon (need enforcement) or a commercial CNAPP (need ML baseline + multi-cloud posture)</li>
</ol>
<h2 id="最短判讀路徑">Shortest assessment path</h2>
<p>To judge whether a Falco deployment is healthy, check at least four things:</p>
<ul>
<li><strong>Does the Driver match the kernel environment</strong>: modern eBPF on 5.8+ / kmod on legacy / pdig on serverless or non-root containers; a driver that does not match the kernel means silent misses, so check <code>falco --version</code> and the startup log to confirm the driver loaded successfully</li>
<li><strong>Rule ownership and lifecycle</strong>: do the built-in Falco rules (<code>falco_rules.yaml</code> / <code>k8s_audit_rules.yaml</code>) plus your custom rules go through Git PR review, run for a few hours in a staging tenant to observe false positives, and only then get promoted to production</li>
<li><strong>Alert sink + downstream routing</strong>: Falco outputs to stdout / file / syslog by default; production almost always attaches Falcosidekick for fan-out (Slack / SIEM / S3 / Webhook), with clear integration points into <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> / <a href="/blog/backend/07-security-data-protection/vendors/elastic-security/" data-link-title="Elastic Security" data-link-desc="Elastic Stack 上的 SIEM &#43; EDR &#43; Cloud Security 套件、OSS 起源、KQL/EQL/Lucene/ES|QL 多查詢語言、resource-based pricing">Elastic Security</a> / <a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &#43; CSPM &#43; CWS &#43; AAP &#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog Security</a></li>
<li><strong>Is response alert-only or is there enforcement</strong>: alert-only goes through <a href="/blog/backend/08-incident-response/" data-link-title="模組八：事故處理與復盤" data-link-desc="用 IR 領域詞彙建問題節點、以服務級案例庫累積事故脈絡，先建概念與案例庫再進實作交接">8 Incident Response</a> routing; automatic kill pod / cordon node requires Falco Talon or a SOAR, and high-impact actions go through an approval gate</li>
</ul>
<p>If any of the four is missing, it is an open item at the boundary of <a href="/blog/backend/07-security-data-protection/detection-coverage-and-signal-governance/" data-link-title="7.13 偵測覆蓋率與訊號治理" data-link-desc="定義偵測覆蓋、訊號品質與誤報成本的治理問題">Detection Coverage and Signal Governance</a>.</p>
<h2 id="日常操作與決策形狀">Day-to-day operation and decision shape</h2>
<p><strong>Driver layer</strong>: Falco has three drivers: <em>modern eBPF</em> (CO-RE, Linux 5.8+, the default, no kernel headers needed), <em>legacy kernel module</em> (kmod, the only choice on old kernels, needs a DKMS build), and <em>pdig</em> (userspace, ptrace-based, for non-root containers or macOS dev environments, poor performance). Production K8s deployments almost all use modern eBPF, deployed as a DaemonSet on every node, falling back to kmod only when the kernel version is too old; do not mix drivers, or alert sources become hard to reconcile.</p>
<p><strong>Rule YAML structure</strong>: a Falco rule consists of <code>condition</code> (Sysdig filter syntax, similar to a SQL where clause), <code>output</code> (alert template with field interpolation), <code>priority</code> (emergency / alert / critical / error / warning / notice / informational / debug), and <code>tags</code> (mitre / cis / NIST mapping). The way <code>condition</code> is written is tightly coupled to Linux syscalls (<code>evt.type=execve</code>, <code>fd.name=/etc/passwd</code>, <code>proc.name=nc</code>), so rule engineers need to know syscalls and process trees well. <code>macro</code> and <code>list</code> make rules reusable (<code>macro: container_started</code> / <code>list: shell_binaries</code>); a production rule library should be macro-first, not rewrite the condition in every rule.</p>
<p><strong>Plugin ecosystem</strong>: Plugins extend Falco from host syscalls to arbitrary event sources: the <em>k8saudit plugin</em> ingests K8s API server audit logs (RBAC changes / Secret access), the <em>cloudtrail plugin</em> ingests AWS CloudTrail, the <em>okta plugin</em> ingests the Okta system log, and the <em>github plugin</em> ingests the GitHub audit log. Plugins make Falco a <em>general detection engine</em>, not just container runtime; but plugin event sources overlap with the SIEM, so ownership must be clear: <em>Falco does near-host real-time detection, the SIEM does cross-source historical correlation</em>; do not run the same rule on both sides.</p>
<p><strong>Falcosidekick + alert fan-out</strong>: the Falco engine outputs to stdout / file / gRPC by default; production attaches Falcosidekick (beside the DaemonSet or as a separate Deployment) for fan-out: the same alert is forwarded simultaneously to Slack (SOC chat), Splunk HEC / Elastic / Loki (SIEM persistence), S3 (compliance archive), Webhook (in-house dashboard), and Prometheus (metrics). Sidekick is a stateless forwarder; it does no dedup / aggregation, which has to happen in the SIEM.</p>
<p><strong>Falco Talon + automated response</strong>: Talon is a response orchestrator; it subscribes to Falcosidekick's webhook output and executes automatically according to the rule action: kill pod, cordon node, add NetworkPolicy, call a webhook to notify the SOAR. Talon turns <em>detection → response</em> from a manual SOC playbook into declarative YAML, but high-impact actions (kill prod pod, cordon node) must go through an approval gate or be restricted to staging namespaces; no black-box fire-and-forget. This corresponds to the chapter principles in <a href="/blog/backend/07-security-data-protection/blue-team/detection-to-response-routing/" data-link-title="7.B2 從偵測到回應的路由" data-link-desc="建立資安偵測訊號如何轉成 triage、severity、升級與 incident workflow 的大綱">Detection to Response Routing</a>.</p>
<p><strong>Helm chart deployment + GitOps</strong>: the official Falco Helm chart bundles the DaemonSet (Falco engine + driver), Deployment (Falcosidekick), ConfigMap (rule YAML), and ServiceAccount + RBAC as one unit. Production deployments sync Helm values via Argo CD / Flux; rule YAML goes through Git PR review, merge triggers a staging tenant deploy, humans observe false positives for 24-48hr, then promote to production. Editing the ConfigMap directly without version control is detection drift, and later audits cannot trace it.</p>
<p><strong>Integration with SIEM / 8 Incident Response</strong>: after Falco alerts enter <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> / <a href="/blog/backend/07-security-data-protection/vendors/elastic-security/" data-link-title="Elastic Security" data-link-desc="Elastic Stack 上的 SIEM &#43; EDR &#43; Cloud Security 套件、OSS 起源、KQL/EQL/Lucene/ES|QL 多查詢語言、resource-based pricing">Elastic Security</a> / <a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &#43; CSPM &#43; CWS &#43; AAP &#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog Security</a> via Falcosidekick, they go through the same correlation + triage pipeline as every other detection signal, not a separate channel. Notable / high-priority alerts go into the IR queue of <a href="/blog/backend/08-incident-response/" data-link-title="模組八：事故處理與復盤" data-link-desc="用 IR 領域詞彙建問題節點、以服務級案例庫累積事故脈絡，先建概念與案例庫再進實作交接">8 Incident Response</a> and follow the incident commander handoff.</p>
<h2 id="核心取捨表">Core trade-off table</h2>
<table>
  <thead>
      <tr>
          <th>Trade-off dimension</th>
          <th>Falco</th>
          <th>Cilium Tetragon</th>
          <th>Datadog CWS</th>
          <th>Lacework Polygraph</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>License</td>
          <td>Apache 2.0 OSS</td>
          <td>Apache 2.0 OSS</td>
          <td>Commercial SaaS</td>
          <td>Commercial SaaS</td>
      </tr>
      <tr>
          <td>Detection model</td>
          <td>Rule-explicit (YAML + Sysdig filter)</td>
          <td>Rule-explicit (YAML + TracingPolicy)</td>
          <td>ML-based behavioral baseline + rule</td>
          <td>Behavior graph auto baseline</td>
      </tr>
      <tr>
          <td>Enforcement</td>
          <td>Alert-only (Talon adds response)</td>
          <td>Inline enforce (kill / signal, can block)</td>
          <td>Inline enforce (Datadog Agent)</td>
          <td>Alert + workload baseline drift</td>
      </tr>
      <tr>
          <td>Driver</td>
          <td>modern eBPF / kmod / pdig</td>
          <td>eBPF only (cilium ecosystem)</td>
          <td>eBPF (Datadog Agent)</td>
          <td>eBPF (Lacework Agent)</td>
      </tr>
      <tr>
          <td>Coverage</td>
          <td>Container + host + plugin (audit log)</td>
          <td>Container + host (cilium network integration)</td>
          <td>Container + host + cloud + app</td>
          <td>Cloud + container + workload + IaC posture</td>
      </tr>
      <tr>
          <td>Cross-source</td>
          <td>Via Plugin + Falcosidekick → SIEM</td>
          <td>Via Cilium Hubble + external SIEM</td>
          <td>Built-in (Datadog observability plane)</td>
          <td>Built-in (Polygraph graph)</td>
      </tr>
      <tr>
          <td>Learning curve</td>
          <td>Medium: Sysdig filter + macro</td>
          <td>Medium: TracingPolicy + cilium knowledge</td>
          <td>Gentle: reuses Datadog UI / Workload Security</td>
          <td>Gentle: SaaS console</td>
      </tr>
      <tr>
          <td>Best fit</td>
          <td>OSS-first, SIEM already deployed, want fully writable rules</td>
          <td>Need inline enforcement, cilium CNI already in use</td>
          <td>Datadog already in use, cloud-native, budget allows</td>
          <td>CNAPP + posture in one, multi-cloud</td>
      </tr>
      <tr>
          <td>Exit cost</td>
          <td>Low: rules are YAML, portable to Sigma</td>
          <td>Medium: TracingPolicy tied to cilium</td>
          <td>High: Workload Security rules tied to the platform</td>
          <td>High: Polygraph data tied to the platform</td>
      </tr>
  </tbody>
</table>
<p>The core case for choosing Falco: <em>K8s container runtime detection, OSS + rule-customizable, SIEM already deployed, SOC has detection engineers who can write Sysdig filter rules</em>. If you need inline enforcement, go straight to Tetragon; if you need ML baseline + multi-cloud posture and do not want to self-manage the rule lifecycle, go straight to Datadog CWS / Lacework / <a href="/blog/backend/07-security-data-protection/vendors/wiz/" data-link-title="Wiz" data-link-desc="Agentless CNAPP、Security Graph &#43; Toxic Combination 風險優先級、API-only scan 不需 workload agent">Wiz</a> + <a href="/blog/backend/07-security-data-protection/vendors/crowdstrike-falcon-cs/" data-link-title="CrowdStrike Falcon Cloud Security" data-link-desc="CrowdStrike 在 Falcon endpoint EDR 之上的 CNAPP、agent 統一跨 endpoint &#43; workload &#43; container、CrowdStrike Intelligence 內建">CrowdStrike Falcon CS</a>.</p>
<h2 id="進階主題">Advanced topics</h2>
<p><strong>Custom rule design</strong>: a production rule library should be <em>macro-first</em>, pulling reusable conditions out into macros (<code>container_started</code> / <code>sensitive_mount</code> / <code>shell_in_container</code>) and lists (<code>shell_binaries</code> / <code>sensitive_files</code>); rules reference macros instead of rewriting the condition, so changing a macro updates every rule that references it at once. The rule anti-pattern is the <em>single-event noisy rule</em> (alert on every shell exec); production rules should be <em>context-bounded</em> (shell exec <strong>in a container</strong> + parent <strong>not on the allowlist</strong> + image <strong>not from a trusted registry</strong>) plus a priority ladder (Notice in production, Warning in staging, new rules start at Informational for observation).</p>
<p><strong>eBPF driver vs kmod trade-off</strong>: modern eBPF uses CO-RE (Compile Once, Run Everywhere), needs no per-kernel build, and attaches dynamically at runtime; kmod needs a DKMS build on the host, is tightly coupled to the kernel version, and must be rebuilt on every kernel upgrade. Every modern Linux distro should default to modern eBPF; only RHEL 7 / old Ubuntu LTS (kernel &lt; 5.8) have a reason to use kmod. pdig is for environments without root / without eBPF (some serverless containers, macOS dev); its performance is poor and it is not suited to production.</p>
<p><strong>Falco Talon automated response design</strong>: Talon makes "Falco alert → automatic response" declarative; a rule action can be <em>kubernetes:terminate-pod</em>, <em>kubernetes:label-pod</em>, <em>kubernetes:cordon-node</em>, <em>aws:disable-iam-user</em>, or <em>calico:add-networkpolicy</em>. Key principles for using Talon in production: <em>high-impact actions go through an approval gate</em> (PagerDuty incident → human approve → execute), <em>containment first, not deletion</em> (cordon + label first, then a human decides whether to terminate), <em>limit the blast radius</em> (only affect specific namespaces / label selectors), and <em>audit trail</em> (every action goes into Splunk + the IR queue).</p>
<p><strong>Plugin ecosystem boundary</strong>: Plugins turn Falco into a general detection engine, but ownership must be explicit where plugin events overlap with the SIEM. Recommendation: <em>host syscall + container runtime → Falco rules</em> (real-time + low latency); <em>K8s audit + cloud audit + IdP audit → run both the Falco plugin (near-real-time alert) and the SIEM (historical correlation)</em>; <em>pure cross-source correlation (many users, many sources, many time windows) → SIEM primarily</em>. Do not let Falco plugins and SIEM rules run duplicate conditions; it double-alerts and double-costs.</p>
<p><strong>Where Sigstore + SBOM integration sits</strong>: Falco does no image scan / SBOM verification (that is the place of <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a> / <a href="/blog/backend/07-security-data-protection/vendors/syft-grype/" data-link-title="Syft &#43; Grype" data-link-desc="Anchore 開源姐妹工具：Syft 產 SBOM (CycloneDX / SPDX) &#43; Grype scan 漏洞、Unix philosophy、cosign attestation 整合">Syft &amp; Grype</a>), but runtime detection is the last layer of defense in depth for <a href="/blog/backend/07-security-data-protection/supply-chain-integrity-and-artifact-trust/" data-link-title="7.12 供應鏈完整性與 Artifact 信任" data-link-desc="定義 build provenance、artifact 信任與交付鏈風險問題">Supply Chain Integrity</a>: the image passed the scan and the signature verified, yet an anomalous syscall appears at runtime (log4shell triggering outbound LDAP, SolarWinds legitimately signed but behaving abnormally), and the Falco rule is the last point that catches it.</p>
<h2 id="排錯與失敗快速判讀">Troubleshooting and quick failure diagnosis</h2>
<ul>
<li><strong>Falco starts successfully but sees no events at all</strong>: the driver did not load (modern eBPF fell back and failed on an old kernel); check the startup log for <code>driver loaded successfully</code>, match the driver version with <code>falco --version</code>, and switch old kernels to kmod</li>
<li><strong>Floods of false positives drown the SOC</strong>: the rule is too broad (<code>shell in container</code> triggers on legitimate debug shells too); run 48hr in a staging tenant to count FPs, add an exception list or adjust the macro to exclude known legitimate sources, and start new rules at Informational priority for observation</li>
<li><strong>Alerts do not reach the SIEM</strong>: Falcosidekick is not attached, or the output channel is misconfigured; confirm the Falcosidekick Deployment is up, the output webhook is correct, and the SIEM HEC token has not expired; the Falco engine's own stdout / file output is still retained, so nothing is silently lost</li>
<li><strong>Detection drift after a rule update</strong>: the ConfigMap was edited directly without Git PR + staging observation; enforce GitOps (Argo CD / Flux), make the ConfigMap immutable, and require every rule change to go through PR review + staging promotion</li>
<li><strong>Plugin event lag / missed events</strong>: plugins polling cloud audit logs (CloudTrail / Okta) are subject to latency and API rate limits and are not real-time; do not rely on plugins for pure real-time detection, use SIEM streaming ingest instead; plugins are suited to covering the layers syscalls cannot see</li>
<li><strong>Talon automated response kills prod by mistake</strong>: the rule action kills the pod directly with no approval gate; split high-impact actions into two steps (label + cordon first, then human-approved terminate), limit the blast radius to a namespace / label selector, and send the full audit trail to the SIEM</li>
<li><strong>eBPF driver out of step with a kernel upgrade</strong>: after a node kernel upgrade, modern eBPF still adapts automatically via CO-RE, but a Falco version that is too old will not support new syscalls; upgrade the Falco engine regularly, do not pin a two-year-old version</li>
</ul>
<h2 id="何時改走其他服務">When to switch to another service</h2>
<table>
  <thead>
      <tr>
          <th>Need shape</th>
          <th>Switch to</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Need inline kill / enforcement</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/cilium-tetragon/" data-link-title="Cilium Tetragon" data-link-desc="eBPF-based runtime security &#43; inline enforcement、跟 Cilium CNI 同生態、TracingPolicy CRD、process credentials tracking &#43; KillerAction">Cilium Tetragon</a></td>
      </tr>
      <tr>
          <td>ML behavioral baseline + multi-cloud</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &#43; CSPM &#43; CWS &#43; AAP &#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog Security</a>、<a href="/blog/backend/07-security-data-protection/vendors/lacework/" data-link-title="Lacework" data-link-desc="CNAPP 走 Polygraph ML behavioral baseline 路線、2024 跟 Fortinet 合併成 FortiCNAPP、自動學 normal、anomaly 自動 alert">Lacework</a>、<a href="/blog/backend/07-security-data-protection/vendors/wiz/" data-link-title="Wiz" data-link-desc="Agentless CNAPP、Security Graph &#43; Toxic Combination 風險優先級、API-only scan 不需 workload agent">Wiz</a></td>
      </tr>
      <tr>
          <td>Full CNAPP + posture + runtime</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/prisma-cloud/" data-link-title="Prisma Cloud" data-link-desc="Palo Alto CNAPP、agent (Defender) &#43; agentless 雙軌、五模組（Compute / CSPM / Code / Data / CIEM）、Compliance template 強">Prisma Cloud</a>、<a href="/blog/backend/07-security-data-protection/vendors/crowdstrike-falcon-cs/" data-link-title="CrowdStrike Falcon Cloud Security" data-link-desc="CrowdStrike 在 Falcon endpoint EDR 之上的 CNAPP、agent 統一跨 endpoint &#43; workload &#43; container、CrowdStrike Intelligence 內建">CrowdStrike Falcon CS</a></td>
      </tr>
      <tr>
          <td>Image scan / SBOM / SCA</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a>、<a href="/blog/backend/07-security-data-protection/vendors/syft-grype/" data-link-title="Syft &#43; Grype" data-link-desc="Anchore 開源姐妹工具：Syft 產 SBOM (CycloneDX / SPDX) &#43; Grype scan 漏洞、Unix philosophy、cosign attestation 整合">Syft &amp; Grype</a>、<a href="/blog/backend/07-security-data-protection/vendors/snyk/" data-link-title="Snyk" data-link-desc="跨 SCM 多模組 application security platform：Open Source (SCA) &#43; Code (SAST) &#43; Container &#43; IaC &#43; Cloud (CSPM)、Reachability analysis">Snyk</a></td>
      </tr>
      <tr>
          <td>Cross-source SIEM correlation</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a>、<a href="/blog/backend/07-security-data-protection/vendors/elastic-security/" data-link-title="Elastic Security" data-link-desc="Elastic Stack 上的 SIEM &#43; EDR &#43; Cloud Security 套件、OSS 起源、KQL/EQL/Lucene/ES|QL 多查詢語言、resource-based pricing">Elastic Security</a>、<a href="/blog/backend/07-security-data-protection/vendors/google-security-operations/" data-link-title="Google Security Operations" data-link-desc="Google 雲原生 SIEM &#43; SOAR &#43; Mandiant threat intel 三合一（前 Chronicle）、UDM &#43; YARA-L、fixed-price by data tier、PB-scale 友善">Google Security Operations</a></td>
      </tr>
      <tr>
          <td>Incident routing</td>
          <td><a href="/blog/backend/08-incident-response/vendors/" data-link-title="事故處理 Vendor 清單" data-link-desc="規劃 on-call、incident response、status page 與 postmortem 工具的服務頁撰寫順序與判準">8 Incident Response vendor list</a></td>
      </tr>
  </tbody>
</table>
<h2 id="不在本頁內的主題">Topics not on this page</h2>
<ul>
<li>Full Sysdig filter syntax reference and detailed syscall fields</li>
<li>Falco source code internals (libsinsp / libscap)</li>
<li>Detailed feature comparison with Sysdig Secure (Falco's commercial edition, maintained by Sysdig Inc., with ML baseline + cloud posture)</li>
<li>Container image scan / SBOM verification (belongs to <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a> / <a href="/blog/backend/07-security-data-protection/vendors/syft-grype/" data-link-title="Syft &#43; Grype" data-link-desc="Anchore 開源姐妹工具：Syft 產 SBOM (CycloneDX / SPDX) &#43; Grype scan 漏洞、Unix philosophy、cosign attestation 整合">Syft &amp; Grype</a>)</li>
<li>Design of Kubernetes RBAC / Pod Security Standards / NetworkPolicy (belongs to the K8s platform layer, outside runtime detection scope)</li>
</ul>
<h2 id="案例回寫">Case write-back</h2>
<p>Falco has no direct vendor-level incident in the 07 case library, but several runtime / supply chain cases are exactly the scenarios a Falco rule should be the first line to catch:</p>
<table>
  <thead>
      <tr>
          <th>Case</th>
          <th>Relationship to Falco (comparative lesson)</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/3cx-2023-desktopapp-supply-chain/" data-link-title="7.R7.2.8 3CX 2023：桌面軟體更新鏈攻擊" data-link-desc="合法更新流程被植入後，桌面端供應鏈事件如何傳到企業端點">3CX 2023 Desktop App Supply Chain</a></td>
          <td>A Falco rule detects the desktop app process spawning anomalous child processes + outbound callbacks, adding a runtime behavior layer beyond signature verification</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/log4shell-cve-2021-44228-component-chain/" data-link-title="7.R7.2.7 Log4Shell 2021：共用元件風險與修補鏈" data-link-desc="共用元件漏洞如何同步影響多服務，並迫使團隊建立依賴治理 workflow">Log4Shell CVE-2021-44228</a></td>
          <td>A Falco rule detects the outbound LDAP / DNS triggered by the JNDI lookup, adding runtime detection beyond the <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a> image scan</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/solarwinds-2020-sunburst/" data-link-title="7.R7.2.1 SolarWinds 2020：更新鏈被濫用" data-link-desc="合法更新流程遭植入後，攻擊者如何長期潛伏與橫向擴散">SolarWinds 2020 Sunburst</a></td>
          <td>Legitimately signed binary but anomalous runtime behavior (process tree / outbound C2 / unusual file access); Falco rule + Talon containment are the last layer</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/data-exfiltration/snowflake-2024-credential-abuse/" data-link-title="7.R7.4.2 Snowflake 2024：憑證濫用與資料竊取" data-link-desc="外洩憑證與 MFA 缺口如何在資料平台形成高風險外送事件">Snowflake 2024 Credential Abuse</a></td>
          <td>Comparative lesson: Falco's home turf is host / container runtime; behavioral detection for a cloud-native data warehouse goes through SIEM + platform-layer audit, outside Falco's scope</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/detection-engineering-lifecycle/" data-link-title="7.B5 Detection Engineering Lifecycle" data-link-desc="把偵測規則視為可維護資產，建立從來源、測試、調校到退場的完整生命週期">Detection Engineering Lifecycle (section)</a></td>
          <td>Falco rules + macros + lists follow the propose → staging tune → promote → review engineering lifecycle, not direct ConfigMap edits</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/alert-fatigue-and-signal-quality/" data-link-title="7.B10 Alert Fatigue and Signal Quality" data-link-desc="建立告警疲勞治理方法，讓訊號品質、分級一致性與處置效率同步提升">Alert Fatigue and Signal Quality (section)</a></td>
          <td>The Falco rule priority ladder (new rules start at Informational, observe 48hr in staging, then promote to Warning / Critical) is the engineering answer to alert fatigue</td>
      </tr>
  </tbody>
</table>
<h2 id="下一步路由">Next-step routing</h2>
<ul>
<li>Upstream: <a href="/blog/backend/07-security-data-protection/detection-coverage-and-signal-governance/" data-link-title="7.13 偵測覆蓋率與訊號治理" data-link-desc="定義偵測覆蓋、訊號品質與誤報成本的治理問題">7.13 Detection Coverage and Signal Governance</a>, <a href="/blog/backend/07-security-data-protection/blue-team/detection-engineering-lifecycle/" data-link-title="7.B5 Detection Engineering Lifecycle" data-link-desc="把偵測規則視為可維護資產，建立從來源、測試、調校到退場的完整生命週期">Detection Engineering Lifecycle</a>, <a href="/blog/backend/07-security-data-protection/blue-team/detection-to-response-routing/" data-link-title="7.B2 從偵測到回應的路由" data-link-desc="建立資安偵測訊號如何轉成 triage、severity、升級與 incident workflow 的大綱">Detection to Response Routing</a></li>
<li>Parallel: <a href="/blog/backend/07-security-data-protection/vendors/cilium-tetragon/" data-link-title="Cilium Tetragon" data-link-desc="eBPF-based runtime security &#43; inline enforcement、跟 Cilium CNI 同生態、TracingPolicy CRD、process credentials tracking &#43; KillerAction">Cilium Tetragon</a>, <a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &#43; CSPM &#43; CWS &#43; AAP &#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog Security</a>, <a href="/blog/backend/07-security-data-protection/vendors/lacework/" data-link-title="Lacework" data-link-desc="CNAPP 走 Polygraph ML behavioral baseline 路線、2024 跟 Fortinet 合併成 FortiCNAPP、自動學 normal、anomaly 自動 alert">Lacework</a>, <a href="/blog/backend/07-security-data-protection/vendors/prisma-cloud/" data-link-title="Prisma Cloud" data-link-desc="Palo Alto CNAPP、agent (Defender) &#43; agentless 雙軌、五模組（Compute / CSPM / Code / Data / CIEM）、Compliance template 強">Prisma Cloud</a></li>
<li>Downstream: <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> / <a href="/blog/backend/07-security-data-protection/vendors/elastic-security/" data-link-title="Elastic Security" data-link-desc="Elastic Stack 上的 SIEM &#43; EDR &#43; Cloud Security 套件、OSS 起源、KQL/EQL/Lucene/ES|QL 多查詢語言、resource-based pricing">Elastic Security</a> / <a href="/blog/backend/07-security-data-protection/vendors/google-security-operations/" data-link-title="Google Security Operations" data-link-desc="Google 雲原生 SIEM &#43; SOAR &#43; Mandiant threat intel 三合一（前 Chronicle）、UDM &#43; YARA-L、fixed-price by data tier、PB-scale 友善">Google Security Operations</a> (Falco alerts go into the SIEM for cross-source correlation)</li>
<li>Cross-category: <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a> / <a href="/blog/backend/07-security-data-protection/vendors/syft-grype/" data-link-title="Syft &#43; Grype" data-link-desc="Anchore 開源姐妹工具：Syft 產 SBOM (CycloneDX / SPDX) &#43; Grype scan 漏洞、Unix philosophy、cosign attestation 整合">Syft &amp; Grype</a> (image scan + SBOM, forming supply chain defense in depth together with runtime detection), <a href="/blog/backend/07-security-data-protection/vendors/wiz/" data-link-title="Wiz" data-link-desc="Agentless CNAPP、Security Graph &#43; Toxic Combination 風險優先級、API-only scan 不需 workload agent">Wiz</a> / <a href="/blog/backend/07-security-data-protection/vendors/crowdstrike-falcon-cs/" data-link-title="CrowdStrike Falcon Cloud Security" data-link-desc="CrowdStrike 在 Falcon endpoint EDR 之上的 CNAPP、agent 統一跨 endpoint &#43; workload &#43; container、CrowdStrike Intelligence 內建">CrowdStrike Falcon CS</a> (commercial CNAPP runtime comparison)</li>
<li>Cross-module: <a href="/blog/backend/08-incident-response/vendors/" data-link-title="事故處理 Vendor 清單" data-link-desc="規劃 on-call、incident response、status page 與 postmortem 工具的服務頁撰寫順序與判準">8 Incident Response vendor list</a> (Falco notable alert → IR routing), <a href="/blog/backend/07-security-data-protection/supply-chain-integrity-and-artifact-trust/" data-link-title="7.12 供應鏈完整性與 Artifact 信任" data-link-desc="定義 build provenance、artifact 信任與交付鏈風險問題">Supply Chain Integrity</a> (the defense-in-depth relationship between artifact trust and runtime detection)</li>
<li>Official: <a href="https://falco.org/docs/">Falco Documentation</a>, <a href="https://github.com/falcosecurity/rules">Falco Rules Repository</a></li>
</ul>
]]></content:encoded></item><item><title>Cilium Tetragon</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/cilium-tetragon/</link><pubDate>Mon, 18 May 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/cilium-tetragon/</guid><description>&lt;p>Tetragon is the &lt;em>eBPF-based runtime security + enforcement&lt;/em> component under the Cilium umbrella, led by Isovalent and at CNCF Incubating stage since 2024. The core difference from &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/falco/" data-link-title="Falco" data-link-desc="CNCF Graduated runtime cloud-native threat detection、eBPF / kmod driver、Rule YAML &amp;#43; Falcosidekick &amp;#43; Talon、K8s container runtime 偵測為主">Falco&lt;/a> is &lt;em>detection vs detection + enforcement&lt;/em>: Falco is alert-only by default, while Tetragon is designed for &lt;em>kernel-level inline enforcement&lt;/em> (kill the process directly, override the syscall return value). For K8s-heavy environments that already run the Cilium CNI, Tetragon brings &lt;em>network policy + process policy&lt;/em> into the same eBPF ecosystem.&lt;/p>
&lt;h2 id="服務定位">Service Positioning&lt;/h2>
&lt;p>Tetragon's core positioning is &lt;em>eBPF-based runtime observability + enforcement&lt;/em>, with the TracingPolicy CRD as a first-class concept: one YAML document describes both &lt;em>which syscalls / kprobes / tracepoints to observe&lt;/em> and &lt;em>whether to enforce once they are observed&lt;/em>. The underlying hook points include syscall entry/exit, kprobe (any kernel function), tracepoint (stable kernel events) and uprobe (user-space functions); enforcement actions include &lt;code>Sigkill&lt;/code> (kill the process), &lt;code>Override&lt;/code> (override the syscall return value), &lt;code>NotifyEnforcer&lt;/code> and &lt;code>Post&lt;/code> (send the event out of the plane).&lt;/p>
&lt;p>Compared with &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/falco/" data-link-title="Falco" data-link-desc="CNCF Graduated runtime cloud-native threat detection、eBPF / kmod driver、Rule YAML &amp;#43; Falcosidekick &amp;#43; Talon、K8s container runtime 偵測為主">Falco&lt;/a>: Falco rules use Sysdig filter syntax, Tetragon uses a K8s CRD + JSON schema and sits closer to the K8s-native model; Falco leans toward &lt;em>alert&lt;/em>, Tetragon toward &lt;em>alert + enforce&lt;/em>; Falco is more mature for non-K8s, VM-heavy scenarios. Compared with &lt;em>Datadog Cloud Workload Security&lt;/em>: Datadog is SaaS-only with per-host pricing, Tetragon is OSS Apache 2.0, self-managed, with the paid Isovalent Enterprise edition as an option. Compared with &lt;em>Prisma Cloud Defender&lt;/em>: Prisma is an integrated CSPM/CWPP platform, Tetragon focuses on runtime and shares a plane with Cilium L3-L7 network policy.&lt;/p>
&lt;p>Key tension: &lt;em>the blast radius of eBPF inline enforcement&lt;/em> ↔ &lt;em>detection immediacy&lt;/em>. Killing a process directly at kernel level is harder to bypass than a userspace agent, but a mis-written TracingPolicy (too broad a match) can kill legitimate workloads, and the only rollback path is to edit the CRD and reload. Be clear about &lt;em>whether you can absorb the blast radius of a wrong enforcement rule&lt;/em> before deciding which policies go to enforce and which stay observe-only.&lt;/p></description><content:encoded><![CDATA[<p>Tetragon is the <em>eBPF-based runtime security + enforcement</em> component under the Cilium umbrella, led by Isovalent and at CNCF Incubating stage since 2024. The core difference from <a href="/blog/backend/07-security-data-protection/vendors/falco/" data-link-title="Falco" data-link-desc="CNCF Graduated runtime cloud-native threat detection、eBPF / kmod driver、Rule YAML &#43; Falcosidekick &#43; Talon、K8s container runtime 偵測為主">Falco</a> is <em>detection vs detection + enforcement</em>: Falco is alert-only by default, while Tetragon is designed for <em>kernel-level inline enforcement</em> (kill the process directly, override the syscall return value). For K8s-heavy environments that already run the Cilium CNI, Tetragon brings <em>network policy + process policy</em> into the same eBPF ecosystem.</p>
&lt;p>關鍵張力：&lt;em>eBPF inline enforcement 的爆炸半徑&lt;/em> ↔ &lt;em>偵測即時性&lt;/em>。在 kernel-level 直接 kill process 比 userspace agent 更難 bypass、但 TracingPolicy 寫錯（match 太寬）可能誤殺合法 workload、且回退路徑只能改 CRD 再 reload。要看清楚自己 &lt;em>能不能承擔 enforcement 規則錯誤的 blast radius&lt;/em>、再決定哪些 policy 進 enforce、哪些只 observe。&lt;/p></description><content:encoded><![CDATA[<p>Tetragon 是 Cilium 旗下的 <em>eBPF-based runtime security + enforcement</em> 元件、Isovalent 主導、2024 年起在 CNCF 屬 Incubating 階段。跟 <a href="/blog/backend/07-security-data-protection/vendors/falco/" data-link-title="Falco" data-link-desc="CNCF Graduated runtime cloud-native threat detection、eBPF / kmod driver、Rule YAML &#43; Falcosidekick &#43; Talon、K8s container runtime 偵測為主">Falco</a> 的核心差異在於 <em>偵測 vs 偵測 + 可 enforce</em> — Falco 預設 alert-only、Tetragon 設計支援 <em>kernel-level inline enforcement</em>（直接 kill process、override syscall return value）；對 K8s heavy + 已用 Cilium CNI 的環境、Tetragon 把 <em>network policy + process policy</em> 收進同一個 eBPF 生態。</p>
<h2 id="服務定位">Service Positioning</h2>
<p>Tetragon's core positioning is <em>eBPF-based runtime observability + enforcement</em>, with the TracingPolicy CRD as a first-class concept: one YAML document describes both <em>which syscalls / kprobes / tracepoints to observe</em> and <em>whether to enforce once they are observed</em>. The underlying hook points include syscall entry/exit, kprobe (any kernel function), tracepoint (stable kernel events) and uprobe (user-space functions); enforcement actions include <code>Sigkill</code> (kill the process), <code>Override</code> (override the syscall return value), <code>NotifyEnforcer</code> and <code>Post</code> (send the event out of the plane).</p>
<p>Compared with <a href="/blog/backend/07-security-data-protection/vendors/falco/" data-link-title="Falco" data-link-desc="CNCF Graduated runtime cloud-native threat detection、eBPF / kmod driver、Rule YAML &#43; Falcosidekick &#43; Talon、K8s container runtime 偵測為主">Falco</a>: Falco rules use Sysdig filter syntax, Tetragon uses a K8s CRD + JSON schema and sits closer to the K8s-native model; Falco leans toward <em>alert</em>, Tetragon toward <em>alert + enforce</em>; Falco is more mature for non-K8s, VM-heavy scenarios. Compared with <em>Datadog Cloud Workload Security</em>: Datadog is SaaS-only with per-host pricing, Tetragon is OSS Apache 2.0, self-managed, with the paid Isovalent Enterprise edition as an option. Compared with <em>Prisma Cloud Defender</em>: Prisma is an integrated CSPM/CWPP platform, Tetragon focuses on runtime and shares a plane with Cilium L3-L7 network policy.</p>
<p>Key tension: <em>the blast radius of eBPF inline enforcement</em> ↔ <em>detection immediacy</em>. Killing a process directly at kernel level is harder to bypass than a userspace agent, but a mis-written TracingPolicy (too broad a match) can kill legitimate workloads, and the only rollback path is to edit the CRD and reload. Be clear about <em>whether you can absorb the blast radius of a wrong enforcement rule</em> before deciding which policies go to enforce and which stay observe-only.</p>
<h2 id="本章目標">Goals of This Chapter</h2>
<p>After reading this page, the reader should be able to judge:</p>
<ol>
<li>Which segment of the K8s runtime stack Tetragon covers (process visibility / file access / network syscalls / enforcement) and which parts must be attached externally (<a href="/blog/backend/07-security-data-protection/vendors/falco/" data-link-title="Falco" data-link-desc="CNCF Graduated runtime cloud-native threat detection、eBPF / kmod driver、Rule YAML &#43; Falcosidekick &#43; Talon、K8s container runtime 偵測為主">Falco</a> for VM-heavy, a SIEM for log aggregation)</li>
<li>The ownership design of TracingPolicy (who writes the CRD, who signs off on enforcement actions, staging vs production rollout)</li>
<li>The staged <em>Observe</em> vs <em>Enforce</em> decision: which policies suit inline kill and which should stop at alert</li>
<li>When to use Tetragon and when to go with Falco / Datadog CWS / Prisma Defender instead</li>
</ol>
<h2 id="最短判讀路徑">Shortest Assessment Path</h2>
<p>To judge whether a Tetragon deployment is healthy, check at least four things:</p>
<ul>
<li><strong>TracingPolicy governance</strong>: whether CRDs go through Git + PR review, whether enforcement actions (Sigkill / Override) require extra sign-off, whether a staging cluster runs them for 24-48 hours to observe false positives before promotion to production</li>
<li><strong>Depth of Cilium integration</strong>: whether Hubble flows + Tetragon process events are exported on the same plane, whether Pod identity is automatically enriched into process events, whether two-layer enforcement with Cilium NetworkPolicy is designed in</li>
<li><strong>Enforcement coverage tiers</strong>: which policies are observe-only (logging JNDI lookups / setuid abuse / unexpected outbound), which have been promoted to enforce (killing known exploit patterns), and what the promotion criteria are</li>
<li><strong>Event export pipeline</strong>: whether Tetragon events reach the SIEM (OpenTelemetry / JSON log → Splunk / Elastic) and whether the boundary is consistent with <a href="/blog/backend/07-security-data-protection/detection-coverage-and-signal-governance/" data-link-title="7.13 偵測覆蓋率與訊號治理" data-link-desc="定義偵測覆蓋、訊號品質與誤報成本的治理問題">Detection Coverage and Signal Governance</a></li>
</ul>
<p>If any of the four is missing, it is an open gap in the runtime security boundary.</p>
<h2 id="日常操作與決策形狀">Day-to-Day Operations and Decision Shapes</h2>
<p><strong>TracingPolicy CRD</strong>: Tetragon's first-class concept; one YAML document describes hook point + match selector + enforcement action. Hook points include <em>syscall</em> (most stable but with a broad surface), <em>kprobe</em> (any kernel function, version-dependent), <em>tracepoint</em> (stable kernel events, the preferred choice) and <em>uprobe</em> (user-space functions, for low-level use). Match selectors support K8s namespace / pod label / container image, process credentials (UID / GID / capabilities) and parent process. Production rules use <em>pod label selector + a concrete syscall name + additional process credentials conditions</em> to avoid a loose cluster-wide match killing the wrong thing.</p>
<p><strong>Choosing between kprobe / tracepoint / syscall hooks</strong>: tracepoints are the kernel's public, stable interface, unchanged across versions, and the first choice; kprobes can hook any kernel function but are tightly bound to the kernel build and may need rewriting after a kernel upgrade; raw syscall hooks suit auditing an entire class of syscalls (for example every <code>execve</code>) but produce high volume and need in-kernel filtering to control cost.</p>
<p><strong>Process credentials tracking</strong>: Tetragon tracks UID / GID / capabilities / namespace from process exec onward; detecting <em>privilege escalation</em> (setuid abuse, capabilities drift, container escape) is a first-class use case. Compared with audit logs, credentials drift is a <em>state transition</em> rather than a single event, so it surfaces early lateral-movement signals better (a process that starts as UID 1000 and becomes 0 midway is anomalous).</p>
<p><strong>Pod identity correlation</strong>: in a K8s environment Tetragon automatically enriches process events with K8s metadata (namespace / pod name / container image / service account), with no post-processing join; the event schema shares its root with Hubble flows, so the Hubble UI can show <em>a Pod's network flows + process events</em> on the same timeline.</p>
<p><strong>Two-layer enforcement with Cilium NetworkPolicy</strong>: Cilium controls <em>network ingress / egress / L7 HTTP</em>, Tetragon controls <em>process / syscall / file access</em>. The point of the two-layer design is that what the network layer cannot stop (such as lateral movement inside a process, or container escape syscalls) is covered by the process layer, and what the process layer misses (such as a legitimate process suddenly reaching an anomalous outbound destination) is covered by the network layer. This is especially effective against supply-chain attacks, whose attack chain usually spans <em>malicious process spawn + outbound C2</em>.</p>
<p><strong>Event export and SIEM integration</strong>: Tetragon events go to stdout as JSON logs by default, can go through an OpenTelemetry exporter into a collector pipeline, and then fan out to <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> / <a href="/blog/backend/07-security-data-protection/vendors/elastic-security/" data-link-title="Elastic Security" data-link-desc="Elastic Stack 上的 SIEM &#43; EDR &#43; Cloud Security 套件、OSS 起源、KQL/EQL/Lucene/ES|QL 多查詢語言、resource-based pricing">Elastic Security</a> / <a href="/blog/backend/07-security-data-protection/vendors/google-security-operations/" data-link-title="Google Security Operations" data-link-desc="Google 雲原生 SIEM &#43; SOAR &#43; Mandiant threat intel 三合一（前 Chronicle）、UDM &#43; YARA-L、fixed-price by data tier、PB-scale 友善">Google Security Operations</a>. Cross-source correlation on the SIEM side (process events + IdP audit + cloud control plane) is standard in production; do not rely on Tetragon's own view alone.</p>
<p><strong>Staged Observe → Enforce</strong>: a TracingPolicy usually <em>enters observe-only first</em>, runs for 1-2 weeks to collect a baseline and confirm that false positives are manageable, then gains its enforcement action in a staging cluster, and is observed in staging for 24-48 hours before promotion to production. This follows the principle of the <a href="/blog/backend/07-security-data-protection/blue-team/detection-engineering-lifecycle/" data-link-title="7.B5 Detection Engineering Lifecycle" data-link-desc="把偵測規則視為可維護資產，建立從來源、測試、調校到退場的完整生命週期">Detection Engineering Lifecycle</a> chapter: runtime enforcement is not edited directly in a console, it is a detection content lifecycle.</p>
<h2 id="核心取捨表">Core Trade-off Table</h2>
<table>
  <thead>
      <tr>
          <th>Trade-off dimension</th>
          <th>Cilium Tetragon</th>
          <th>Falco</th>
          <th>Datadog CWS</th>
          <th>Prisma Cloud Defender</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Detection technology</td>
          <td>eBPF (kprobe / tracepoint / syscall / uprobe)</td>
          <td>eBPF + kernel module, two drivers</td>
          <td>eBPF agent</td>
          <td>eBPF + kernel module</td>
      </tr>
      <tr>
          <td>Enforcement</td>
          <td>Built in (Sigkill / Override syscall return)</td>
          <td>Alert-only by default (plugins can add response)</td>
          <td>Automated response (kill / isolate, SaaS-controlled)</td>
          <td>Built in (block process / file / network)</td>
      </tr>
      <tr>
          <td>Rule language</td>
          <td>K8s CRD (TracingPolicy YAML)</td>
          <td>Sysdig filter syntax (YAML rules)</td>
          <td>Datadog Security Rules (JSON / UI)</td>
          <td>Prisma Runtime Rules (UI / JSON)</td>
      </tr>
      <tr>
          <td>Pricing / licensing</td>
          <td>OSS Apache 2.0, paid Isovalent Enterprise</td>
          <td>OSS Apache 2.0, paid Sysdig Secure</td>
          <td>SaaS per-host</td>
          <td>Commercial, per-defender</td>
      </tr>
      <tr>
          <td>K8s native</td>
          <td>Strong: Pod identity auto-enriched, same origin as Cilium</td>
          <td>Medium: K8s metadata requires the audit endpoint</td>
          <td>Strong: the Datadog Agent is already familiar</td>
          <td>Strong: integrated with the Prisma platform</td>
      </tr>
      <tr>
          <td>Network policy</td>
          <td>Two-layer with Cilium L3-L7 (same plane)</td>
          <td>None: process / file only</td>
          <td>None: separate from Datadog Network</td>
          <td>Built-in micro-segmentation</td>
      </tr>
      <tr>
          <td>VM / non-K8s</td>
          <td>Weak: Linux only, K8s-first</td>
          <td>Strong: mature on VM / bare metal</td>
          <td>Medium: same agent across environments</td>
          <td>Strong: full coverage of VM / serverless / container</td>
      </tr>
      <tr>
          <td>Deployment model</td>
          <td>Self-hosted DaemonSet (K8s)</td>
          <td>Self-hosted DaemonSet / VM agent</td>
          <td>SaaS</td>
          <td>Commercial self-hosted + SaaS console</td>
      </tr>
      <tr>
          <td>Best-fit scenario</td>
          <td>K8s-heavy + already on Cilium + needs inline enforcement</td>
          <td>VM-heavy / mixed K8s, needs a mature alert ecosystem</td>
          <td>Already on Datadog, wants unified observability</td>
          <td>Multi-cloud integrated CSPM/CWPP, compliance-driven</td>
      </tr>
      <tr>
          <td>Exit cost</td>
          <td>Medium: TracingPolicy CRDs are portable across clusters</td>
          <td>Medium: Falco rules and Sigma are interconvertible</td>
          <td>High: SaaS lock-in</td>
          <td>High: commercial platform lock-in</td>
      </tr>
  </tbody>
</table>
<p>The core case for choosing Tetragon: <em>K8s-heavy + already on the Cilium CNI + wanting kernel-level inline enforcement + OSS with no licensing cost</em>, with an SRE / security team able to maintain the TracingPolicy CRD lifecycle. For VM-heavy environments, or K8s on another CNI, Falco is the better deal.</p>
<h2 id="進階主題">Advanced Topics</h2>
<p><strong>Blast radius design for inline enforcement</strong>: <code>Sigkill</code> kills the triggering process outright, <code>Override</code> rewrites the syscall return value (the process believes it succeeded but nothing happened). Both operate at kernel level and are very hard for an attacker to bypass, but the blast radius of a wrong rule is <em>every matching process in the whole cluster dies</em>. Practical governance: enforcement-action rules go through GitOps, PRs need security + SRE dual sign-off, the staging cluster validates namespace-scoped rules first, and the production rollout goes through a canary namespace before spreading.</p>
<p><strong>Process credentials drift detection</strong>: track UID / GID / capabilities transitions to detect setuid abuse (a process going from uid 1000 to 0) and suddenly added capabilities (especially CAP_SYS_ADMIN / CAP_NET_ADMIN). This is a first-class signal for early lateral-movement alerting: after gaining initial access an attacker usually has to escalate privilege, and credentials drift is an unavoidable signal along the way. Pair it with the lesson of <a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/solarwinds-2020-sunburst/" data-link-title="7.R7.2.1 SolarWinds 2020：更新鏈被濫用" data-link-desc="合法更新流程遭植入後，攻擊者如何長期潛伏與橫向擴散">SolarWinds 2020 Sunburst</a>: when signature verification passes but runtime behaviour is anomalous, a dual baseline of <em>runtime credentials + process behaviour</em> is needed.</p>
<p><strong>Two-layer enforcement with Cilium L3-L7</strong>: the typical supply-chain attack chain is <em>malicious dependency loaded → process spawn → C2 outbound</em>; the network layer blocks the outbound leg (Cilium NetworkPolicy restricts egress destinations) and the process layer blocks the process (Tetragon KillerAction kills the anomalous spawn). If either layer holds, the chain is broken. This matches the case shape of <a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/3cx-2023-desktopapp-supply-chain/" data-link-title="7.R7.2.8 3CX 2023：桌面軟體更新鏈攻擊" data-link-desc="合法更新流程被植入後，桌面端供應鏈事件如何傳到企業端點">3CX 2023 Desktop App Supply Chain</a>.</p>
<p><strong>Integrating the baseline with SBOM / image signing</strong>: Tetragon detects runtime behaviour deviating from the baseline, SBOM / image signing controls build-time trust, and together they give the dual assurance of <em>trusted artifact + verified runtime behaviour</em>. The runtime behaviour baseline usually starts from the legitimate process / syscall set implied by the SBOM, and deviations become alerts.</p>
<p><strong>Isovalent Enterprise</strong>: the commercial edition adds multi-cluster management, centralized policy distribution, support SLAs, and integration with Isovalent Hubble Enterprise / Cilium Service Mesh Enterprise. The OSS edition has the complete core feature set; Enterprise mainly addresses <em>large-scale multi-cluster management</em> and <em>enterprise support</em>, not feature gating.</p>
<h2 id="排錯與失敗快速判讀">Troubleshooting and Quick Failure Triage</h2>
<ul>
<li><strong>TracingPolicy kills legitimate workloads</strong>: the match selector is too broad, cluster-wide with no namespace / pod label condition. Make it namespace-scoped, add process credentials conditions, and run in staging for 48 hours before promoting</li>
<li><strong>kprobe rule breaks after a kernel upgrade</strong>: the hooked kernel function was renamed or its signature changed. Switch to tracepoints (stable interface), and put kprobes through version-dependent testing in staging</li>
<li><strong>Event volume explodes / SIEM ingestion cost spikes</strong>: the raw syscall hook has no in-kernel filter, so every <code>execve</code> becomes an event. Add an in-kernel filter (by pod label / process name) so filtering happens on the eBPF side rather than dropping after the fact</li>
<li><strong>Blast radius of a wrong inline enforcement rule is too large</strong>: <code>Sigkill</code> went straight to production without staging. Enforcement-action rules always go observe-only for 1 week, then staging cluster for 24-48 hours, then a canary namespace, and only then production</li>
<li><strong>Overlap or conflict with Cilium NetworkPolicy</strong>: the same attack pattern is blocked by network + process at once, logs duplicate, misjudgement follows. Design the two layers to cover <em>complementary faces</em> (network handles destination, process handles process spawn) rather than both covering the same face</li>
<li><strong>Non-K8s workloads cannot be onboarded</strong>: the Tetragon DaemonSet only runs on K8s, VM / bare metal is not supported. VM-heavy environments should go with <a href="/blog/backend/07-security-data-protection/vendors/falco/" data-link-title="Falco" data-link-desc="CNCF Graduated runtime cloud-native threat detection、eBPF / kmod driver、Rule YAML &#43; Falcosidekick &#43; Talon、K8s container runtime 偵測為主">Falco</a>; mixed K8s + VM runs a dual stack</li>
<li><strong>Incomplete Pod identity enrichment</strong>: some process events lack namespace / pod name. Usually the process spawned before the pod sandbox started, or a short-lived process exited too quickly; tune Tetragon's process cache lifetime and check K8s API server connection health</li>
</ul>
<h2 id="何時改走其他服務">When to Use Another Service Instead</h2>
<table>
  <thead>
      <tr>
          <th>Requirement shape</th>
          <th>Go with</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>VM-heavy / mostly non-K8s</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/falco/" data-link-title="Falco" data-link-desc="CNCF Graduated runtime cloud-native threat detection、eBPF / kmod driver、Rule YAML &#43; Falcosidekick &#43; Talon、K8s container runtime 偵測為主">Falco</a></td>
      </tr>
      <tr>
          <td>Already on Datadog observability</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &#43; CSPM &#43; CWS &#43; AAP &#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog Security</a> (Cloud Workload Security)</td>
      </tr>
      <tr>
          <td>Multi-cloud integrated CSPM/CWPP, compliance-driven</td>
          <td>Prisma Cloud Defender (commercial)</td>
      </tr>
      <tr>
          <td>SIEM-centric detection, no need for inline kill</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> / <a href="/blog/backend/07-security-data-protection/vendors/elastic-security/" data-link-title="Elastic Security" data-link-desc="Elastic Stack 上的 SIEM &#43; EDR &#43; Cloud Security 套件、OSS 起源、KQL/EQL/Lucene/ES|QL 多查詢語言、resource-based pricing">Elastic Security</a></td>
      </tr>
      <tr>
          <td>Endpoint EDR (user laptop / VDI)</td>
          <td>CrowdStrike Falcon / Microsoft Defender for Endpoint</td>
      </tr>
      <tr>
          <td>Detection coverage governance</td>
          <td><a href="/blog/backend/07-security-data-protection/detection-coverage-and-signal-governance/" data-link-title="7.13 偵測覆蓋率與訊號治理" data-link-desc="定義偵測覆蓋、訊號品質與誤報成本的治理問題">7.13 Detection Coverage and Signal Governance</a></td>
      </tr>
      <tr>
          <td>Incident routing</td>
          <td><a href="/blog/backend/08-incident-response/vendors/" data-link-title="事故處理 Vendor 清單" data-link-desc="規劃 on-call、incident response、status page 與 postmortem 工具的服務頁撰寫順序與判準">8 Incident Response Vendor List</a></td>
      </tr>
  </tbody>
</table>
<h2 id="不在本頁內的主題">Topics Not Covered on This Page</h2>
<ul>
<li>Full TracingPolicy CRD field reference and a kprobe / tracepoint authoring cookbook</li>
<li>Writing Cilium NetworkPolicy (belongs to network governance, a different chapter)</li>
<li>eBPF kernel programming internals and verifier limits</li>
<li>Commercial integration details between Isovalent Enterprise and Cilium Service Mesh</li>
<li>Hubble UI operation (observability perspective, a different chapter)</li>
</ul>
<h2 id="案例回寫">Case Write-back</h2>
<p>Tetragon has no direct vendor-level incident in the Module 07 case library, but every runtime detection + supply chain case is a counterpoint for eBPF inline enforcement:</p>
<table>
  <thead>
      <tr>
          <th>Case</th>
          <th>Relationship to Tetragon (comparative lesson)</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/log4shell-cve-2021-44228-component-chain/" data-link-title="7.R7.2.7 Log4Shell 2021：共用元件風險與修補鏈" data-link-desc="共用元件漏洞如何同步影響多服務，並迫使團隊建立依賴治理 workflow">Log4Shell CVE-2021-44228</a></td>
          <td>A TracingPolicy can hook the syscalls related to JNDI lookup and, paired with <code>Sigkill</code>, kill the exploit process outright, which is harder to bypass than a userspace WAF</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/solarwinds-2020-sunburst/" data-link-title="7.R7.2.1 SolarWinds 2020：更新鏈被濫用" data-link-desc="合法更新流程遭植入後，攻擊者如何長期潛伏與橫向擴散">SolarWinds 2020 Sunburst</a></td>
          <td>Process credentials drift detection gives early lateral-movement alerting; when signature verification passes but runtime behaviour is anomalous, a runtime baseline has to fill the gap</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/3cx-2023-desktopapp-supply-chain/" data-link-title="7.R7.2.8 3CX 2023：桌面軟體更新鏈攻擊" data-link-desc="合法更新流程被植入後，桌面端供應鏈事件如何傳到企業端點">3CX 2023 Desktop App Supply Chain</a></td>
          <td>Detect the desktop app's anomalous outbound traffic; Tetragon catches the process and Cilium NetworkPolicy blocks the destination on its own layer, so two-layer enforcement breaks the attack chain</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/detection-engineering-lifecycle/" data-link-title="7.B5 Detection Engineering Lifecycle" data-link-desc="把偵測規則視為可維護資產，建立從來源、測試、調校到退場的完整生命週期">Detection Engineering Lifecycle (section)</a></td>
          <td>TracingPolicy CRDs go through GitOps + PR review + staging tuning + canary rollout; inline enforcement must not be edited directly in a console</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/alert-fatigue-and-signal-quality/" data-link-title="7.B10 Alert Fatigue and Signal Quality" data-link-desc="建立告警疲勞治理方法，讓訊號品質、分級一致性與處置效率同步提升">Alert Fatigue and Signal Quality (section)</a></td>
          <td>Collect the baseline in the observe-only stage first, control event volume with in-kernel filters, promote only high-confidence patterns to enforcement, and avoid double fatigue from alerts and logs</td>
      </tr>
  </tbody>
</table>
<h2 id="下一步路由">Next-Step Routing</h2>
<ul>
<li>Upstream: <a href="/blog/backend/07-security-data-protection/detection-coverage-and-signal-governance/" data-link-title="7.13 偵測覆蓋率與訊號治理" data-link-desc="定義偵測覆蓋、訊號品質與誤報成本的治理問題">7.13 Detection Coverage and Signal Governance</a>, <a href="/blog/backend/07-security-data-protection/blue-team/detection-engineering-lifecycle/" data-link-title="7.B5 Detection Engineering Lifecycle" data-link-desc="把偵測規則視為可維護資產，建立從來源、測試、調校到退場的完整生命週期">Detection Engineering Lifecycle</a></li>
<li>Parallel: <a href="/blog/backend/07-security-data-protection/vendors/falco/" data-link-title="Falco" data-link-desc="CNCF Graduated runtime cloud-native threat detection、eBPF / kmod driver、Rule YAML &#43; Falcosidekick &#43; Talon、K8s container runtime 偵測為主">Falco</a>, <a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Datadog observability platform 上的 security suite：Cloud SIEM &#43; CSPM &#43; CWS &#43; AAP &#43; Sensitive Data Scanner、跟 observability 同 plane">Datadog Security</a></li>
<li>Downstream: <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="業界 SIEM 標準、forwarder &#43; indexer &#43; search head 架構、SPL 為核心查詢語言、ingestion-based 計費跟偵測覆蓋率的 trade-off">Splunk</a> / <a href="/blog/backend/07-security-data-protection/vendors/elastic-security/" data-link-title="Elastic Security" data-link-desc="Elastic Stack 上的 SIEM &#43; EDR &#43; Cloud Security 套件、OSS 起源、KQL/EQL/Lucene/ES|QL 多查詢語言、resource-based pricing">Elastic Security</a> (Tetragon events flow into the SIEM for cross-source correlation)</li>
<li>Cross-category: <a href="/blog/backend/07-security-data-protection/vendors/cloudflare-waf/" data-link-title="Cloudflare WAF" data-link-desc="Edge WAF &#43; DDoS &#43; Bot management 整合套件、global anycast 網路、控制面信任邊界跟客戶側補強的對照">Cloudflare WAF</a> (blocking at the network edge + the process layer filling in), <a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">HashiCorp Vault</a> (credentials drift paired with secret rotation)</li>
<li>Cross-module: <a href="/blog/backend/08-incident-response/vendors/" data-link-title="事故處理 Vendor 清單" data-link-desc="規劃 on-call、incident response、status page 與 postmortem 工具的服務頁撰寫順序與判準">8 Incident Response Vendor List</a> (runtime alert → IR routing), <a href="/blog/backend/04-observability/" data-link-title="模組四：可觀測性平台" data-link-desc="整理 log、metric、trace、dashboard 與 alert 的後端操作實務">4 Observability</a> (shared Hubble + Tetragon event pipeline)</li>
<li>Official: <a href="https://tetragon.io/">Tetragon Documentation</a>, <a href="https://cilium.io/">Cilium Project</a></li>
</ul>
]]></content:encoded></item></channel></rss>