<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Falco on Tarragon</title><link>https://tarrragon.github.io/blog/tags/falco/</link><description>Recent content in Falco on Tarragon</description><generator>Hugo -- gohugo.io</generator><language>zh-TW</language><copyright>Tarragon (CC BY 4.0)</copyright><lastBuildDate>Mon, 18 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://tarrragon.github.io/blog/tags/falco/index.xml" rel="self" type="application/rss+xml"/><item><title>Falco</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/falco/</link><pubDate>Mon, 18 May 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/falco/</guid><description>&lt;p>Falco is the CNCF Graduated runtime threat-detection engine for cloud-native workloads, originally open-sourced by Sysdig under the Apache 2.0 license. On hosts and containers it captures syscalls with eBPF (or the legacy eBPF probe / kernel module on older kernels), merges them with the audit-log events that plugins pull in into one event stream, hands that stream to the rule engine to match against YAML rules, and on a hit sends an alert to stdout / Falcosidekick / a SIEM. Against the runtime modules of commercial CNAPPs (&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Security suite on the Datadog observability platform: Cloud SIEM + CSPM + CWS + AAP + Sensitive Data Scanner, on the same plane as observability">Datadog CWS&lt;/a> / &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/lacework/" data-link-title="Lacework" data-link-desc="CNAPP built on the Polygraph ML behavioral-baseline approach; merged with Fortinet in 2024 as FortiCNAPP; learns normal automatically and alerts on anomalies">Lacework Polygraph&lt;/a> / &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/prisma-cloud/" data-link-title="Prisma Cloud" data-link-desc="Palo Alto CNAPP; agent (Defender) + agentless dual track; five modules (Compute / CSPM / Code / Data / CIEM); strong compliance templates">Prisma Cloud Defender&lt;/a>) the difference is &lt;em>OSS rule-based vs SaaS ML-based, platform breadth, and who owns the engineering of automated response&lt;/em>; the detection technology itself is similar.&lt;/p>
&lt;h2 id="服務定位">服務定位&lt;/h2>
&lt;p>Falco's core positioning is &lt;em>the OSS baseline for K8s container runtime detection&lt;/em>; it is not a full CNAPP and not inline enforcement. The capture layer has three kernel-side drivers: &lt;em>modern eBPF&lt;/em> (&lt;code>modern_ebpf&lt;/code>, CO-RE, Linux 5.8+ with BTF, the default on current releases), the &lt;em>legacy eBPF probe&lt;/em> (&lt;code>ebpf&lt;/code>, for older kernels that still support eBPF) and the &lt;em>kernel module&lt;/em> (&lt;code>kmod&lt;/code>, the fallback for kernels without usable eBPF). &lt;em>pdig&lt;/em>, a ptrace-based userspace instrumentation for Linux environments where no kernel code can be loaded (AWS Fargate being the canonical case), sits outside these three and is not a production path. The driver captures syscalls and feeds the Falco engine; plugins feed it K8s audit / cloud audit events; the engine matches the stream against YAML rules written in the Sysdig filter syntax and emits alerts on hits. The plugin system lets Falco see non-syscall events (K8s audit log, Okta events, GitHub audit log, AWS CloudTrail), which makes it a &lt;em>general detection engine&lt;/em>, not just host runtime.&lt;/p>
&lt;p>Compared with &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/cilium-tetragon/" data-link-title="Cilium Tetragon" data-link-desc="eBPF-based runtime security + inline enforcement; same ecosystem as Cilium CNI; TracingPolicy CRD; process credentials tracking + KillerAction">Cilium Tetragon&lt;/a>, Falco is &lt;em>rule engine + alert-only&lt;/em> while Tetragon is &lt;em>eBPF + enforceable kill action&lt;/em>: Falco is detection-first, Tetragon is detection + protection. Compared with &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Security suite on the Datadog observability platform: Cloud SIEM + CSPM + CWS + AAP + Sensitive Data Scanner, on the same plane as observability">Datadog Security&lt;/a> (CWS), Datadog adds a runtime-security view on top of SaaS observability with an ML-based behavioral baseline built in, at the price of vendor lock-in and per-host billing; Falco is self-managed OSS with fully writable rules, but ML baselines / threat intel / cross-source correlation have to come from the SIEM you wire it into. Compared with &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/lacework/" data-link-title="Lacework" data-link-desc="CNAPP built on the Polygraph ML behavioral-baseline approach; merged with Fortinet in 2024 as FortiCNAPP; learns normal automatically and alerts on anomalies">Lacework&lt;/a> Polygraph, Lacework builds its baseline automatically from a behavior graph, whereas Falco is rule-explicit: the boundary is visible and easy to audit.&lt;/p></description><content:encoded><![CDATA[<p>Falco is the CNCF Graduated runtime threat-detection engine for cloud-native workloads, originally open-sourced by Sysdig under the Apache 2.0 license. On hosts and containers it captures syscalls with eBPF (or the legacy eBPF probe / kernel module on older kernels), merges them with the audit-log events that plugins pull in into one event stream, hands that stream to the rule engine to match against YAML rules, and on a hit sends an alert to stdout / Falcosidekick / a SIEM. Against the runtime modules of commercial CNAPPs (<a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Security suite on the Datadog observability platform: Cloud SIEM + CSPM + CWS + AAP + Sensitive Data Scanner, on the same plane as observability">Datadog CWS</a> / <a href="/blog/backend/07-security-data-protection/vendors/lacework/" data-link-title="Lacework" data-link-desc="CNAPP built on the Polygraph ML behavioral-baseline approach; merged with Fortinet in 2024 as FortiCNAPP; learns normal automatically and alerts on anomalies">Lacework Polygraph</a> / <a href="/blog/backend/07-security-data-protection/vendors/prisma-cloud/" data-link-title="Prisma Cloud" data-link-desc="Palo Alto CNAPP; agent (Defender) + agentless dual track; five modules (Compute / CSPM / Code / Data / CIEM); strong compliance templates">Prisma Cloud Defender</a>) the difference is <em>OSS rule-based vs SaaS ML-based, platform breadth, and who owns the engineering of automated response</em>; the detection technology itself is similar.</p>
<h2 id="服務定位">Positioning</h2>
<p>Falco's core positioning is <em>the OSS baseline for K8s container runtime detection</em>; it is not a full CNAPP and not inline enforcement. The capture layer has three kernel-side drivers: <em>modern eBPF</em> (<code>modern_ebpf</code>, CO-RE, Linux 5.8+ with BTF, the default on current releases), the <em>legacy eBPF probe</em> (<code>ebpf</code>, for older kernels that still support eBPF) and the <em>kernel module</em> (<code>kmod</code>, the fallback for kernels without usable eBPF). <em>pdig</em>, a ptrace-based userspace instrumentation for Linux environments where no kernel code can be loaded (AWS Fargate being the canonical case), sits outside these three and is not a production path. The driver captures syscalls and feeds the Falco engine; plugins feed it K8s audit / cloud audit events; the engine matches the stream against YAML rules written in the Sysdig filter syntax and emits alerts on hits. The plugin system lets Falco see non-syscall events (K8s audit log, Okta events, GitHub audit log, AWS CloudTrail), which makes it a <em>general detection engine</em>, not just host runtime.</p>
<p>Compared with <a href="/blog/backend/07-security-data-protection/vendors/cilium-tetragon/" data-link-title="Cilium Tetragon" data-link-desc="eBPF-based runtime security + inline enforcement; same ecosystem as Cilium CNI; TracingPolicy CRD; process credentials tracking + KillerAction">Cilium Tetragon</a>, Falco is <em>rule engine + alert-only</em> while Tetragon is <em>eBPF + enforceable kill action</em>: Falco is detection-first, Tetragon is detection + protection. Compared with <a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Security suite on the Datadog observability platform: Cloud SIEM + CSPM + CWS + AAP + Sensitive Data Scanner, on the same plane as observability">Datadog Security</a> (CWS), Datadog adds a runtime-security view on top of SaaS observability with an ML-based behavioral baseline built in, at the price of vendor lock-in and per-host billing; Falco is self-managed OSS with fully writable rules, but ML baselines / threat intel / cross-source correlation have to come from the SIEM you wire it into. Compared with <a href="/blog/backend/07-security-data-protection/vendors/lacework/" data-link-title="Lacework" data-link-desc="CNAPP built on the Polygraph ML behavioral-baseline approach; merged with Fortinet in 2024 as FortiCNAPP; learns normal automatically and alerts on anomalies">Lacework</a> Polygraph, Lacework builds its baseline automatically from a behavior graph, whereas Falco is rule-explicit: the boundary is visible and easy to audit.</p>
<p>The key tensions: <em>detection vs protection</em> and <em>rule-explicit vs ML-baseline</em> are two separate trade-off axes. By default Falco only emits alerts; inline kill / cordon needs Falco Talon or an external SOAR. Fully writable rules are both the strength and the burden: your own anti-patterns have to be written as conditions by your own team, whereas a SaaS CNAPP ships with an ML baseline out of the box.</p>
<h2 id="本章目標">Goals of this chapter</h2>
<p>After reading this page, the reader should be able to judge:</p>
<ol>
<li>Which segment of the K8s runtime security stack Falco covers (syscall detection / audit-log detection / alert forwarding) and what has to be wired in from outside (Talon / SIEM / SOAR)</li>
<li>How the driver choice (modern eBPF / legacy eBPF / kmod) maps to the kernel environment and deployment model, and why the wrong choice silently misses events</li>
<li>Ownership design for rule authoring (who writes, who reviews, how staging observes false positives)</li>
<li>When to use Falco, and when to switch to Tetragon (enforcement needed) or a commercial CNAPP (ML baseline + multi-cloud posture needed)</li>
</ol>
<h2 id="最短判讀路徑">Shortest assessment path</h2>
<p>To judge whether a Falco deployment is healthy, look at four things at minimum:</p>
<ul>
<li><strong>Driver matches the kernel environment</strong>: modern eBPF on 5.8+ with BTF, legacy eBPF probe or kmod on older kernels; a driver that does not match the kernel means silent misses. Check the startup log for which engine was opened, confirm <code>falco --version</code> reports the expected driver version, and prove capture end to end by triggering a built-in rule from a test container (reading a sensitive file such as <code>/etc/shadow</code> should fire the built-in sensitive-file rule) and watching the alert arrive</li>
<li><strong>Rule ownership and lifecycle</strong>: do the built-in rules (<code>falco_rules.yaml</code> / <code>k8s_audit_rules.yaml</code>) plus your custom rules go through Git PR review, run for hours in a staging tenant to observe false positives, and only then get promoted to production</li>
<li><strong>Alert sink + downstream routing</strong>: Falco's built-in outputs are stdout / file / syslog / HTTP / gRPC; production almost always sends to Falcosidekick for fan-out (Slack / SIEM / S3 / webhook), and the handoff into <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="Industry-standard SIEM; forwarder + indexer + search head architecture; SPL as the core query language; trade-off between ingestion-based pricing and detection coverage">Splunk</a> / <a href="/blog/backend/07-security-data-protection/vendors/elastic-security/" data-link-title="Elastic Security" data-link-desc="SIEM + EDR + Cloud Security suite on the Elastic Stack; OSS origins; KQL/EQL/Lucene/ES|QL query languages; resource-based pricing">Elastic Security</a> / <a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Security suite on the Datadog observability platform: Cloud SIEM + CSPM + CWS + AAP + Sensitive Data Scanner, on the same plane as observability">Datadog Security</a> is explicit</li>
<li><strong>Response is alert-only or has enforcement</strong>: alert-only goes through the <a href="/blog/backend/08-incident-response/" data-link-title="Module 8: Incident Response and Postmortems" data-link-desc="Builds problem nodes from IR domain vocabulary and accumulates incident context in a service-level case library; concepts and cases first, implementation handoff after">8 Incident Response</a> routing; automatic kill pod / cordon node needs Falco Talon or a SOAR, and every high-impact action goes through an approval gate</li>
</ul>
<p>If any of the four is missing, it is an open item at the boundary of <a href="/blog/backend/07-security-data-protection/detection-coverage-and-signal-governance/" data-link-title="7.13 Detection Coverage and Signal Governance" data-link-desc="Defines the governance problem of detection coverage, signal quality and false-positive cost">Detection Coverage and Signal Governance</a>.</p>
<h2 id="日常操作與決策形狀">Day-to-day operation and decision shape</h2>
<p><strong>Driver layer</strong>: Falco has three kernel-side drivers. <em>modern eBPF</em> (CO-RE, Linux 5.8+ with BTF, the default, no kernel headers needed), the <em>legacy eBPF probe</em> (older kernels that still have eBPF; the probe is built against the exact kernel or fetched prebuilt with <code>falcoctl driver</code>) and the <em>kernel module</em> (kmod; the only option on kernels without usable eBPF, built with DKMS against the kernel headers). Separately, <em>pdig</em> is a ptrace-based userspace instrumentation for Linux environments where you cannot load kernel code at all (such as AWS Fargate); it is slow and not a production path. Production K8s deployments almost all run modern eBPF as a DaemonSet on every node and fall back to the legacy probe or kmod only where the kernel is too old; do not mix drivers across a fleet, or alert sources become hard to reconcile.</p>
<p><strong>Rule YAML structure</strong>: a Falco rule is made of <code>condition</code> (Sysdig filter syntax, like a SQL WHERE clause), <code>output</code> (alert template with field interpolation), <code>priority</code> (emergency / alert / critical / error / warning / notice / informational / debug) and <code>tags</code> (MITRE / CIS / NIST mapping). <code>condition</code> is tightly coupled to Linux syscalls (<code>evt.type=execve</code>, <code>fd.name=/etc/passwd</code>, <code>proc.name=nc</code>), so the rule engineer has to know syscalls and the process tree. <code>macro</code> and <code>list</code> make rules reusable (<code>macro: container_started</code> / <code>list: shell_binaries</code>); a production rule library should be macro-first rather than rewriting the condition in every rule.</p>
<p><strong>Plugin ecosystem</strong>: plugins extend Falco from host syscalls to arbitrary event sources. The <em>k8saudit</em> plugin ingests the K8s API server audit log (RBAC changes, Secret access), <em>cloudtrail</em> ingests AWS CloudTrail, <em>okta</em> ingests the Okta system log, <em>github</em> ingests the GitHub audit log. Plugins make Falco a <em>general detection engine</em> rather than container runtime only, but plugin event sources overlap with the SIEM, so ownership must be explicit: <em>Falco does near-host real-time detection, the SIEM does cross-source historical correlation</em>; do not run the same rule on both sides.</p>
<p><strong>Falcosidekick + alert fan-out</strong>: the Falco engine writes to stdout / file / HTTP / gRPC out of the box; production sends alerts to Falcosidekick (next to the DaemonSet or as its own Deployment) for fan-out, so the same alert goes at once to Slack (SOC chat), Splunk HEC / Elastic / Loki (SIEM persistence), S3 (compliance archive), a webhook (in-house dashboard) and Prometheus (metrics). Sidekick is a stateless forwarder that does no dedup or aggregation; that layer belongs in the SIEM.</p>
<p><strong>Falco Talon + automated response</strong>: Talon is a response orchestrator; it receives events from Falcosidekick's Talon output and executes the actions declared per rule: terminate pod, cordon node, add a NetworkPolicy, call a webhook to notify a SOAR. Talon turns <em>detect → respond</em> from a manual SOC playbook into declarative YAML, but high-impact actions (terminating a prod pod, cordoning a node) must go through an approval gate or be restricted to staging namespaces; never fire-and-forget. This matches the chapter principle in <a href="/blog/backend/07-security-data-protection/blue-team/detection-to-response-routing/" data-link-title="7.B2 Detection to Response Routing" data-link-desc="Outline of how security detection signals turn into triage, severity, escalation and incident workflow">Detection to Response Routing</a>.</p>
<p><strong>Helm chart deployment + GitOps</strong>: the official Falco Helm chart bundles the DaemonSet (Falco engine + driver), the Falcosidekick Deployment, the ConfigMap with the rule YAML, and ServiceAccount + RBAC. Production deployments sync Helm values via Argo CD / Flux; rule YAML goes through Git PR review, the merge triggers a staging tenant deploy, a human watches false positives for 24-48 hours, then promotes to production. Editing the ConfigMap directly, outside version control, is detection drift that the next audit cannot reconstruct.</p>
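<p>As an added example (not code from the page or from the Falco project), here is what the driver, fan-out and GitOps points above look like as one set of values for the official falcosecurity/falco Helm chart: one driver kind for the whole fleet, JSON output to Falcosidekick, a per-sink minimum priority so SOC chat sees less than the SIEM does, a Talon endpoint that only receives the tiers it may act on, and a customRules file that is the artifact the Git PR review gates. The cluster name, hostnames, bucket and URLs are placeholders; the value keys follow the chart and Falcosidekick configuration as I know them, so check them against the chart version you deploy.</p>

```yaml
# values.yaml for the falcosecurity/falco Helm chart. Added example, not from the page
# or the Falco project. Cluster name, hostnames, bucket and URLs are placeholders.

driver:
  enabled: true
  kind: modern_ebpf            # one kind for the whole fleet: modern_ebpf | ebpf | kmod

falco:
  json_output: true            # Falcosidekick and every SIEM parse the JSON form
  json_include_output_property: true
  priority: informational      # engine-wide floor; per-sink floors live in Falcosidekick
  stdout_output:
    enabled: true              # node-local evidence survives even if the forwarder is down
  http_output:
    enabled: true              # URL left unset: the chart points it at the Falcosidekick
                               # service when falcosidekick.enabled is true (verify for
                               # your chart version)

# Mounted under /etc/falco/rules.d. This file is the artifact the Git PR review gates;
# nobody edits the rendered ConfigMap by hand.
customRules:
  custom-rules.yaml: |-
    # rule bodies are maintained in the GitOps repo and rendered here by Argo CD / Flux

falcosidekick:
  enabled: true
  config:
    customfields: "cluster:prod-eu-1,env:prod"   # key:value pairs added to every alert
    slack:
      webhookurl: "https://hooks.slack.com/services/REPLACE_ME"
      minimumpriority: "warning"       # SOC chat only sees Warning and above
    elasticsearch:
      hostport: "https://elastic.internal.example:9200"
      index: "falco"
      minimumpriority: "informational" # the SIEM keeps everything, including tuning noise
    aws:
      s3:
        bucket: "falco-alerts-archive-example"
        prefix: "prod-eu-1"
        minimumpriority: "notice"      # compliance archive
    webhook:
      address: "https://dashboard.internal.example/falco"
      minimumpriority: "notice"
    talon:
      address: "http://falco-talon.falco.svc:2803"
      minimumpriority: "warning"       # the responder never sees Informational / Notice
```

<p>The only thing that should ever run <code>helm upgrade --install falco falcosecurity/falco -n falco -f values.yaml</code> is the GitOps controller; a human running it against a cluster is the same drift as editing the ConfigMap. Because each sink has its own floor, a new rule can sit at Informational for its staging observation window and show up only in the SIEM index, never in Slack and never at Talon.</p>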
<p><strong>Integration with the SIEM / 8 Incident Response</strong>: once Falco alerts reach <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="Industry-standard SIEM; forwarder + indexer + search head architecture; SPL as the core query language; trade-off between ingestion-based pricing and detection coverage">Splunk</a> / <a href="/blog/backend/07-security-data-protection/vendors/elastic-security/" data-link-title="Elastic Security" data-link-desc="SIEM + EDR + Cloud Security suite on the Elastic Stack; OSS origins; KQL/EQL/Lucene/ES|QL query languages; resource-based pricing">Elastic Security</a> / <a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Security suite on the Datadog observability platform: Cloud SIEM + CSPM + CWS + AAP + Sensitive Data Scanner, on the same plane as observability">Datadog Security</a> via Falcosidekick, they flow through the same correlation + triage pipeline as every other detection signal, not a separate channel. Notable / high-priority alerts enter the <a href="/blog/backend/08-incident-response/" data-link-title="Module 8: Incident Response and Postmortems" data-link-desc="Builds problem nodes from IR domain vocabulary and accumulates incident context in a service-level case library; concepts and cases first, implementation handoff after">8 Incident Response</a> IR queue and go through the incident-commander handoff.</p>
<h2 id="核心取捨表">Core trade-off table</h2>
<table>
  <thead>
      <tr>
          <th>Trade-off dimension</th>
          <th>Falco</th>
          <th>Cilium Tetragon</th>
          <th>Datadog CWS</th>
          <th>Lacework Polygraph</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>License</td>
          <td>Apache 2.0 OSS</td>
          <td>Apache 2.0 OSS</td>
          <td>Commercial SaaS</td>
          <td>Commercial SaaS</td>
      </tr>
      <tr>
          <td>Detection model</td>
          <td>Rule-explicit (YAML + Sysdig filter)</td>
          <td>Rule-explicit (YAML + TracingPolicy)</td>
          <td>ML-based behavioral baseline + rules</td>
          <td>Behavior graph, automatic baseline</td>
      </tr>
      <tr>
          <td>Enforcement</td>
          <td>Alert-only (Talon adds response)</td>
          <td>Inline enforce (kill / signal, can block)</td>
          <td>Inline enforce (Datadog Agent)</td>
          <td>Alert + workload baseline drift</td>
      </tr>
      <tr>
          <td>Driver</td>
          <td>modern eBPF / legacy eBPF / kmod</td>
          <td>eBPF only (Cilium ecosystem)</td>
          <td>eBPF (Datadog Agent)</td>
          <td>eBPF (Lacework Agent)</td>
      </tr>
      <tr>
          <td>Coverage</td>
          <td>Container + host + plugins (audit logs)</td>
          <td>Container + host (network via Cilium integration)</td>
          <td>Container + host + cloud + app</td>
          <td>Cloud + container + workload + IaC posture</td>
      </tr>
      <tr>
          <td>Cross-source</td>
          <td>Via plugins + Falcosidekick → SIEM</td>
          <td>Via Cilium Hubble + external SIEM</td>
          <td>Built in (Datadog observability plane)</td>
          <td>Built in (Polygraph graph)</td>
      </tr>
      <tr>
          <td>Learning curve</td>
          <td>Medium: Sysdig filter + macros</td>
          <td>Medium: TracingPolicy + Cilium knowledge</td>
          <td>Gentle: reuses the Datadog UI / Workload Security</td>
          <td>Gentle: SaaS console</td>
      </tr>
      <tr>
          <td>Best fit</td>
          <td>OSS-first, SIEM already deployed, rules must be fully writable</td>
          <td>Inline enforcement needed, Cilium CNI already in use</td>
          <td>Datadog already in use, cloud-native, budget allows</td>
          <td>CNAPP + posture in one, multi-cloud</td>
      </tr>
      <tr>
          <td>Exit cost</td>
          <td>Low to medium: rules are plain YAML in Git, but the condition syntax is Falco-specific, so moving to another engine means rewriting conditions rather than converting from Sigma</td>
          <td>Medium: TracingPolicy is tied to Cilium</td>
          <td>High: Workload Security rules are tied to the platform</td>
          <td>High: Polygraph data is tied to the platform</td>
      </tr>
  </tbody>
</table>
<p>The core case for choosing Falco: <em>K8s container runtime detection, OSS + rule-customizable, SIEM already deployed, and a SOC with a detection engineer who can write Sysdig filter rules</em>. For inline enforcement go straight to Tetragon; for an ML baseline + multi-cloud posture without self-managing the rule lifecycle, go straight to Datadog CWS / Lacework / <a href="/blog/backend/07-security-data-protection/vendors/wiz/" data-link-title="Wiz" data-link-desc="Agentless CNAPP; Security Graph + Toxic Combination risk prioritization; API-only scanning, no workload agent">Wiz</a> + <a href="/blog/backend/07-security-data-protection/vendors/crowdstrike-falcon-cs/" data-link-title="CrowdStrike Falcon Cloud Security" data-link-desc="CrowdStrike's CNAPP on top of Falcon endpoint EDR; one agent across endpoint + workload + container; CrowdStrike Intelligence built in">CrowdStrike Falcon CS</a>.</p>
<h2 id="進階主題">Advanced topics</h2>
<p><strong>Custom rule design</strong>: a production rule library should be <em>macro-first</em>: pull reusable conditions into macros (<code>container_started</code> / <code>sensitive_mount</code> / <code>shell_in_container</code>) and lists (<code>shell_binaries</code> / <code>sensitive_files</code>); rules reference the macro instead of rewriting the condition, so changing the macro updates every rule that uses it. The rule anti-pattern is the <em>single-event noisy rule</em> (alert on every shell exec). Production rules should be <em>context-bounded</em> (shell exec <strong>in a container</strong> + parent <strong>not on the allowlist</strong> + image <strong>not from a trusted registry</strong>) and follow a priority ladder (production Notice, staging Warning, new rules start at Informational for observation).</p>
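<p>An added example, not taken from the page or from the falcosecurity/rules repository, that puts the rule-structure, plugin and custom-rule-design points together in one rules file: the noisy single-event rule kept for contrast but disabled, the context-bounded replacement built from lists and macros with an exception for a sandbox namespace and the new-rule Informational priority, and one k8saudit-sourced rule to show that plugin events use the same file format with a different field namespace. The registry name, the allowed parent processes and the namespace names are assumptions; the field and operator names (<code>proc.pname</code>, <code>container.image.repository</code>, <code>ka.*</code>, <code>startswith</code>, <code>exceptions</code>) are Falco's own.</p>

```yaml
# custom-rules.yaml. Added example, not from the page or the falcosecurity/rules repo.
# Assumed for this example: registry.example.com, the allowed_shell_parents entries,
# and the dev-sandbox / kube-system namespaces.

- list: shell_binaries
  items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash]

- list: allowed_shell_parents
  items: [entrypoint.sh, supervisord]      # assumed: the parents your images legitimately use

- macro: spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir=<)

- macro: in_container
  condition: (container.id != host)

- macro: shell_exec
  condition: (proc.name in (shell_binaries))

- macro: from_trusted_registry
  condition: (container.image.repository startswith "registry.example.com/")

# Anti-pattern kept for contrast and disabled: one event, no context. Every CI job and
# every legitimate `kubectl exec` debug session becomes an alert.
- rule: Shell spawned (noisy)
  desc: Any shell exec on the host or in any container
  condition: spawned_process and shell_exec
  output: Shell spawned (user=%user.name cmdline=%proc.cmdline)
  priority: WARNING
  enabled: false
  tags: [example, noisy]

# Context-bounded replacement: in a container, parent outside the known process tree,
# image not from our registry. Changing a macro above changes this rule with it.
- rule: Shell spawned in container from untrusted parent
  desc: >
    Interactive shell in a container whose parent process is not part of the image's
    known process tree and whose image does not come from the trusted registry.
  condition: >
    spawned_process and in_container and shell_exec
    and not proc.pname in (allowed_shell_parents)
    and not from_trusted_registry
  output: >
    Shell in container from untrusted parent
    (user=%user.name parent=%proc.pname cmdline=%proc.cmdline
    image=%container.image.repository:%container.image.tag
    ns=%k8s.ns.name pod=%k8s.pod.name container_id=%container.id)
  priority: INFORMATIONAL   # new rule: observe in staging first, raise to NOTICE / WARNING after tuning
  tags: [container, shell, mitre_execution, T1059]
  exceptions:
    - name: sandbox_namespace    # assumed: a namespace where engineers are expected to exec in
      fields: [k8s.ns.name]
      comps: [=]
      values:
        - [dev-sandbox]

# Plugin-sourced rule: same file, different event source and field namespace (ka.*).
# Human principals (not system: accounts) reading Secrets outside kube-system.
- rule: Secret read by human user
  desc: A non-service-account principal read or listed a Secret outside kube-system
  condition: >
    ka.verb in (get, list) and ka.target.resource=secrets
    and not ka.user.name startswith "system:"
    and not ka.target.namespace=kube-system
  output: >
    Secret read by human user (user=%ka.user.name verb=%ka.verb
    ns=%ka.target.namespace secret=%ka.target.name)
  priority: NOTICE
  source: k8s_audit
  tags: [k8s, secrets, mitre_credential_access]
```

<p>Run <code>falco --validate custom-rules.yaml</code> in the PR pipeline so a syntax or unknown-field error fails the merge rather than the DaemonSet rollout. During the staging window, count alerts per rule name in the SIEM before touching the priority: if the context-bounded rule still fires on legitimate traffic, the fix is another list entry or exception, not a lower priority.</p>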
<p><strong>eBPF driver vs kmod trade-off</strong>: modern eBPF uses CO-RE (Compile Once, Run Everywhere): no per-kernel build, attached dynamically at runtime, but it needs kernel 5.8+ with BTF exposed. The legacy eBPF probe and kmod are built against the exact kernel version (DKMS on the host for kmod, or a prebuilt artifact fetched by <code>falcoctl driver</code>), so every kernel upgrade means a rebuild or re-download. Every current Linux distribution should default to modern eBPF; only kernels older than 5.8 or shipped without BTF (RHEL 7, old Ubuntu LTS) justify the legacy probe or kmod. pdig is a ptrace-based userspace instrumentation for Linux environments with no kernel access (some serverless container platforms); it is slow, Linux-only, and not suitable for production.</p>
<p><strong>Falco Talon automated response design</strong>: Talon makes "Falco alert → automatic response" declarative; each action in a Talon rule maps to an actioner such as <em>kubernetes:terminate</em>, <em>kubernetes:label</em>, <em>kubernetes:cordon</em>, <em>kubernetes:networkpolicy</em>, <em>calico:networkpolicy</em>, or <em>aws:lambda</em> for cloud-side responses (for example a function that disables an IAM user); the actioner catalogue is versioned, so check the Talon docs for the release you deploy. The principles for running Talon in production: <em>high-impact actions go through an approval gate</em> (PagerDuty incident → human approval → execute), <em>containment first, not deletion</em> (label + isolate or cordon first, let a human decide on termination), <em>bounded blast radius</em> (only specific namespaces / label selectors), and an <em>audit trail</em> (every action lands in Splunk + the IR queue).</p>
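<p>As an added example, not from the page or from the Talon project, here is a Talon rules file that encodes containment-first and bounded blast radius. It swaps the page's cordon step for a pod-scoped NetworkPolicy (<code>kubernetes:networkpolicy</code>), because cordoning only stops new scheduling on the node and does not cut the suspicious pod's egress. The namespace names, the label key and the matched Falco rule name are assumptions; the field names follow the Talon rule format as I know it and the actioner parameters change between releases, so verify them against the docs for the version you run. The approval gate is deliberately not a Talon feature here: termination in prod is left out of the automated path and stays a human decision taken from the IR queue.</p>

```yaml
# rules.yaml for Falco Talon. Added example, not from the page or the Talon project.
# Assumed: the Falco rule name being matched, the namespace names, the label key and
# the cluster CIDR. Verify actioner names and parameters against your Talon version.

- action: tag-pod-as-suspicious
  actionner: kubernetes:label
  parameters:
    labels:
      security.example.com/suspicious: "true"   # lets the SOC find the pod and lets a
                                                # pre-existing NetworkPolicy select it

- action: isolate-pod
  actionner: kubernetes:networkpolicy
  parameters:
    allow_cidr:
      - "10.0.0.0/8"        # assumed cluster-internal range; internet egress is cut

- action: terminate-pod
  actionner: kubernetes:terminate
  parameters:
    grace_period_seconds: 0
    ignore_daemonsets: true     # never "terminate" something the controller recreates
    ignore_statefulsets: true   # on the same node a second later

# Production: containment only, and never in kube-system. Deleting the workload is a
# decision a human makes from the IR queue after looking at the labelled pod.
- rule: Contain untrusted shell in prod
  match:
    rules:
      - Shell spawned in container from untrusted parent   # assumed Falco rule name
    priority: ">=Warning"
    output_fields:
      - k8s.ns.name!=kube-system
  actions:
    - action: tag-pod-as-suspicious
    - action: isolate-pod

# Staging only: automatic termination is allowed, but the blast radius is bounded by
# namespace, so a mistuned rule can at most kill staging pods.
- rule: Terminate untrusted shell in staging
  match:
    rules:
      - Shell spawned in container from untrusted parent   # assumed Falco rule name
    priority: ">=Warning"
    output_fields:
      - k8s.ns.name=staging
  actions:
    - action: tag-pod-as-suspicious
    - action: terminate-pod
```

<p>Two things make this safe to run unattended: the prod rule only labels and isolates, and both rules match on <code>priority: ">=Warning"</code>, so a new Falco rule sitting at Informational during its staging window never triggers an action. Every Talon action still has to be shipped to the SIEM alongside the Falco alert that caused it, or the audit trail for the containment is lost.</p>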
<p><strong>Plugin ecosystem boundary</strong>: plugins turn Falco into a general detection engine, but ownership where plugin events overlap the SIEM must be explicit. Recommended split: <em>host syscalls + container runtime → Falco rules</em> (real-time, low latency); <em>K8s audit + cloud audit + IdP audit → both the Falco plugin (near-real-time alert) and the SIEM (historical correlation)</em>; <em>pure cross-source correlation (many users, many sources, many time windows) → SIEM first</em>. Do not let a Falco plugin rule and a SIEM rule carry the same condition; it double-alerts and double-costs.</p>
<p><strong>Where Sigstore + SBOM fit</strong>: Falco does no image scanning or SBOM verification (that is the job of <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security's open-source all-in-one scanner: Container / Filesystem / K8s / IaC + Secret + License + SBOM; Apache 2.0; CI-friendly">Trivy</a> / <a href="/blog/backend/07-security-data-protection/vendors/syft-grype/" data-link-title="Syft + Grype" data-link-desc="Anchore's open-source sibling tools: Syft generates SBOMs (CycloneDX / SPDX), Grype scans for vulnerabilities; Unix philosophy; cosign attestation integration">Syft &amp; Grype</a>), but runtime detection is the last layer of defence in depth for <a href="/blog/backend/07-security-data-protection/supply-chain-integrity-and-artifact-trust/" data-link-title="7.12 Supply Chain Integrity and Artifact Trust" data-link-desc="Defines build provenance, artifact trust and delivery-chain risk">Supply Chain Integrity</a>: the image passed the scan and the signature verified, yet at runtime an anomalous syscall appears (Log4Shell triggering an outbound LDAP connection; SolarWinds legitimately signed but behaving abnormally), and a Falco rule is the last point that catches it.</p>
<h2 id="排錯與失敗快速判讀">Troubleshooting and quick failure triage</h2>
<ul>
<li><strong>Falco starts but produces no events at all</strong>: the driver did not load (modern eBPF failed on an old kernel or one without BTF). Check the startup log for which engine was opened, compare the driver version with <code>falco --version</code>, and prove capture end to end by triggering a built-in rule from a test container (reading a sensitive file should fire the built-in sensitive-file rule); on old kernels switch to the legacy eBPF probe or kmod</li>
<li><strong>False positives flood the SOC</strong>: the rule is too broad (<code>shell in container</code> also fires on legitimate debug shells). Run it in a staging tenant for 48 hours and count FPs, add an exception list or refine the macro to exclude known-legitimate sources, and start new rules at Informational priority for observation</li>
<li><strong>Alerts do not reach the SIEM</strong>: Falcosidekick is not wired in, or the output channel is misconfigured. Confirm the Falcosidekick Deployment is up, the output webhook is correct and the SIEM HEC token has not expired; the Falco engine's own stdout / file output is still written, so nothing is lost silently</li>
<li><strong>Detection drift after a rule update</strong>: the ConfigMap was edited directly, without Git PR + staging observation. Enforce GitOps (Argo CD / Flux), make the ConfigMap immutable, and require every rule change to go through PR review + staging promotion</li>
<li><strong>Plugin event lag / missed events</strong>: plugins that poll cloud audit logs (CloudTrail / Okta) are bound by log delivery latency and API rate limits, so they are not real-time. Do not depend on a plugin for pure real-time detection; rely on the SIEM's streaming ingest instead, and use plugins to cover the layer syscalls cannot see</li>
<li><strong>Talon automated response kills a prod pod by mistake</strong>: the rule action terminates the pod directly with no approval gate. Split high-impact actions into two steps (label + cordon first, human approval before terminate), bound the blast radius by namespace / label selector, and send the full audit trail to the SIEM</li>
<li><strong>eBPF driver and kernel upgrade out of step</strong>: after a node kernel upgrade modern eBPF still adapts through CO-RE, but a Falco release that is too old may not know newer syscalls. Upgrade the Falco engine on a regular cadence; do not pin a two-year-old version</li>
</ul>
<h2 id="何時改走其他服務">When to use another service instead</h2>
<table>
  <thead>
      <tr>
          <th>Requirement shape</th>
          <th>Switch to</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Inline kill / enforcement needed</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/cilium-tetragon/" data-link-title="Cilium Tetragon" data-link-desc="eBPF-based runtime security + inline enforcement; same ecosystem as Cilium CNI; TracingPolicy CRD; process credentials tracking + KillerAction">Cilium Tetragon</a></td>
      </tr>
      <tr>
          <td>ML behavioral baseline + multi-cloud</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Security suite on the Datadog observability platform: Cloud SIEM + CSPM + CWS + AAP + Sensitive Data Scanner, on the same plane as observability">Datadog Security</a>, <a href="/blog/backend/07-security-data-protection/vendors/lacework/" data-link-title="Lacework" data-link-desc="CNAPP built on the Polygraph ML behavioral-baseline approach; merged with Fortinet in 2024 as FortiCNAPP; learns normal automatically and alerts on anomalies">Lacework</a>, <a href="/blog/backend/07-security-data-protection/vendors/wiz/" data-link-title="Wiz" data-link-desc="Agentless CNAPP; Security Graph + Toxic Combination risk prioritization; API-only scanning, no workload agent">Wiz</a></td>
      </tr>
      <tr>
          <td>Full CNAPP + posture + runtime</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/prisma-cloud/" data-link-title="Prisma Cloud" data-link-desc="Palo Alto CNAPP; agent (Defender) + agentless dual track; five modules (Compute / CSPM / Code / Data / CIEM); strong compliance templates">Prisma Cloud</a>, <a href="/blog/backend/07-security-data-protection/vendors/crowdstrike-falcon-cs/" data-link-title="CrowdStrike Falcon Cloud Security" data-link-desc="CrowdStrike's CNAPP on top of Falcon endpoint EDR; one agent across endpoint + workload + container; CrowdStrike Intelligence built in">CrowdStrike Falcon CS</a></td>
      </tr>
      <tr>
          <td>Image scan / SBOM / SCA</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security's open-source all-in-one scanner: Container / Filesystem / K8s / IaC + Secret + License + SBOM; Apache 2.0; CI-friendly">Trivy</a>, <a href="/blog/backend/07-security-data-protection/vendors/syft-grype/" data-link-title="Syft + Grype" data-link-desc="Anchore's open-source sibling tools: Syft generates SBOMs (CycloneDX / SPDX), Grype scans for vulnerabilities; Unix philosophy; cosign attestation integration">Syft &amp; Grype</a>, <a href="/blog/backend/07-security-data-protection/vendors/snyk/" data-link-title="Snyk" data-link-desc="Multi-module application security platform across SCMs: Open Source (SCA) + Code (SAST) + Container + IaC + Cloud (CSPM); reachability analysis">Snyk</a></td>
      </tr>
      <tr>
          <td>Cross-source SIEM correlation</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="Industry-standard SIEM; forwarder + indexer + search head architecture; SPL as the core query language; trade-off between ingestion-based pricing and detection coverage">Splunk</a>, <a href="/blog/backend/07-security-data-protection/vendors/elastic-security/" data-link-title="Elastic Security" data-link-desc="SIEM + EDR + Cloud Security suite on the Elastic Stack; OSS origins; KQL/EQL/Lucene/ES|QL query languages; resource-based pricing">Elastic Security</a>, <a href="/blog/backend/07-security-data-protection/vendors/google-security-operations/" data-link-title="Google Security Operations" data-link-desc="Google's cloud-native SIEM + SOAR + Mandiant threat intel in one (formerly Chronicle); UDM + YARA-L; fixed price by data tier; PB-scale friendly">Google Security Operations</a></td>
      </tr>
      <tr>
          <td>Incident routing</td>
          <td><a href="/blog/backend/08-incident-response/vendors/" data-link-title="Incident Response Vendor List" data-link-desc="Writing order and criteria for the service pages on on-call, incident response, status page and postmortem tooling">8 Incident Response vendor list</a></td>
      </tr>
  </tbody>
</table>
<h2 id="不在本頁內的主題">Topics not on this page</h2>
<ul>
<li>Full reference for the Sysdig filter syntax and the syscall field list</li>
<li>Falco source-code internals (libsinsp / libscap)</li>
<li>Feature-by-feature comparison with Sysdig Secure (Falco's commercial edition, maintained by Sysdig Inc., with ML baseline + cloud posture)</li>
<li>Container image scanning / SBOM verification (belongs to <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security's open-source all-in-one scanner: Container / Filesystem / K8s / IaC + Secret + License + SBOM; Apache 2.0; CI-friendly">Trivy</a> / <a href="/blog/backend/07-security-data-protection/vendors/syft-grype/" data-link-title="Syft + Grype" data-link-desc="Anchore's open-source sibling tools: Syft generates SBOMs (CycloneDX / SPDX), Grype scans for vulnerabilities; Unix philosophy; cosign attestation integration">Syft &amp; Grype</a>)</li>
<li>Design of Kubernetes RBAC / Pod Security Standards / NetworkPolicy (K8s platform layer, outside the scope of runtime detection)</li>
</ul>
<h2 id="案例回寫">Case write-back</h2>
<p>Falco has no direct vendor-level incident in the 07 case library, but several runtime / supply-chain cases are exactly the scenarios a Falco rule should be the first to catch:</p>
<table>
  <thead>
      <tr>
          <th>Case</th>
          <th>Relationship to Falco (comparative lesson)</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/3cx-2023-desktopapp-supply-chain/" data-link-title="7.R7.2.8 3CX 2023: Desktop Software Update-Chain Attack" data-link-desc="How a desktop supply-chain incident reached enterprise endpoints after a legitimate update flow was implanted">3CX 2023 Desktop App Supply Chain</a></td>
          <td>A Falco rule detects the desktop app process spawning anomalous child processes + outbound callbacks, adding a runtime-behavior layer beyond signature verification</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/log4shell-cve-2021-44228-component-chain/" data-link-title="7.R7.2.7 Log4Shell 2021: Shared-Component Risk and the Patch Chain" data-link-desc="How a shared-component vulnerability hit many services at once and forced teams to build a dependency-governance workflow">Log4Shell CVE-2021-44228</a></td>
          <td>A Falco rule detects the outbound LDAP / DNS triggered by the JNDI lookup, adding runtime detection beyond the <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security's open-source all-in-one scanner: Container / Filesystem / K8s / IaC + Secret + License + SBOM; Apache 2.0; CI-friendly">Trivy</a> image scan</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/solarwinds-2020-sunburst/" data-link-title="7.R7.2.1 SolarWinds 2020: Update Chain Abused" data-link-desc="How attackers persisted and moved laterally after a legitimate update flow was implanted">SolarWinds 2020 Sunburst</a></td>
          <td>Legitimately signed binary with anomalous runtime behavior (process tree / outbound C2 / abnormal file access); Falco rule + Talon containment is the last layer</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/data-exfiltration/snowflake-2024-credential-abuse/" data-link-title="7.R7.4.2 Snowflake 2024: Credential Abuse and Data Theft" data-link-desc="How leaked credentials and MFA gaps became a high-risk exfiltration event on a data platform">Snowflake 2024 Credential Abuse</a></td>
          <td>Comparative lesson: Falco's home turf is host / container runtime; behavior detection on a cloud-native data warehouse goes through the SIEM + platform-layer audit, outside Falco's scope</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/detection-engineering-lifecycle/" data-link-title="7.B5 Detection Engineering Lifecycle" data-link-desc="Treats detection rules as maintainable assets, with a full lifecycle from source, testing and tuning to retirement">Detection Engineering Lifecycle (section)</a></td>
          <td>Falco rules + macros + lists follow the propose → staging tune → promote → review engineering lifecycle, not direct ConfigMap edits</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/alert-fatigue-and-signal-quality/" data-link-title="7.B10 Alert Fatigue and Signal Quality" data-link-desc="Establishes a method for governing alert fatigue so that signal quality, tiering consistency and handling efficiency improve together">Alert Fatigue and Signal Quality (section)</a></td>
          <td>Falco's priority ladder (new rules start at Informational, 48 hours of staging observation, then promotion to Warning / Critical) is the engineering answer to alert fatigue</td>
      </tr>
  </tbody>
</table>
<h2 id="下一步路由">Next routes</h2>
<ul>
<li>Upstream: <a href="/blog/backend/07-security-data-protection/detection-coverage-and-signal-governance/" data-link-title="7.13 Detection Coverage and Signal Governance" data-link-desc="Defines the governance problem of detection coverage, signal quality and false-positive cost">7.13 Detection Coverage and Signal Governance</a>, <a href="/blog/backend/07-security-data-protection/blue-team/detection-engineering-lifecycle/" data-link-title="7.B5 Detection Engineering Lifecycle" data-link-desc="Treats detection rules as maintainable assets, with a full lifecycle from source, testing and tuning to retirement">Detection Engineering Lifecycle</a>, <a href="/blog/backend/07-security-data-protection/blue-team/detection-to-response-routing/" data-link-title="7.B2 Detection to Response Routing" data-link-desc="Outline of how security detection signals turn into triage, severity, escalation and incident workflow">Detection to Response Routing</a></li>
<li>Parallel: <a href="/blog/backend/07-security-data-protection/vendors/cilium-tetragon/" data-link-title="Cilium Tetragon" data-link-desc="eBPF-based runtime security + inline enforcement; same ecosystem as Cilium CNI; TracingPolicy CRD; process credentials tracking + KillerAction">Cilium Tetragon</a>, <a href="/blog/backend/07-security-data-protection/vendors/datadog-security/" data-link-title="Datadog Security" data-link-desc="Security suite on the Datadog observability platform: Cloud SIEM + CSPM + CWS + AAP + Sensitive Data Scanner, on the same plane as observability">Datadog Security</a>, <a href="/blog/backend/07-security-data-protection/vendors/lacework/" data-link-title="Lacework" data-link-desc="CNAPP built on the Polygraph ML behavioral-baseline approach; merged with Fortinet in 2024 as FortiCNAPP; learns normal automatically and alerts on anomalies">Lacework</a>, <a href="/blog/backend/07-security-data-protection/vendors/prisma-cloud/" data-link-title="Prisma Cloud" data-link-desc="Palo Alto CNAPP; agent (Defender) + agentless dual track; five modules (Compute / CSPM / Code / Data / CIEM); strong compliance templates">Prisma Cloud</a></li>
<li>Downstream: <a href="/blog/backend/07-security-data-protection/vendors/splunk/" data-link-title="Splunk" data-link-desc="Industry-standard SIEM; forwarder + indexer + search head architecture; SPL as the core query language; trade-off between ingestion-based pricing and detection coverage">Splunk</a> / <a href="/blog/backend/07-security-data-protection/vendors/elastic-security/" data-link-title="Elastic Security" data-link-desc="SIEM + EDR + Cloud Security suite on the Elastic Stack; OSS origins; KQL/EQL/Lucene/ES|QL query languages; resource-based pricing">Elastic Security</a> / <a href="/blog/backend/07-security-data-protection/vendors/google-security-operations/" data-link-title="Google Security Operations" data-link-desc="Google's cloud-native SIEM + SOAR + Mandiant threat intel in one (formerly Chronicle); UDM + YARA-L; fixed price by data tier; PB-scale friendly">Google Security Operations</a> (Falco alerts go to the SIEM for cross-source correlation)</li>
<li>Cross-category: <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security's open-source all-in-one scanner: Container / Filesystem / K8s / IaC + Secret + License + SBOM; Apache 2.0; CI-friendly">Trivy</a> / <a href="/blog/backend/07-security-data-protection/vendors/syft-grype/" data-link-title="Syft + Grype" data-link-desc="Anchore's open-source sibling tools: Syft generates SBOMs (CycloneDX / SPDX), Grype scans for vulnerabilities; Unix philosophy; cosign attestation integration">Syft &amp; Grype</a> (image scan + SBOM, which together with runtime detection form the supply-chain defence in depth), <a href="/blog/backend/07-security-data-protection/vendors/wiz/" data-link-title="Wiz" data-link-desc="Agentless CNAPP; Security Graph + Toxic Combination risk prioritization; API-only scanning, no workload agent">Wiz</a> / <a href="/blog/backend/07-security-data-protection/vendors/crowdstrike-falcon-cs/" data-link-title="CrowdStrike Falcon Cloud Security" data-link-desc="CrowdStrike's CNAPP on top of Falcon endpoint EDR; one agent across endpoint + workload + container; CrowdStrike Intelligence built in">CrowdStrike Falcon CS</a> (commercial CNAPP runtime comparison)</li>
<li>Cross-module: <a href="/blog/backend/08-incident-response/vendors/" data-link-title="Incident Response Vendor List" data-link-desc="Writing order and criteria for the service pages on on-call, incident response, status page and postmortem tooling">8 Incident Response vendor list</a> (Falco notable alert → IR routing), <a href="/blog/backend/07-security-data-protection/supply-chain-integrity-and-artifact-trust/" data-link-title="7.12 Supply Chain Integrity and Artifact Trust" data-link-desc="Defines build provenance, artifact trust and delivery-chain risk">Supply Chain Integrity</a> (the defence-in-depth relationship between artifact trust and runtime detection)</li>
<li>Official: <a href="https://falco.org/docs/">Falco Documentation</a>, <a href="https://github.com/falcosecurity/rules">Falco Rules Repository</a></li>
</ul>
]]></content:encoded></item></channel></rss>