Skill

performing-cloud-native-forensics-with-falco

From asi

Deploys and manages Falco YAML rules via gRPC API for runtime threat detection in Kubernetes and containers, monitoring syscalls for shell spawns, file tampering, and privilege escalations. Parses alerts for forensics.

Kubernetes

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When conducting security assessments that involve performing cloud native forensics with falco

SKILL.md

Similar Skills

performing-cloud-native-forensics-with-falco

5.9k

Deploys and manages Falco YAML rules for runtime threat detection in Kubernetes and containers via syscalls, parses alerts with gRPC API and Python for forensics and incident response.

3 files

cybersecurity-skills

performing-cloud-native-forensics-with-falco

Detects runtime threats in containers and Kubernetes using Falco YAML rules, monitoring syscalls for shell spawns, file tampering, network anomalies, and privilege escalations. Manages rules via gRPC API and parses alerts.

3 files

cybersecurity-skills-zh

detecting-container-escape-with-falco-rules

Detects container escape attempts in real-time using Falco rules monitoring syscalls, host filesystem mounts, file access, and privilege escalations in Kubernetes or Docker.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Performing Cloud Native Forensics with Falco

When to Use

When conducting security assessments that involve performing cloud native forensics with falco

When following incident response procedures for related security events

When performing scheduled security testing or auditing activities

When validating security controls through hands-on testing

Prerequisites

Familiarity with cloud security concepts and tools

Access to a test or lab environment for safe execution

Python 3.8+ with required dependencies installed

Appropriate authorization for any testing activities

Instructions

Deploy and manage Falco rules for runtime security detection in containerized environments. Parse Falco alerts for incident response.

# Custom Falco rule for detecting shell in container - rule: Shell Spawned in Container desc: Detect shell process started in a container condition: > spawned_process and container and proc.name in (bash, sh, zsh, dash, csh) and not proc.pname in (docker-entrypo, supervisord) output: > Shell spawned in container (user=%user.name command=%proc.cmdline container=%container.name image=%container.image.repository) priority: WARNING tags: [container, shell, mitre_execution]

Key detection rules:

Shell spawn in non-interactive containers

Sensitive file access (/etc/shadow, /etc/passwd)

Outbound connections from unexpected containers

Privilege escalation via setuid/setgid

Container escape via mount or ptrace

Examples

# Run Falco with custom rules falco -r /etc/falco/custom_rules.yaml -o json_output=true # Parse JSON alerts cat /var/log/falco/alerts.json | python3 -c "import json,sys; [print(json.loads(l)['output']) for l in sys.stdin]"