Chapter 3. Understanding Falcoâs Architecture
Welcome to Part II of the book! In Part I, you learned what Falco is and what it does. You also took a high-level look at its architecture, installed it on your machine, and took it for a spin. Now itâs time to step up your game!
In this part of the book (Chapters 3 through 8), weâll get into the inner workings of Falco. You will learn about its architecture in more detail, including its main components and how data flows across them. Weâll show you how Falco interfaces with the kernel of the operating system and with the cloud logs to collect data, and how this data is enriched with context and metadata. Chapter 6 will then introduce you to the important topic of fields and filters, while Chapter 7 will get you more familiar with Falco rules. Weâll conclude Part II by talking about the outputs framework, a key piece of Falco.
Do you really need to learn about the internals of Falco in order to operate it? The answer, as it is so often in life, is âit depends.â If your goal is simply to deploy Falco in its default configuration and show your boss that itâs up and working, then youâre probably fine skipping this part of the book. However, doing so will make some things hard, and others impossible. For example, in Parts III and IV weâll cover:
Interpreting Falcoâs output
Determining if an alert could be a false positive
Fine-tuning Falco to privilege accuracy over noise
Precisely adapting Falco to your environment ...
Get Practical Cloud Native Security with Falco now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
