Melissa Kilby

@incertum

Joined on Aug 1, 2022

  • Falco Community Call - January 17, 2024 Author: Melissa Kilby (@incertum) Proposals docs(proposals): introduce on host anomaly detection framework Falco proposal PR. wip: new(userspace/libsinsp): MVP CountMinSketch Powered Probabilistic Counting and Filtering libs draft PR. New plugin anomalydetection New family of plugin -> creates a new class of libsinsp state, in addition to new filterchecks (Field Extraction). No event source plugin, instead on top of existing event sources. Also leverages existing libsinsp filter fields to create composite fields.
  • Kudos to the incredible teamwork "extraordinaire" of Jason Dellaluce, Federico Di Pierro, Andrea Terzolo, and Melissa Kilby for making this feature a reality. We would also like to express our gratitude to Stanley Chan for providing invaluable feedback to ensure a clear and user-friendly experience. Summary The release of Falco 0.35.0 marks a significant milestone by introducing a groundbreaking feature: the ability to choose which syscalls to collect. This enhancement empowers users with granular control over the system calls that Falco actively monitors and traces. By doing so, users can optimize their system's performance by collecting only the necessary syscalls, consequently reducing the CPU load. Why stop at just one groundbreaking feature? Previously, Falco had limited access to the wide range of syscalls supported by its underlying libraries and kernel drivers. However, with the latest updates, Falco now has the capability to trace every syscall that is supported by Falco's libs. This expanded access to syscalls marks yet another significant milestone in terms of threat detection. [Vicente maybe the Action Items below could be formatted differently in the release note as box or something like that] Action Items and Recommendations for Adopters
  • Last Updated: Apr 25, 2023 Recommendation is to use the old eBPF probe for testing as modern_bpf is not yet released as production-ready. Running Falco: sudo -E FALCO_BPF_PROBE="$(uname -r).o" /usr/bin/falco -c falco.yaml -r falco_rules.yaml -o "log_level=debug" # adding -o "log_level=debug" will print all syscalls added in rules and via base_syscalls option Relevant Falco Tickets:
  • Issue: https://github.com/falcosecurity/falco/issues/2435 Meeting Notes from Apr 3, 2023 Have sci.yaml in Falco repo Explore how to derive scaling factors for Falco based on CPU and memory usages Explore how to help tag env sustainability to set up realistic benchmarking environments Start work in June/July 2023 As a result, give end users guidance on implications of Falco settings or rules and different compute environments North star: Derive default Falco settings that work for most end users
  • Links: Falco issue: Falco native resource utilization metrics logs support Falco staging PR PRs Done scap refactor to expose some constants sinsp resource utilization metrics, such as CPU and memory usage libbpf stats, such as avg time spent in each bpf program