performing-cloud-native-forensics-with-falco

name: performing-cloud-native-forensics-with-falco description: 'Uses Falco YAML rules for runtime threat detection in containers and Kubernetes, monitoring syscalls for shell spawns, file tampering, network anomalies, and privilege escalation. Manages Falco rules via the Falco gRPC API and parses Falco alert output. Use when building container runtime security or investigating k8s cluster compromises.

' domain: cybersecurity tags:

• performing
• cloud
• native
• forensics subdomain: cloud-security version: '1.0' author: mahipal license: Apache-2.0 nist_csf:
• PR.IR-01
• ID.AM-08
• GV.SC-06
• DE.CM-01

Performing Cloud Native Forensics with Falco

When to Use

• When conducting security assessments that involve performing cloud native forensics with falco
• When following incident response procedures for related security events
• When performing scheduled security testing or auditing activities
• When validating security controls through hands-on testing

Prerequisites

• Familiarity with cloud security concepts and tools
• Access to a test or lab environment for safe execution
• Python 3.8+ with required dependencies installed
• Appropriate authorization for any testing activities

Instructions

Deploy and manage Falco rules for runtime security detection in containerized environments. Parse Falco alerts for incident response.

# Custom Falco rule for detecting shell in container
- rule: Shell Spawned in Container
  desc: Detect shell process started in a container
  condition: >
    spawned_process and container
    and proc.name in (bash, sh, zsh, dash, csh)
    and not proc.pname in (docker-entrypo, supervisord)
  output: >
    Shell spawned in container
    (user=%user.name command=%proc.cmdline container=%container.name
     image=%container.image.repository)
  priority: WARNING
  tags: [container, shell, mitre_execution]

Key detection rules:

1. Shell spawn in non-interactive containers
2. Sensitive file access (/etc/shadow, /etc/passwd)
3. Outbound connections from unexpected containers
4. Privilege escalation via setuid/setgid
5. Container escape via mount or ptrace

Examples

# Run Falco with custom rules
falco -r /etc/falco/custom_rules.yaml -o json_output=true
# Parse JSON alerts
cat /var/log/falco/alerts.json | python3 -c "import json,sys; [print(json.loads(l)['output']) for l in sys.stdin]"

When NOT to Use

• You don't have explicit written authorization to test
• Task is about defense/detection, not offense (use detection skills)
• You need to implement security controls (use implementing-* skills)
• Task requires compliance auditing (use auditing-* skills)
• You're investigating an incident (use incident response skills)
• Target is out of scope for your engagement
• Task is about vulnerability scanning only (use scanning tools)

Red Flags

• Performing actions without explicit written authorization from the asset owner
• Testing against production systems without a defined scope and rules of engagement
• Failing to use write-blockers when acquiring forensic evidence
• Not verifying hash integrity before and after imaging
• Modifying original evidence during analysis

Verification

• All steps executed successfully against a test environment before production use
• Output documented with screenshots or logs demonstrating expected behavior
• Hash values computed and verified match between source and image
• Chain of custody log complete with timestamps and examiner names
• Analysis tools and versions documented for reproducibility

Overview

Section content — see SKILL.md body for full details.

Process

1. Analyze the task requirements
2. Apply domain expertise
3. Verify output quality