Project Goal: Transform Falco alerts into clear, actionable reports.
What was done:
Project Objectives:
In this project, I set up a Kubernetes cluster on Google Cloud Platform (GCP) with Terraform and Helm and installed Falco, an open-source runtime security tool, to monitor the cluster for suspicious activity. To test the setup, I deployed a sample nginx pod and triggered Falco alerts by simulating access to sensitive files.
To make the alerts actionable, I configured Falco to send them to Google Cloud Pub/Sub and then developed a Python application that listens for these Pub/Sub messages in real time. When a Falco alert is received, the application uses an AI agent built with the Google Agent Development Kit (ADK) to generate a human-readable summary of the alert and suggest practical next steps for investigation or remediation.
This integration streamlines understanding and responding to security events in the cloud. By combining Falco, GCP Pub/Sub, and AI, it turns raw security alerts into clear, actionable insights, making cloud-native security more accessible and effective.
<aside> 💡
This is a crude and possibly bad example, but it could easily be improved with runbooks, knowledge bases, better prompts, etc.
</aside>
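The Pub/Sub-side handling described above, as an added example written for this page (not the project's own code): it parses a Falco JSON alert out of a message body, ranks it by Falco priority, and builds the prompt the ADK agent would receive, with a runbook hint injected deterministically rather than left for the model to guess. The sample alert, the RUNBOOK table and the "Warning or higher" attention threshold are constructed assumptions; the google-cloud-pubsub subscriber (`SubscriberClient.subscribe` with `handle_message` as the callback body) and the ADK call are left out so the module runs offline.

```python
import json

# Falco priorities as written in the alert's "priority" field, most severe first.
PRIORITY_ORDER = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

RUNBOOK = {  # constructed mini-runbook keyed by Falco rule name (an assumption)
    "Read sensitive file untrusted": "Check whether the process needs the file; "
                                     "inspect the pod spec for hostPath mounts.",
}


def parse_falco_alert(data: bytes) -> dict:
    """Decode one Pub/Sub message body carrying a Falco JSON alert (json_output: true),
    which carries "rule", "priority", "time", "output" and "output_fields"."""
    alert = json.loads(data.decode("utf-8"))
    missing = [k for k in ("rule", "priority", "output") if k not in alert]
    if missing:
        raise ValueError(f"not a Falco alert, missing {missing}")
    f = alert.get("output_fields") or {}  # absent -> fall back to the raw output line
    rank = (PRIORITY_ORDER.index(alert["priority"])
            if alert["priority"] in PRIORITY_ORDER else len(PRIORITY_ORDER))
    return {"rule": alert["rule"], "priority": alert["priority"], "severity_rank": rank,
            "time": alert.get("time"), "namespace": f.get("k8s.ns.name", "<unknown>"),
            "pod": f.get("k8s.pod.name", "<unknown>"), "process": f.get("proc.name"),
            "command": f.get("proc.cmdline"), "file": f.get("fd.name"),
            "user": f.get("user.name"), "raw_output": alert["output"]}


def build_agent_prompt(incident: dict) -> str:
    """Prompt for the ADK agent; the runbook step is added deterministically here."""
    hint = RUNBOOK.get(incident["rule"], "No runbook entry; treat as unknown.")
    return (f"Falco rule '{incident['rule']}' ({incident['priority']}) fired in namespace "
            f"{incident['namespace']}, pod {incident['pod']}: process {incident['process']} "
            f"({incident['command']}) run by {incident['user']} touched {incident['file']}.\n"
            f"Runbook hint: {hint}\nSummarise in two sentences and list next steps.")


def handle_message(data: bytes) -> dict:
    """Body of the Pub/Sub callback: parse, decide whether it needs attention, build prompt."""
    incident = parse_falco_alert(data)
    incident["needs_attention"] = incident["severity_rank"] <= PRIORITY_ORDER.index("Warning")
    incident["prompt"] = build_agent_prompt(incident)
    return incident


# Constructed sample alert (not captured from the cluster) so the module runs stand-alone.
SAMPLE_ALERT = json.dumps({
    "rule": "Read sensitive file untrusted", "priority": "Warning",
    "time": "2024-05-01T13:22:01.123456789Z",
    "output": "13:22:01.123456789: Warning Sensitive file opened for reading by non-trusted program",
    "output_fields": {"k8s.ns.name": "default", "k8s.pod.name": "nginx-7c5ddbdf54-abcde",
                      "proc.name": "cat", "proc.cmdline": "cat /etc/shadow",
                      "fd.name": "/etc/shadow", "user.name": "root"}}).encode()
```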
There is another interesting tool in the same area called Tetragon; its website describes it as follows:
<aside> 💡
Tetragon is a flexible Kubernetes-aware security observability and runtime enforcement tool that applies policy and filtering directly with eBPF, allowing for reduced observation overhead, tracking of any process, and real-time enforcement of policies.
</aside>
The difference is that Falco only monitors, whereas Tetragon monitors and blocks. The picture below shows access control to /etc/shadow, and the code below shows an example of access control to the sensitive file /root/.ssh/authorized_keys together with the action taken when this event occurs (Sigkill: the process is killed immediately).