elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[New Integration] Sysdig Falco #9084

Closed smriti0321 closed 2 months ago

smriti0321 commented 8 months ago

Sysdig Falco is a powerful open-source threat detection engine for Kubernetes. Integrating it with Elastic enhances security monitoring by providing real-time insights into containerised environments. This integration will empower our customers to proactively detect and respond to security threats within their Kubernetes environment using the combined capabilities of Falco and Elastic SIEM.

Useful links:

  - https://falco.org/docs/getting-started/
  - https://docs.sysdig.com/en/docs/developer-tools/sysdig-rest-api-conventions/
  - https://docs.sysdig.com/en/docs/developer-tools/working-with-the-data-api/

We would like to ingest the following data from Sysdig:

  1. Falco Rules - These define the behavior patterns to detect security threats. https://falco.org/docs/rules/
  2. Alerts - https://falco.org/docs/outputs/
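As an added illustration of the alert data this issue proposes to ingest (example code, not part of the issue and not code from the Falco project or the Elastic integration): a small normalizer for Falco's JSON alert output that validates each line and maps it onto ECS-style fields. The Falco-to-ECS field mapping and the syslog-style numeric severity are assumptions made for the example, not the integration's actual ingest pipeline, and the sample lines are constructed.

```python
import json

# Falco's own priority names, most to least severe. They follow syslog levels,
# so the list index doubles as a syslog-style numeric severity (0 = Emergency).
FALCO_PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
                    "Warning", "Notice", "Informational", "Debug"]

# Falco output_fields -> ECS field names. This mapping is an assumption made for
# the example, not the integration's actual ingest pipeline.
FIELD_MAP = {"container.id": "container.id", "container.name": "container.name",
             "k8s.ns.name": "orchestrator.namespace", "k8s.pod.name": "orchestrator.resource.name",
             "proc.name": "process.name", "user.name": "user.name"}

# Constructed sample lines in the shape Falco emits with json_output enabled: a
# complete alert, a non-JSON line, a JSON object with no "rule", and a minimal
# alert that has no output_fields.
SAMPLE_LINES = [
    '{"hostname":"node-1","output":"10:15:02.123 Warning A shell was spawned in a container","priority":"Warning","rule":"Terminal shell in container","source":"syscall","tags":["container","shell"],"time":"2024-05-01T10:15:02.123456789Z","output_fields":{"container.id":"abc123","container.name":"web","k8s.ns.name":"prod","k8s.pod.name":"web-7d9f","proc.name":"bash","user.name":"root"}}',
    "falco: starting up",
    '{"priority":"Notice","time":"2024-05-01T10:16:00.000000000Z"}',
    '{"hostname":"node-2","output":"10:17:00.000 Critical File below /etc opened for writing","priority":"Critical","rule":"Write below etc","source":"syscall","time":"2024-05-01T10:17:00.000000000Z"}',
]


def normalize_alert(line):
    """Parse one Falco JSON line into a flat ECS-like event dict, or return None
    for lines that are not JSON or lack the fields every Falco alert carries."""
    try:
        raw = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(raw, dict) or any(k not in raw for k in ("rule", "priority", "time")):
        return None
    if raw["priority"] not in FALCO_PRIORITIES:   # unknown priority: treat as malformed
        return None
    event = {"@timestamp": raw["time"], "event.kind": "alert",
             "event.severity": FALCO_PRIORITIES.index(raw["priority"]),
             "rule.name": raw["rule"], "host.name": raw.get("hostname"),
             "message": raw.get("output"), "tags": raw.get("tags", [])}
    output_fields = raw.get("output_fields") or {}   # absent in the minimal sample
    for falco_key, ecs_key in FIELD_MAP.items():
        event[ecs_key] = output_fields.get(falco_key)
    return {k: v for k, v in event.items() if v is not None}   # drop unset fields


def normalize_all(lines):
    """Normalize a batch of lines; returns (events, number_of_dropped_lines)."""
    events = [normalize_alert(line) for line in lines]
    kept = [e for e in events if e is not None]
    return kept, len(events) - len(kept)
```

Counting dropped lines separately matters in practice: a Falco process restarting or a misconfigured output prints non-JSON lines, and silently discarding them would hide an ingestion gap.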


nick-alayil commented 3 months ago

@smriti0321 as discussed, listing down the challenges customers might face or questions they might have when considering the Falco integration.

  1. Overhead of Multiple Agents:

Challenge: Customers may be concerned about having to deploy and manage an additional agent (Elastic Agent with Falco integration) to ingest data from an existing agent (Falco).

Question: Why do we need to deploy an additional agent just to ingest Falco data?

  2. Resource Consumption:

Challenge: The installation of the Elastic Agent and the Falco integration introduces a new process on the system, consuming additional CPU and memory resources.

Question: How will the addition of the Elastic Agent and Falco integration impact the performance of our existing systems?

  3. Increased Operational Overhead:

Challenge: The need to monitor and maintain both the Elastic Agent and the Falco integration increases operational complexity.

Question: What are the best practices for monitoring and maintaining the health of both the Elastic Agent and the Falco integration to minimize operational overhead?

  4. Cloud Cost Considerations:

Challenge: The integration may lead to increased cloud costs due to the additional resources required for running the Elastic Agent and the Falco integration.

Question: How will the additional resource requirements and data ingestion impact our cloud costs?

  5. Integration and Ecosystem Alignment:

Challenge: While the Falco integration aligns with the Elastic ecosystem, customers may question the overall value and necessity of this alignment.

Question: How does ingesting Falco data via the Elastic Agent and Falco integration provide additional value compared to using Falco independently and forwarding data with other tools like Falcosidekick?