
Falco — alert on a runtime-security event spike

Falco logs suspicious actions (a write under /etc, a shell spawned in a container, an unexpected outbound connection) — but the logs sit locally on the host and nobody looks at them. An in-container attack develops silently.

Recipe

```bash
#!/usr/bin/env bash
# /etc/cron.d/falco-spike
# */5 * * * * root /opt/falco-spike.sh
set -u

WINDOW=${WINDOW:-5min}
THRESH=${THRESH:-5}                   # warning-or-worse events / 5 min
# cron runs with an almost empty environment, so the heartbeat URL has to be
# set here or on the crontab line; fail loudly if it is missing.
HEARTBEAT_URL=${HEARTBEAT_URL:?set HEARTBEAT_URL to your Enterno heartbeat URL}

# Falco's default syslog output lands in journald with its own priority mapped
# to the syslog level, so -p warning keeps levels 0..4 (warning or worse).
# -q drops the "-- No entries --" and boot markers so an empty window counts
# as 0; -o cat prints only the message text, one event per line.
COUNT=$(journalctl -q -u falco --since "$WINDOW ago" -p warning -o cat --no-pager 2>/dev/null \
  | grep -c .)

if [ "$COUNT" -gt "$THRESH" ]; then
  # The rule name is only present in the log line when falco.yaml has
  # json_output: true; with plain text output SAMPLE stays empty and only the
  # count is reported.
  SAMPLE=$(journalctl -q -u falco --since "$WINDOW ago" -p warning -o cat --no-pager 2>/dev/null \
    | grep -oE '"rule":"[^"]+"' | cut -d'"' -f4 | sort | uniq -c | sort -rn | head -3 | tr '\n' ';')
  curl -fsS "$HEARTBEAT_URL" --data-urlencode "falco_events=$COUNT" --data-urlencode "top_rules=$SAMPLE"
  exit 2
fi
echo "OK ($COUNT warning-or-worse events / $WINDOW)"
```
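To check what the counting and top-rule pipeline actually matches before putting it in cron, here is an added example (not part of the recipe page) that runs the same logic over a few constructed Falco JSON lines; it assumes Falco is writing `json_output: true` records, and the helper names falco_rank, falco_count_events and falco_top_rules are hypothetical.

```bash
#!/usr/bin/env bash
# Constructed sample of Falco events as written with json_output: true
# (what `journalctl -u falco -o cat` would print). Not real events.
FALCO_SAMPLE='{"priority":"Warning","rule":"Terminal shell in container","output":"..."}
{"priority":"Notice","rule":"Write below etc","output":"..."}
{"priority":"Warning","rule":"Terminal shell in container","output":"..."}
{"priority":"Error","rule":"Write below etc","output":"..."}
{"priority":"Informational","rule":"Contact K8S API Server From Container","output":"..."}
{"priority":"Critical","rule":"Terminal shell in container","output":"..."}'

# Syslog-style rank of a Falco priority name (lower number = more severe).
falco_rank() {
  case "$1" in
    Emergency) echo 0 ;; Alert) echo 1 ;; Critical) echo 2 ;; Error) echo 3 ;;
    Warning) echo 4 ;; Notice) echo 5 ;; Informational) echo 6 ;; Debug) echo 7 ;;
    *) echo 99 ;;
  esac
}

# Count events on stdin whose priority is MIN or worse (Warning => ranks 0..4),
# which is the same selection `journalctl -p warning` makes on Falco's syslog output.
falco_count_events() {
  local min_rank n p
  min_rank=$(falco_rank "$1")
  n=0
  while IFS= read -r line; do
    p=$(printf '%s\n' "$line" | grep -oE '"priority":"[^"]+"' | cut -d'"' -f4)
    [ -n "$p" ] || continue
    if [ "$(falco_rank "$p")" -le "$min_rank" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Top N rule names on stdin, most frequent first, printed as "count rule".
falco_top_rules() {
  grep -oE '"rule":"[^"]+"' | cut -d'"' -f4 | sort | uniq -c | sort -rn \
    | head -n "${1:-3}" | sed 's/^[[:space:]]*//'
}
```

Run it with `printf '%s\n' "$FALCO_SAMPLE" | falco_count_events Warning` (4 of the 6 sample events qualify) and `printf '%s\n' "$FALCO_SAMPLE" | falco_top_rules 3` to see the summary the heartbeat would carry.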

Same thing in Enterno.io

Wire this check to an Enterno heartbeat so you learn about a runtime-security event burst before the evidence of a successful breach disappears into log rotation or gets overwritten.
