
security professional · security skill · risk: medium

Falco Container Threat Detection Rules

Deploy and manage Falco rules for runtime security detection in containerized environments. Parse Falco alerts for incident response.

  • Policy sensitive
  • Human review


SKILL.md
---
name: performing-cloud-native-forensics-with-falco
description: "Uses Falco YAML rules for runtime threat detection in containers and Kubernetes, monitoring syscalls for shell"
---
# Performing Cloud Native Forensics with Falco
## When to Use

- When conducting security assessments that involve performing cloud native forensics with Falco
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing

## Prerequisites

- Familiarity with cloud security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Instructions

Deploy and manage Falco rules for runtime security detection in containerized
environments. Parse Falco alerts for incident response.

```yaml
# Custom Falco rule for detecting a shell in a container.
# The spawned_process and container macros come from Falco's default
# falco_rules.yaml, so that file must be loaded alongside this one.
- rule: Shell Spawned in Container
  desc: Detect shell process started in a container
  condition: >
    spawned_process and container
    and proc.name in (bash, sh, zsh, dash, csh)
    and not proc.pname in (docker-entrypoi, supervisord)
  # proc.name/proc.pname carry the kernel comm field, which is truncated to
  # 15 characters, hence "docker-entrypoi" rather than "docker-entrypoint".
  output: >
    Shell spawned in container
    (user=%user.name command=%proc.cmdline container=%container.name
     image=%container.image.repository)
  priority: WARNING
  tags: [container, shell, mitre_execution]
```

Key detection rules:
1. Shell spawn in non-interactive containers
2. Sensitive file access (/etc/shadow, /etc/passwd)
3. Outbound connections from unexpected containers
4. Privilege escalation via setuid/setgid
5. Container escape via mount or ptrace

## Examples

```bash
# Run Falco with the default ruleset plus the custom rules file. -r may be
# repeated; the custom rule above uses macros defined in falco_rules.yaml.
falco -r /etc/falco/falco_rules.yaml -r /etc/falco/custom_rules.yaml -o json_output=true
# Parse JSON alerts (one JSON object per line) and print the human-readable
# output field. The file exists only if file_output is enabled in falco.yaml.
cat /var/log/falco/alerts.json | python3 -c "import json,sys; [print(json.loads(l)['output']) for l in sys.stdin]"
```
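As an added example (not part of the original skill and not Falco's own code), a small Python parser for the alert lines Falco emits with json_output=true: it skips malformed lines, keeps alerts at or above a chosen Falco priority, and builds a per-container timeline from output_fields for triage. The sample alert lines are constructed for the example.

```python
import json
from collections import defaultdict
PRIORITY_ORDER = ["Emergency", "Alert", "Critical", "Error",  # most severe first
                  "Warning", "Notice", "Informational", "Debug"]

# Constructed sample alerts (json_output=true, one object per line); line 3 is
# deliberately malformed to exercise the error path.
SAMPLE_ALERTS = """\
{"hostname":"node-a","output":"10:00:00.000000000: Warning Shell spawned in container (user=root command=bash -c id container=web-1 image=nginx)","priority":"Warning","rule":"Shell Spawned in Container","source":"syscall","tags":["container","shell","mitre_execution"],"time":"2024-05-01T10:00:00.000000000Z","output_fields":{"container.image.repository":"nginx","container.name":"web-1","proc.cmdline":"bash -c id","user.name":"root"}}
{"hostname":"node-a","output":"10:00:05.000000000: Critical Sensitive file opened for reading (user=root file=/etc/shadow container=web-1)","priority":"Critical","rule":"Read sensitive file untrusted","source":"syscall","tags":["filesystem","mitre_credential_access"],"time":"2024-05-01T10:00:05.000000000Z","output_fields":{"container.name":"web-1","fd.name":"/etc/shadow","proc.cmdline":"cat /etc/shadow","user.name":"root"}}
not json at all
{"hostname":"node-b","output":"10:01:00.000000000: Notice Shell spawned in container (user=app command=sh container=batch-7 image=alpine)","priority":"Notice","rule":"Shell Spawned in Container","source":"syscall","tags":["container","shell"],"time":"2024-05-01T10:01:00.000000000Z","output_fields":{"container.image.repository":"alpine","container.name":"batch-7","proc.cmdline":"sh","user.name":"app"}}
"""

def parse_alerts(lines):
    """Parse Falco JSON alert lines; returns (alerts, skipped_count)."""
    alerts, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            obj = None
        if not isinstance(obj, dict) or "rule" not in obj:
            skipped += 1  # malformed line or not a Falco alert object
            continue
        alerts.append(obj)
    return alerts, skipped

def at_or_above(alerts, minimum="Warning"):
    """Keep alerts whose Falco priority is at least `minimum`."""
    cutoff = PRIORITY_ORDER.index(minimum)
    return [a for a in alerts if a.get("priority") in PRIORITY_ORDER
            and PRIORITY_ORDER.index(a["priority"]) <= cutoff]

def timeline_by_container(alerts):
    """Group alerts by container.name, ordered by time, for incident triage."""
    grouped = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.get("time", "")):
        f = a.get("output_fields", {})
        grouped[f.get("container.name", "<host>")].append(
            (a["time"], a["priority"], a["rule"], f.get("proc.cmdline", "")))
    return dict(grouped)

if __name__ == "__main__":
    alerts, _ = parse_alerts(SAMPLE_ALERTS.splitlines())
    print(timeline_by_container(at_or_above(alerts)))
```

Feed real alerts with `parse_alerts(open("/var/log/falco/alerts.json"))` in place of the constructed sample.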

REQUIRED CONTEXT

  • lab or test environment
  • python 3.8+

EXPECTED OUTPUT

Format: markdown
Constraints
  • include yaml rules
  • include bash examples
  • list key detection rules

EXAMPLES

Includes one custom Falco YAML rule and two bash command examples for running Falco and parsing alerts.

CAVEATS

Missing context
  • Target audience or user expertise level beyond the listed prerequisites
  • Exact output format expected from the AI (e.g., step-by-step commands, full rule files, analysis report)
  • Lab environment constraints or Falco version compatibility
Ambiguities
  • Instructions section gives high-level goals ('Deploy and manage Falco rules... Parse Falco alerts') without concrete steps or success criteria.
  • Does not specify desired output format or length for alert parsing or rule deployment.

QUALITY

OVERALL: 0.52
CLARITY: 0.75
SPECIFICITY: 0.55
REUSABILITY: 0.35
COMPLETENESS: 0.50

IMPROVEMENT SUGGESTIONS

  • Add explicit placeholders (e.g., {{rule_file_path}}, {{container_name}}) to improve reusability as a template.
  • Replace the vague 'Instructions' paragraph with numbered, actionable steps for deploying rules and parsing alerts.
  • Specify the expected response structure (e.g., 'Return a validated YAML file plus sample Python parser code').

USAGE

Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.
