Falco finding

This rule is part of a beta feature. To learn more, contact Support.

Goal

Respond to potential security threats detected by Falco rules promptly and effectively, minimizing the risk of security breaches and ensuring the integrity of the system.

Strategy

Trigger notifications for any potential security threat detected by Falco default or custom rules.

Triage and Response

  1. Review the detected log, noting the specific Falco rule that fired, the affected hostname, and the priority level.
  2. Investigate relevant logs, network traffic captures, and system data to identify the root cause.
  3. Determine the potential impact and legitimacy of the activity. If the activity is deemed benign, tune the rule in Falco (for example, by adding an exception for the process, container, or path involved) rather than ignoring the alert.

Note

If the noise level is too high from these signals, you can upgrade, tune, or override your Falco rules, as appropriate. This third-party rule only elevates Falco alerts from logs whose Falco tags array (ingested as the @tags attribute) contains the value maturity_stable; the Datadog tags field on the log is not consulted, so custom or incubating Falco rules without that tag will not produce a finding.
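The triage steps above and the maturity_stable gate described in the Note can be checked offline against raw Falco output. The following Python script is an added example, not Datadog's or Falco's own code: it assumes Falco's json_output line format (rule, priority, hostname, tags, output, output_fields), uses constructed sample events rather than captured data, keeps only events whose own tags array contains maturity_stable, and orders the survivors by Falco priority so an analyst starts with the most severe rule, host, and priority triple.

```python
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Falco priorities from most to least severe (Falco's own ordering).
PRIORITY_ORDER = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

# Constructed sample events in Falco's json_output shape (not captured data).
# Rule names, hosts and field values are illustrative only.
SAMPLE_FALCO_LOGS = [
    '{"hostname":"node-a","priority":"Warning","rule":"Terminal shell in container",'
    '"source":"syscall","tags":["container","shell","mitre_execution","T1059","maturity_stable"],'
    '"time":"2024-05-01T10:00:00.000000000Z","output":"A shell was spawned in a container with an attached terminal",'
    '"output_fields":{"container.id":"abc123","proc.name":"bash","user.name":"root"}}',
    '{"hostname":"node-b","priority":"Critical","rule":"Write below etc",'
    '"source":"syscall","tags":["filesystem","mitre_persistence","T1098","maturity_stable"],'
    '"time":"2024-05-01T10:00:05.000000000Z","output":"File below /etc opened for writing",'
    '"output_fields":{"fd.name":"/etc/cron.d/backdoor","proc.name":"sh","user.name":"root"}}',
    '{"hostname":"node-a","priority":"Notice","rule":"Custom: curl to unknown host",'
    '"source":"syscall","tags":["network","maturity_incubating"],'
    '"time":"2024-05-01T10:00:09.000000000Z","output":"Outbound curl observed",'
    '"output_fields":{"proc.name":"curl","fd.sip":"203.0.113.10"}}',
    '{"hostname":"node-c","priority":"Error","rule":"Untagged custom rule",'
    '"source":"syscall","time":"2024-05-01T10:00:12.000000000Z","output":"no tags field at all",'
    '"output_fields":{}}',
    'this line is not JSON and must be skipped, not crash the triage',
]


@dataclass
class TriageItem:
    rule: str
    hostname: str
    priority: str
    tags: list
    output: str
    output_fields: dict = field(default_factory=dict)

    def severity_rank(self) -> int:
        # Unknown priority strings sort last instead of raising.
        if self.priority in PRIORITY_ORDER:
            return PRIORITY_ORDER.index(self.priority)
        return len(PRIORITY_ORDER)


def parse_falco_event(line: str) -> Optional[dict]:
    """Parse one Falco JSON line; return None for anything that is not a JSON object."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def should_elevate(event: dict) -> bool:
    """The gate from the Note: only events whose own Falco 'tags' array
    (the @tags attribute after ingestion) contains maturity_stable count.
    A missing or non-list tags value never elevates."""
    tags = event.get("tags")
    return isinstance(tags, list) and "maturity_stable" in tags


def triage(lines) -> List[TriageItem]:
    """Step 1 of the triage: pull rule, hostname and priority from each
    elevated event and order them most-severe first."""
    items = []
    for line in lines:
        event = parse_falco_event(line)
        if event is None or not should_elevate(event):
            continue
        items.append(TriageItem(
            rule=event.get("rule", "<unknown rule>"),
            hostname=event.get("hostname", "<unknown host>"),
            priority=event.get("priority", "<unknown>"),
            tags=event["tags"],
            output=event.get("output", ""),
            output_fields=event.get("output_fields") or {},
        ))
    return sorted(items, key=TriageItem.severity_rank)


def suppressed(lines) -> List[str]:
    """Rule names Falco emitted that this gate drops, so you can see which
    custom or incubating rules will never become findings."""
    return [e["rule"] for e in map(parse_falco_event, lines)
            if e is not None and not should_elevate(e) and "rule" in e]


if __name__ == "__main__":
    for item in triage(SAMPLE_FALCO_LOGS):
        print(f"[{item.priority}] {item.rule} on {item.hostname}: {item.output}")
        for key, value in item.output_fields.items():
            print(f"    {key} = {value}")
    print("not elevated (no maturity_stable tag):", suppressed(SAMPLE_FALCO_LOGS))
```

Feeding real Falco output through suppressed() before enabling the rule is a quick way to find custom rules that need the maturity_stable tag added if they are meant to generate findings; tuning a noisy rule, by contrast, belongs in the Falco rule file itself, not in this filter.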
