Setting Up Falco Talon

Caution

Falco Talon needs to be installed before Falco and Falco Sidekick

Download Falco Talon chart to local

git clone https://github.com/falcosecurity/charts.git

Remove the existing default rules and add custom ones

cd charts/charts/falco-talon

rm rules.yaml

wget https://raw.githubusercontent.com/janudabethmin/falco-setup/refs/heads/main/rules.yaml 

Install falco talon

Important

Remember to be in the charts/charts/falco-talon directory before running the command below.

helm upgrade --install falco-talon -n falco --create-namespace .

---

Setup of Falco and Falco Sidekick

Adding Falco helm charts

kubectl create namespace falco
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update falcosecurity

Visit Falco Rules Explorer for detailed view of falco rules.

Installing Falco and Falco Sidekick

helm install falco falcosecurity/falco --namespace falco \
  --create-namespace \
  --set tty=true \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true \
  --set falcosidekick.webui.redis.storageEnabled=false \
  --set falcosidekick.config.webhook.address=http://falco-talon:2803 

Adding custom falco rules to the initial Falco installation

helm install falco falcosecurity/falco --namespace falco \
  --create-namespace \
  --set tty=true \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true \
  --set falcosidekick.webui.redis.storageEnabled=false \
  --set falcosidekick.config.webhook.address=http://falco-talon:2803 \
  -f custom-rules.yaml

Adding custom falco rules to the existing Falco installation

helm upgrade falco falcosecurity/falco --namespace falco \
  --set tty=true \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true \
  --set falcosidekick.webui.redis.storageEnabled=false \
  --set falcosidekick.config.webhook.address=http://falco-talon:2803 \
  --reuse-values \
  -f custom-rules.yaml

Important

The custom rule that we are adding here is for a attomic red test that will not be identified by Falco default rules. Will be described in the next section.

Watching the logs of Falco

kubectl logs -n falco -c falco -f -l app.kubernetes.io/name=falco

Portforwarding Falco Sidekick UI

kubectl port-forward -n falco svc/falco-falcosidekick-ui  2802:2802

Note

Default username and password both for Falco Sidekick UI is admin

Creating a Pod for testing

kubectl apply -f https://raw.githubusercontent.com/janudabethmin/falco-setup/refs/heads/main/ubuntu-pod.yaml

Get into the terminal of the Pod

kubectl exec -it $(kubectl get pods -l app=ubuntu -o jsonpath='{.items[0].metadata.name}') -- /bin/bash

Can keep this running to check whether a specific rule is triggered

kubectl logs -f --tail=0 -n falco -c falco -l app.kubernetes.io/name=falco | grep 'Warning Grep private keys'

Running a command that will trigger some rules

find /root -name "id_rsa"

---

Installing Atomic Red for Threat Simulation

Create a new namespace for Atomic Red Team

kubectl create namespace atomic-red

Deploying Atomic Red to the cluster

kubectl apply -f https://raw.githubusercontent.com/janudabethmin/falco-setup/refs/heads/main/atomic-red.yaml

Getting into the Atomic Red's terminal

kubectl exec -it -n atomic-red deploy/atomicred -- bash

We need to use PowerShell to run the Atomic Red's commands because it only supports Windows.

pwsh

Importing Atomic Red module

Import-Module "~/AtomicRedTeam/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1" -Force

Getting details of a specific atomic red command

Invoke-AtomicTest T1070.004 -ShowDetails

Check the prerequisites for a specific atomic red command

Invoke-AtomicTest T1070.004 -GetPreReqs

Running a specific atomic red command

Invoke-AtomicTest T1070.004

Tables of Atomic Red Team Attacks That Can Be Used to Test Falco Rules

Attack	Command to View Logs	Grep the specific logs using pipes	Command to Execute Attack	Description	Identified by Default Falco Rules?
T1070.004	kubectl logs -f --tail=0 -n falco -c falco -l app.kubernetes.io/name=falco	grep 'Bulk data has been removed from disk'	Invoke-AtomicTest T1070.004	Bulk file deletion	Yes
T1556.003	kubectl logs -f --tail=0 -n falco -c falco -l app.kubernetes.io/name=falco	grep 'Sensitive file opened for reading by non-trusted program'	Invoke-AtomicTest T1556.003	Modify Authentication Process	Yes
T1036.005	kubectl logs -f --tail=0 -n falco -c falco -l app.kubernetes.io/name=falco	grep 'Executing binary not part of base'	Invoke-AtomicTest T1036.005	Masquerading: Match Legitimate Name or Location	Yes
T1070.002	kubectl logs -f --tail=0 -n falco -c falco -l app.kubernetes.io/name=falco	grep 'Log files were tampered'	Invoke-AtomicTest T1070.002	Indicator Removal on Host	Yes
T1070.003	kubectl logs -f --tail=0 -n falco -c falco -l app.kubernetes.io/name=falco	grep 'Shell history had been deleted or renamed'	Invoke-AtomicTest T1070.003	Clear Command History	Yes
T1014	kubectl logs -f --tail=0 -n falco -c falco -l app.kubernetes.io/name=falco	```grep 'Linux Kernel Module injection from container detected'`	Invoke-AtomicTest T1014	Kernel Module Based Rootkit	Yes
T1037.004	kubectl logs -f --tail=0 -n falco -c falco -l app.kubernetes.io/name=falco	grep 'Potentially malicious Python script'	Invoke-AtomicTest T1037.004	Boot Initialization - RC Scripts	No

Important

We have added the custom rule for the T1070.004 attack to the custom-rules.yaml file. Use the commands in the previous section to add the custom rules to Falco.

More commands to try that will trigger alerts

find /root -name "id_rsa"

cat /etc/shadow > /dev/null

grep "aws_secret_access_key" /etc/shadow

---

Testing Falco Talon

Get into the terminal of the Ubuntu Pod created before

kubectl exec -it $(kubectl get pods -l app=ubuntu -o jsonpath='{.items[0].metadata.name}') -- /bin/bash

Running a command

find /root -name "id_rsa"

Note

This will add a tag suspicious: "true" to the Ubuntu Pod as a responce to the detection done by falco, as we wrote in the falco-talon rules.