Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[TRACKING] New anomalydetection Plugin - Targeting First Release for Falco 0.39.0 #3117

Open
incertum opened this issue Feb 27, 2024 · 7 comments · May be fixed by falcosecurity/plugins#419
Open

[TRACKING] New anomalydetection Plugin - Targeting First Release for Falco 0.39.0 #3117

incertum opened this issue Feb 27, 2024 · 7 comments · May be fixed by falcosecurity/plugins#419
Assignees
@incertum
Labels
kind/feature
Milestone
0.40.0

Comments

@incertum
Copy link
Contributor

incertum commented Feb 27, 2024
edited
Loading

Motivation

This issue is to track the development progress for a new anomalydetection plugin, as outlined in the Proposal.

The objective is to provide updates on the progress of the development, ensuring alignment with the proposed framework. Additionally, it aims to identify any potential blockers that may hinder progress.

The initial scope will focus exclusively on "CountMinSketch Powered Probabilistic Counting and Filtering" for a subset of syscalls and a selection of options to define behavior profiles. The primary objective of this new framework is to offer tangible advantages in real-world production environments and substantially improve the usability of standard Falco rules. Essentially, this framework eliminates the requirement for meticulous tuning of individual rules and facilitates the utilization of probabilistic count estimates to alleviate the impact of noisy rules. Additionally, it enables the creation of broader Falco rules.

Edit: v1 PR can be found here: falcosecurity/plugins#419
@incertum incertum added this to the 0.39.0 milestone Feb 27, 2024
@incertum incertum self-assigned this Feb 27, 2024
@incertum incertum linked a pull request Feb 27, 2024 that will close this issue
Open
@poiana
Copy link
Contributor

poiana commented May 27, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@incertum
Copy link
Contributor Author

/remove-lifecycle stale

On track.

@incertum
Copy link
Contributor Author

incertum commented Jul 15, 2024
edited
Loading

CC @@an1245, @quentinkhoo

@incertum
Copy link
Contributor Author

Just moved the PR out of Draft mode. It is now feature-complete and ready for review. The README has also been updated with more info.

Starting the testing on some more beefy test servers as we speak ... plus will also attempt to provide some useful initial use case guidelines (something that is missing right now).

The plugin will work with Falco >= 0.38.2.

@incertum
Copy link
Contributor Author

After initial review let's setup the CI to publish some test artifacts @jasondellaluce.

@FedeDP
Copy link
Contributor

FedeDP commented Oct 1, 2024

Hey Melissa, is the plugin ready?
Otherwise can we move to 0.40.0? :D Thanks!

@leogr leogr modified the milestones: 0.39.0, 0.40.0 Oct 1, 2024
@leogr
Copy link
Member

leogr commented Oct 1, 2024

I moved this to 0.40. However, this should not be tied to the Falco release.

Anyway, just talked with @jasondellaluce and I guess we can merge the plugin PR soon.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@incertum incertum

Labels
kind/feature
Projects
None yet
Milestone
0.40.0
4 participants
@leogr @FedeDP @incertum @poiana