Any osquery users also using (or considering) Falco?

I am struggling to think about the use case here, would that mean that Fleet would be acting as the ingestion point, but having no control over pushing down rules, etc.?

It seems like an interesting question. As I understand it, falco gathers something like audit/kprobe/bpf events, and then does analysis on them. Would a hypothetical perfect-world integration look like: 1. osquery has access to the falco alert stream? This feels weird and out of scope 2. osquery has access to the falco sensor data? This feels better approached via bpf tables, or a kprobe table 3. falco has access to osquery data? Feels akin to streamalert I really want there to be an interesting overlap, but I haven’t come up with it yet.

Initially I think it would be more like #1 -- osquery has access to other streams such as syslog, ASL, windows eventlog -- I wonder if it would be useful for osquery to be able to ship the Falco alerts into the same logging pipeline that folks already have set up. Additionally, if osquery is running on the container host, there are other tables that could have value.

ive been thinking about looking at falco most likely to replace auditd but i havent really had time to dig into it

#1 Would this option require deploying both osquery and Falco inside k8s pods?

It would not need to run inside each pod. Both osquery and Falco would run on the host (or within a single container on the host).

More data in structured format is interesting.