It seems like an interesting question. As I understand it, falco gathers something like audit/kprobe/bpf events, and then does analysis on them.
Would a hypothetical perfect-world integration look like:
1. osquery has access to the falco alert stream? This feels weird and out of scope
2. osquery has access to the falco sensor data? This feels better approached via bpf tables, or a kprobe table
3. falco has access to osquery data? Feels akin to streamalert
I really want there to be an interesting overlap, but I haven’t come up with it yet.