Difficulty: Beginner
Estimated Time: 10 minutes


To identify risks and possible threats in our IT landscape, you need to gather all data that is relevant. But how do you know it's relevant ??? With new technologies like Kubernetes (k8s) digital security requires a more sophisticated approach. Do think about the new Security implications containers and orchestrators do introduce, like their fast life-cycle, dynamic scaling and internal traffic flows.Some of those implications can be mitigated by using Istio, but for more fine granular telemetry and analysis we can't rely on only this layer of protection.

For such tasks as fine granular telemetry and analysis we need a flexible toolkit that supports this without sacrificing on richness to extend and scale. Sysdig and Elastic Stack are the main ingredients for this toolkit. Combining those two forces will deliver best of both worlds.

Let's take a look at the goals

First of all we will deploy the necessary components like the Elastic Stack in this Katacoda environment. After these deployment steps we will use Helm to deploy our first experiment using Sysdig Falco. During this experiment we will take a look at the powerfull rule-engine and possibilites to automate alerting, in this case towards the Elastic stack. Second experiment will involve extending the default-ruleset with even more extra [rulesets]{https://github.com/draios/falco-extras). During this experiment we will trigger some elasticsearch specific alerts towards elasticsearch, isn't that funny. At the end will experiment around Sysdig Inspect and using the core tracing functionality. For this we will identify NgInx related behavior.

Additionally i want to give some credits to @Micheal.Ducy and @Dan.Roscigno.

Kibana Example

A Quick Katacoda Primer

If this is your first time using Katacoda, let me introduce some of the cool ideas:

  • In general, you don't need to type. Most of the time, you can simply click on a command in the instructions to run it.
  • If you need access to a web browser, look for tabs at the top of the terminal window. In this course you will need three pages - one for Nginx, one for Kibana and one for Sysdig-Inspect. You should see a NgInx, Kibana tab and a Sysdig-Inspect tab in the terminal. Likewise, once you have deployed the applications running you should open that tab.
  • Each time you start or restart a course everything gets reset. If you misconfigure something somehow, simply restart the course.

Great !!! You have succesfully completed this workshop. I hope you enjoyed it.

the end

Setup multi-platform Threat Hunting Platform with Sysdig & Elastic Stack

Step 1 of 11

Validate Our Up and Running Kubernetes Cluster

A Kubernetes cluster started when you began the scenario. Run the kubectl get nodes command to see if the nodes are in the Ready state:

kubectl get nodes

If the command returns NotReady, then wait a couple of seconds before retrying.