# Monitoring with Falco

<https://cloud.hacktricks.xyz/pentesting-cloud/kubernetes-security/kubernetes-hardening/monitoring-with-falco>

> `Falco`, the cloud-native runtime security project, is the de facto Kubernetes threat detection engine. Falco was created by Sysdig in 2016 and is the first runtime security project to join CNCF as an incubation-level project. Falco detects unexpected application behavior and alerts on threats at runtime.

Falco uses system calls to secure and monitor a system, by:

* Parsing the Linux system calls from the kernel at runtime
* Asserting the stream against a powerful rules engine
* Alerting when a rule is violated

Falco ships with a default set of rules that check the kernel for unusual behavior such as:

* Privilege escalation using privileged containers
* Namespace changes using tools like setns
* Reads/writes to well-known directories such as /etc, /usr/bin and /usr/sbin
* Creating symlinks
* Ownership and mode changes
* Unexpected network connections or socket mutations
* Spawned processes using execve
* Executing shell binaries such as sh, bash, csh, zsh, etc
* Executing SSH binaries such as ssh, scp, sftp, etc
* Mutating Linux coreutils executables
* Mutating login binaries
* Mutating shadow-utils or passwd executables such as shadowconfig, pwck, chpasswd, getpasswd, change, useradd, and others

Get more details about the Falco deployment (the pods carry the `app=falco` label):

```bash
kubectl get pods --selector app=falco
```

Manually obtain (and follow) the logs from the Falco pods:

```bash
kubectl logs -f -l app=falco
```
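The log stream above is where Falco's alerts land. As an added example (not part of the original page or of the Falco project), the following script triages such alerts when Falco runs with `json_output: true`, keeping only those at or above a chosen priority and counting them per namespace, pod and rule; the alert lines are constructed for this example and follow the field names of Falco's JSON output.

```python
import json
from collections import Counter

# Falco priority levels, most severe first (the order Falco itself uses).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# Constructed sample in the shape of `kubectl logs -l app=falco` with json_output enabled.
# These are not real captures; the last line stands in for non-JSON startup noise.
SAMPLE_LOG = """\
{"time":"2024-05-01T10:00:00.000000000Z","rule":"Terminal shell in container","priority":"Notice","output":"Notice A shell was spawned in a container with an attached terminal","output_fields":{"k8s.ns.name":"default","k8s.pod.name":"web-7f9c","container.id":"a1b2c3d4e5f6","proc.cmdline":"bash","user.name":"root"}}
{"time":"2024-05-01T10:00:05.000000000Z","rule":"Write below etc","priority":"Error","output":"Error File below /etc opened for writing","output_fields":{"k8s.ns.name":"default","k8s.pod.name":"web-7f9c","container.id":"a1b2c3d4e5f6","proc.cmdline":"vi /etc/hosts","user.name":"root"}}
{"time":"2024-05-01T10:01:00.000000000Z","rule":"Read sensitive file untrusted","priority":"Warning","output":"Warning Sensitive file opened for reading by non-trusted program","output_fields":{"k8s.ns.name":"payments","k8s.pod.name":"api-5d2a","container.id":"0f0f0f0f0f0f","proc.cmdline":"cat /etc/shadow","user.name":"app"}}
Thu May  1 10:01:01 2024: Falco version 0.37.1 (x86_64)
"""


def priority_rank(name):
    """Lower rank means more severe; unknown names sort after Debug."""
    return PRIORITIES.index(name) if name in PRIORITIES else len(PRIORITIES)


def parse_alerts(text):
    """Return one dict per JSON alert line, skipping banners and malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def at_least(alerts, min_priority):
    """Keep alerts whose priority is at least min_priority (e.g. 'Warning')."""
    cutoff = priority_rank(min_priority)
    return [a for a in alerts if priority_rank(a.get("priority", "")) <= cutoff]


def summarize(alerts):
    """Count alerts per (namespace, pod, rule) so repeated noise from one pod stands out."""
    counts = Counter()
    for a in alerts:
        f = a.get("output_fields", {})
        counts[(f.get("k8s.ns.name", "?"), f.get("k8s.pod.name", "?"), a.get("rule", "?"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(at_least(parse_alerts(SAMPLE_LOG), "Warning")).most_common():
        print(n, *key)
```

To run it against a cluster, replace `SAMPLE_LOG` with the text returned by `kubectl logs -l app=falco` (without `-f`).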
