
What are your users kubectl-ing into your Kubernetes cluster?

Formal Metadata

Title
What are your users kubectl-ing into your Kubernetes cluster?
Title of Series
Number of Parts
561
Author
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
In any Cloud Native architecture, there’s a seemingly endless stream of events that happen at each layer. These events can be used to detect abnormal activity and possible security incidents, as well as to provide an audit trail of activity. In this talk, we’ll cover how we extended Falco, the container behavior monitoring tool, to ingest events beyond just host system calls, such as Kubernetes audit events. We will also show how to create Falco rules to detect behaviors in these new event streams, e.g., a user trying to create a serviceAccount or storing some credentials in a ConfigMap rather than in a Secret. Attendees will gain a deep understanding of the Kubernetes audit system, and how to audit and trigger events based on anomalous Kubernetes behavior.