Finding out there is "suspicious activity" in your infrastructure is enough to make any DevOps engineer's heart rate spike. If you're running containerized workloads, you need a way to see exactly what's happening inside those isolated environments in real time. Falco, the open-source standard for cloud-native runtime security, gives you that visibility.

In this guide, we'll walk through a hands-on scenario: investigating a suspicious Nginx container by detecting unauthorized process spawning. A team member reports odd behavior in a specific container. Our goal is to use Falco to monitor the execve system call (the call made whenever a new process is started) and log those events to a report for analysis.

Step 1: Create a Custom Falco Rule

Falco uses a flexible YAML-based syntax for defining security rules. We need to create a rule specifically targeting our Nginx container.…
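The following is an added example, not part of the original guide, showing the two halves of the workflow described above: a custom Falco rule that fires on execve/execveat in the Nginx container, and a small script that turns Falco's JSON-lines output into a per-container report. Assumptions are marked in the code: the container is named "nginx", the rule file path and the process allow-list are the author's choice, and the Falco alert lines are constructed for illustration rather than captured from a real system.

```python
"""Custom Falco rule for an nginx container plus a report builder for its alerts.

Run Falco with the rule and JSON output, e.g.
    falco -r /etc/falco/custom-nginx-rules.yaml -o json_output=true > falco.log
then feed falco.log to build_report(). Everything below is illustrative.
"""
import json
from collections import Counter

# Assumption: the container under investigation is named "nginx".
# Assumption: only the nginx binary itself is expected to exec inside it;
# anything else is reported. Adjust the allow-list for your image.
FALCO_RULE = """\
- rule: Unexpected process spawned in nginx container
  desc: New process started inside the nginx container that is not nginx itself
  condition: >
    evt.type in (execve, execveat) and evt.dir = <
    and container.id != host
    and container.name = "nginx"
    and not proc.name in (nginx)
  output: >
    Unexpected process in nginx container
    (user=%user.name command=%proc.cmdline parent=%proc.pname
    container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [container, process, nginx]
"""

# Constructed sample of Falco output: one plain-text startup line (Falco prints
# those before the first alert) followed by three JSON alerts.
SAMPLE_FALCO_OUTPUT = [
    "Loading rules from file /etc/falco/custom-nginx-rules.yaml",
    json.dumps({"output": "10:00:01.000000000: Warning Unexpected process in nginx container",
                "priority": "Warning", "rule": "Unexpected process spawned in nginx container",
                "time": "2025-01-01T10:00:01.000000000Z",
                "output_fields": {"container.name": "nginx", "proc.cmdline": "sh -c id",
                                  "proc.pname": "nginx", "user.name": "root",
                                  "container.image.repository": "nginx"}}),
    json.dumps({"output": "10:00:01.000500000: Warning Unexpected process in nginx container",
                "priority": "Warning", "rule": "Unexpected process spawned in nginx container",
                "time": "2025-01-01T10:00:01.000500000Z",
                "output_fields": {"container.name": "nginx", "proc.cmdline": "id",
                                  "proc.pname": "sh", "user.name": "root",
                                  "container.image.repository": "nginx"}}),
    json.dumps({"output": "10:00:02.000000000: Warning Unexpected process in api container",
                "priority": "Warning", "rule": "Unexpected process spawned in nginx container",
                "time": "2025-01-01T10:00:02.000000000Z",
                "output_fields": {"container.name": "api", "proc.cmdline": "apt-get update",
                                  "proc.pname": "bash", "user.name": "app",
                                  "container.image.repository": "example/api"}}),
]


def write_rule_file(path):
    """Write the rule to disk; returns the number of characters written."""
    with open(path, "w", encoding="utf-8") as fh:
        return fh.write(FALCO_RULE)


def parse_falco_events(lines):
    """Parse Falco JSON-lines output, skipping banner lines and malformed JSON."""
    events = []
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def build_report(events):
    """Aggregate alerts per container: count, distinct users, command histogram."""
    report = {}
    for ev in events:
        fields = ev.get("output_fields", {})
        name = fields.get("container.name", "<unknown>")
        entry = report.setdefault(name, {"count": 0, "users": set(), "commands": Counter()})
        entry["count"] += 1
        entry["users"].add(fields.get("user.name", "?"))
        entry["commands"][fields.get("proc.cmdline", "?")] += 1
    return report


def format_report(report):
    """Render the aggregate as plain text, most active container first."""
    out = []
    for name, entry in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        out.append(f"container={name} spawns={entry['count']} users={','.join(sorted(entry['users']))}")
        for cmd, n in entry["commands"].most_common():
            out.append(f"  {n}x {cmd}")
    return "\n".join(out)


if __name__ == "__main__":
    write_rule_file("custom-nginx-rules.yaml")
    print(format_report(build_report(parse_falco_events(SAMPLE_FALCO_OUTPUT))))
```

The condition restricts itself to the exit side of execve/execveat (`evt.dir = <`) so the alert carries the resolved process name, and `container.id != host` keeps host processes out of scope. The report groups by container first because a rule written for one container will still show you, in the same log, whether the behavior is isolated or spreading.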