Security Monitoring with Sysdig Falco

In May 2016, the developers of Sysdig released Falco, a tool for detecting anomalous system behavior.

Falco consists of two main components: the sysdig_probe kernel module (the same module Sysdig itself runs on) and a daemon that writes the information it collects to disk.

Falco tracks applications according to user-defined rules, and if any anomalies are detected, it writes the information to standard output, syslog, or a user-defined file. In their blog, the developers jokingly call Falco "…a hybrid of snort, ossec and strace," and position it as a simple IDS that puts almost no additional load on the system.