new(docs): update getting started pages

content/en/docs/getting-started/_index.md

@@ -1,20 +1,54 @@
 ---
 title: Getting Started
 description: Getting started with Falco
+hide_section_index: true
 weight: 10
 ---
 
-Falco is a cloud-native security tool. It provides near real-time threat detection for cloud, container, and Kubernetes workloads by leveraging runtime insights. Falco can monitor events from various sources, including the Linux kernel, and enrich them with metadata from the Kubernetes API server, container runtime, and more.
+Falco is a cloud-native security tool. It provides near real-time threat detection for cloud, container, and Kubernetes workloads by leveraging runtime insights. Falco can monitor events defined via customizable {{< glossary_tooltip text="rules" term_id="rules" >}} from various sources, including the Linux kernel, and enrich them with metadata from the Kubernetes API server, container runtime, and more. Falco supports a wide range of kernel versions, x86_64 and ARM64 architectures, and many different {{< glossary_tooltip text="output" term_id="outputs" >}} channels.
 
-Once Falco has received these events, it compares them to a set of {{< glossary_tooltip text="rules" term_id="rules" >}} to determine if the actions being performed need further investigation. If they do, Falco can forward the {{< glossary_tooltip text="output" term_id="outputs" >}} to multiple different endpoints either natively (syslog, stdout, HTTPS, and gRPC endpoints) or with the help of [Falcosidekick](https://github.com/falcosecurity/falcosidekick), a companion tool that offers integrations to several different applications and services. 
+## Try it now
 
-## Falco Architecture
+Get started on your Linux host or Kubernetes cluster.
 
-  Falco operates in both kernel and user space. In kernel space, Linux system calls ({{< glossary_tooltip text="syscalls" term_id="syscalls" >}}) are collected by a {{< glossary_tooltip text="driver" term_id="drivers" >}}, for example, the Falco kernel module or Falco eBPF probe. Next, syscalls are placed in a {{< glossary_tooltip text="ring buffer" term_id="ring-buffer" >}} from which they are moved into user space for processing. The events are filtered using a rules engine with a Falco rule set. Falco ships with a default set of rules, but operators can modify or turn off those rules and add their own. If Falco detects any suspicious events those are forwarded to various endpoints.
+{{< link_wrapper href="falco-docker-quickstart" class="section-index">}}
+{{< card class="card-sm shadow btn btn-light p-0">}}
+<div class="text-left d-flex gap-4">
+    <img class="align-self-center icon-4 icon-lg-5" src="/img/docker-logo.png" alt="Docker" loading="lazy">
+    <div class="align-self-center">
+        <div class="card-title mb-2">
+            <h5>Try Falco with Docker</h5>
+        </div>
+        <span class="card-text text-black-50">Run Falco on your host with a Docker container</span>
+    </div>
+</div>
+{{< /card >}}
+{{< /link_wrapper >}}
 
-![Falco Architecture](images/falco-architecture-v2.png)
-
-## Next Steps   
-
-A great next step would be to try Falco yourself. The quickstart below walks through how to get Falco running on a Linux host, create a suspicious event, and then check the Falco output. 
+{{< link_wrapper href="falco-kubernetes-quickstart" class="section-index mt-3">}}
+{{< card class="card-sm shadow btn btn-light p-0">}}
+<div class="text-left d-flex gap-4">
+    <img class="align-self-center icon-4 icon-lg-5" src="/img/kubernetes-logo.png" alt="Kubernetes" loading="lazy">
+    <div class="align-self-center">
+        <div class="card-title mb-2">
+            <h5>Try Falco on Kubernetes</h5>
+        </div>
+        <span class="card-text text-black-50">Install Falco and Falcosidekick on your Kubernetes cluster with Helm</span>
+    </div>
+</div>
+{{< /card >}}
+{{< /link_wrapper >}}
 
+{{< link_wrapper href="falco-linux-quickstart" class="section-index mt-3">}}
+{{< card class="card-sm shadow btn btn-light p-0">}}
+<div class="text-left d-flex gap-4">
+    <img class="align-self-center icon-4 icon-lg-5" src="/img/ubuntu.png" alt="Ubuntu" loading="lazy">
+    <div class="align-self-center">
+        <div class="card-title mb-2">
+            <h5>Try Falco on Ubuntu</h5>
+        </div>
+        <span class="card-text text-black-50">Run Falco on your host or set up a Vagrant VM to try it</span>
+    </div>
+</div>
+{{< /card >}}
+{{< /link_wrapper >}}

content/en/docs/getting-started/additional-resources.md

@@ -4,7 +4,7 @@ description: Learn More About Falco
 slug: falco-additional
 aliases:
 - ../../falco-additional
-weight: 30
+weight: 40
 ---
 
 ## Learn more about Falco

content/en/docs/getting-started/docker-quickstart.md

@@ -0,0 +1,76 @@
+---
+title: Try Falco with Docker
+description: Try Falco locally using Docker
+slug: falco-docker-quickstart
+aliases:
+- ../../try-falco-with-docker
+weight: 10
+---
+
+## Install Falco
+
+First, ensure you have a Linux machine with a recent version of Docker installed. Note that the following will not work on Windows or macOS running Docker Desktop.
+
+Run the following command:
+
+```sh
+sudo docker run --rm -i -t --name falco --privileged  \
+    -v /var/run/docker.sock:/host/var/run/docker.sock \
+    -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro \
+    -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro \
+    falcosecurity/falco:{{< latest >}}
+```
+
+Falco is now monitoring your system using the [pre-installed set of rules](https://github.com/falcosecurity/rules/blob/main/rules/falco_rules.yaml) that alert you upon suspicious behavior.
+
+## Trigger a rule
+
+Open another terminal on the same machine and run:
+
+```sh
+sudo cat /etc/shadow
+```
+
+Now go back to Falco, and you'll see a message like:
+
+```
+2024-06-21T08:54:23.812791015+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=sudo ggparent=bash gggparent=tmux: evt_type=openat user=root user_uid=0 user_loginuid=1000 process=cat proc_exepath=/usr/bin/cat parent=sudo command=cat /etc/shadow terminal=34826 container_id=host container_name=host)
+```
+
+This is your first Falco event 🦅! If you are curious, [this](https://github.com/falcosecurity/rules/blob/c0a9bf17d5451340ab8a497efae1b8a8bd95adcb/rules/falco_rules.yaml#L398) is the rule that describes it.
+
+## Create a custom rule
+
+Now it's time to create our own rule and load it into Falco. We can be pretty creative with them, but let's stick with something simple. This time, we want to be alerted when any file is opened for writing in the `/etc` directory, either on the host or inside containers.
+
+Stop the Falco container with `Ctrl-C`, copy the following text in a file and call it `falco_custom_rules.yaml`:
+
+```yaml
+- rule: Write below etc
+  desc: An attempt to write to /etc directory
+  condition: >
+    (evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)
+    and fd.name startswith /etc
+  output: "File below /etc opened for writing (file=%fd.name pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)"
+  priority: WARNING
+  tags: [filesystem, mitre_persistence]
+```
+
+Then start Falco again, this time mounting the new rule file:
+
+```sh
+sudo docker run --name falco --rm -i -t --privileged \
+    -v $(pwd)/falco_custom_rules.yaml:/etc/falco/falco_rules.local.yaml \
+    -v /var/run/docker.sock:/host/var/run/docker.sock \
+    -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro \
+    -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro \
+    falcosecurity/falco:{{< latest >}}
+```
+
+Finally, open another terminal and write a file in `/etc`:
+
+```sh
+sudo touch /etc/test_file_falco_rule
+```
+
+You should see an alert in the Falco terminal, just as before. As you can see, a lot of contextual information is displayed, as it was specified in the `output` field of the rule. There are many such fields that you can use both in the condition and the output to build your rule.