Sysdig Falco is an open source behavioral activity monitoring
agent with native support for containers. Falco lets you define
highly granular rules, using a flexible syntax, to check for
file and network activity, process execution, IPC, and much
more. Falco notifies you when these rules are violated. You can
think of Falco as a mix between Snort, OSSEC, and strace.
Read more https://packetstormsecurity.com/files/155044/falco-0.18.0.tar.gz