Pulsar is a powerful, blazing fast
security observability framework designed specifically to address the challenges of embedded security of
At its core, Pulsar is an
event-driven framework for monitoring the activity of Linux devices. Pulsar allows you to collect
runtime information about the system from the
Linux kernel through its modules, enrich and transform this information into events, and publish the events on a shared event bus.
Through the Pulsar rules engine, you can write and apply any rule to
generate alerts when undesired system behaviour occurs (e.g. accessing certain areas of the filesystem or executing anomalous syscalls).
Any event that matches one of the rules enforced by the rules engine is known as a
In general, the
information collected by default from the kernel by the Pulsar modules through the
eBPF probes can be grouped into four distinct categories:
File I/O: I/O operations on disk and memory.
Network: data from the network stack.
Processes: process information, including file execution and file opening.
System Activity: device activity, including system calls.
Pulsar's modular design makes it easy to adapt the core architecture to diverse use cases. In fact, if there isn't yet a module that does what you need, you can simply
create one yourself and load it; all the events collected by the new module will be available on the
event bus for further processing and threat analysis.
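To make the pipeline described above concrete (modules publish events on a shared bus, the rules engine consumes them and raises an alert for every match), here is a small in-memory model written in Rust. This is an added example, not Pulsar's own code or API: the `EventBus`, `Rule` and `Threat` types, the two rules, the allowlisted binaries and the sample events are all assumptions made for illustration, and the sample events are constructed by hand to stand in for what the eBPF probes would report.

```rust
// Added example: a minimal model of modules -> shared event bus -> rules engine
// -> threats. Illustrative only; none of these types are Pulsar's real API.
use std::sync::mpsc::{channel, Receiver, Sender};

/// The four event categories listed in the text.
#[derive(Clone, Debug, PartialEq)]
pub enum Category { FileIo, Network, Process, SystemActivity }

/// One enriched kernel observation: which process, what kind, and a payload
/// (a path, a syscall name, or a remote address, depending on the category).
#[derive(Clone, Debug)]
pub struct Event {
    pub pid: u32,
    pub image: String, // executable that produced the event
    pub category: Category,
    pub payload: String,
}

/// Shared bus: every subscriber receives its own copy of each published event.
#[derive(Default)]
pub struct EventBus { subscribers: Vec<Sender<Event>> }

impl EventBus {
    pub fn subscribe(&mut self) -> Receiver<Event> {
        let (tx, rx) = channel();
        self.subscribers.push(tx);
        rx
    }
    pub fn publish(&self, ev: Event) {
        for tx in &self.subscribers {
            let _ = tx.send(ev.clone()); // a dropped receiver just means that consumer went away
        }
    }
}

/// A rule is a name plus a predicate over a single event.
pub struct Rule { pub name: &'static str, pub matches: fn(&Event) -> bool }

/// An event that matched a rule (the engine's output).
#[derive(Debug)]
pub struct Threat { pub rule: &'static str, pub event: Event }

/// Drain the engine's subscription and evaluate every rule against every event.
pub fn run_rules(rx: &Receiver<Event>, rules: &[Rule]) -> Vec<Threat> {
    let mut threats = Vec::new();
    while let Ok(ev) = rx.try_recv() {
        for r in rules {
            if (r.matches)(&ev) {
                threats.push(Threat { rule: r.name, event: ev.clone() });
            }
        }
    }
    threats
}

/// Two assumed rules mirroring the cases in the text: a sensitive filesystem
/// area touched by an unexpected process, and an anomalous syscall.
pub fn example_rules() -> Vec<Rule> {
    vec![
        Rule {
            name: "shadow file read by non-auth process",
            matches: |e: &Event| {
                e.category == Category::FileIo
                    && e.payload == "/etc/shadow"
                    && !matches!(e.image.as_str(), "/usr/sbin/sshd" | "/usr/bin/login")
            },
        },
        Rule {
            name: "ptrace from unexpected binary",
            matches: |e: &Event| {
                e.category == Category::SystemActivity
                    && e.payload == "ptrace"
                    && e.image != "/usr/bin/gdb"
            },
        },
    ]
}

/// Constructed sample events (assumed data, not captured from a real device).
pub fn sample_events() -> Vec<Event> {
    let ev = |pid: u32, image: &str, category: Category, payload: &str| Event {
        pid, image: image.into(), category, payload: payload.into(),
    };
    vec![
        ev(101, "/usr/sbin/sshd", Category::FileIo, "/etc/shadow"),        // allowlisted
        ev(202, "/tmp/dropper", Category::FileIo, "/etc/shadow"),          // matches rule 1
        ev(202, "/tmp/dropper", Category::Network, "203.0.113.5:4444"),    // no rule for this
        ev(303, "/usr/bin/gdb", Category::SystemActivity, "ptrace"),       // expected debugger
        ev(404, "/tmp/dropper", Category::SystemActivity, "ptrace"),       // matches rule 2
        ev(505, "/bin/sh", Category::Process, "/usr/bin/id"),              // no rule for this
    ]
}

/// Wire a "module" (the sample events) to the bus and run the engine over them.
pub fn demo() -> Vec<Threat> {
    let mut bus = EventBus::default();
    let engine_rx = bus.subscribe();
    for ev in sample_events() { bus.publish(ev); }
    run_rules(&engine_rx, &example_rules())
}

fn main() {
    for t in demo() {
        println!("THREAT [{}] pid={} image={} payload={}",
                 t.rule, t.event.pid, t.event.image, t.event.payload);
    }
}
```

Running it reports two threats (the `/tmp/dropper` read of `/etc/shadow` and its `ptrace` call) and stays silent for the allowlisted `sshd` and `gdb` events. The point of the fan-out `EventBus` is the one the text makes about modules: a new module only has to publish `Event`s, and the rules engine, or any other subscriber, sees them without further wiring.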
If what you've heard so far sounds interesting, check out the Getting Started section of the documentation to start using Pulsar. Or, follow along to dive deeper into the main Concepts behind Pulsar's design.