Pulsar is a powerful, blazing fast security observability framework designed specifically to address the challenges of embedded security.
At its core, Pulsar is an event-driven framework for monitoring the activity of Linux devices. Pulsar's modules collect runtime information about the system from the Linux kernel, enrich and transform that information into events, and publish the events on a shared event bus.
Through the Pulsar rules engine, you can write and apply any rule to generate alerts when undesired system behaviour occurs (e.g. accessing certain areas of the filesystem or executing anomalous syscalls).
Any event that matches one of the rules enforced by the rules engine is known as a threat event.
The information that Pulsar's built-in modules collect from the kernel through eBPF probes falls into four categories:
File I/O: I/O operations on disk and memory.
Network: data from the network stack.
Processes: process information, including file execution and file opening.
System Activity: device activity, including system calls.
Pulsar's modular design makes it easy to adapt the core architecture to diverse use cases. If there isn't yet a module that does what you need, you can create one and load it yourself: all the events collected by the new module become available on the event bus for further processing and threat analysis.
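To make the pipeline concrete, here is a small Rust model of the design described above: modules publishing events on a shared bus, a rules engine turning each match into a threat event, and a new module added by implementing one trait. It is an added illustration written for this page, not Pulsar's own code or API. Every type, module name, rule and sample event in it is an assumption made for the example, and the "probe" data is constructed inline rather than read from eBPF.

```rust
// Added illustration, not Pulsar's own code: a minimal model of the pipeline
// (modules -> shared event bus -> rules engine -> threat events). All types,
// names and sample data below are assumptions made for this example.
use std::sync::mpsc::{channel, Sender};

/// Event payload, one variant per category of collected information.
#[derive(Debug, Clone, PartialEq)]
enum Payload {
    FileOpened { path: String },
    Connect { dst: String, port: u16 },
    Exec { argv: Vec<String> },
}

/// An event as it travels on the bus: a common header plus a payload.
#[derive(Debug, Clone, PartialEq)]
struct Event {
    source: &'static str, // module that published the event
    pid: u32,
    image: String,        // executable of the process responsible
    payload: Payload,
}

/// A module is anything that can publish events on the bus.
trait Module {
    fn name(&self) -> &'static str;
    fn run(&self, bus: &Sender<Event>);
}

struct FileModule;
impl Module for FileModule {
    fn name(&self) -> &'static str { "file-events" }
    fn run(&self, bus: &Sender<Event>) {
        // Constructed sample data standing in for what an eBPF probe would report.
        for (pid, image, path) in [
            (512, "/usr/sbin/sshd", "/etc/shadow"),
            (700, "/usr/bin/python3", "/etc/shadow"),
            (701, "/usr/bin/python3", "/tmp/out.txt"),
        ] {
            bus.send(Event { source: self.name(), pid, image: image.into(),
                             payload: Payload::FileOpened { path: path.into() } }).unwrap();
        }
    }
}

struct NetworkModule;
impl Module for NetworkModule {
    fn name(&self) -> &'static str { "network-events" }
    fn run(&self, bus: &Sender<Event>) {
        // Constructed sample data (documentation IP ranges).
        for (pid, image, dst, port) in [
            (700, "/usr/bin/python3", "203.0.113.5", 4444),
            (800, "/usr/bin/curl", "198.51.100.7", 443),
        ] {
            bus.send(Event { source: self.name(), pid, image: image.into(),
                             payload: Payload::Connect { dst: dst.into(), port } }).unwrap();
        }
    }
}

struct ProcessModule;
impl Module for ProcessModule {
    fn name(&self) -> &'static str { "process-events" }
    fn run(&self, bus: &Sender<Event>) {
        bus.send(Event { source: self.name(), pid: 700, image: "/usr/bin/python3".into(),
                         payload: Payload::Exec { argv: vec!["python3".into(), "agent.py".into()] } })
           .unwrap();
    }
}

/// A rule is a name plus a predicate over events; every match is a threat event.
struct Rule { name: &'static str, condition: fn(&Event) -> bool }

#[derive(Debug, Clone, PartialEq)]
struct ThreatEvent { rule: &'static str, event: Event }

struct RulesEngine { rules: Vec<Rule> }
impl RulesEngine {
    fn evaluate(&self, ev: &Event) -> Vec<ThreatEvent> {
        self.rules.iter()
            .filter(|r| (r.condition)(ev))
            .map(|r| ThreatEvent { rule: r.name, event: ev.clone() })
            .collect()
    }
}

/// Run every module against one bus, then feed each event through the engine.
/// Returns (events seen on the bus, threat events raised).
fn run_pipeline(modules: &[Box<dyn Module>], engine: &RulesEngine) -> (usize, Vec<ThreatEvent>) {
    let (tx, rx) = channel();
    for m in modules { m.run(&tx); }
    drop(tx); // no publishers left, so the receiver's iterator ends once drained
    let mut seen = 0;
    let mut threats = Vec::new();
    for ev in rx {
        seen += 1;
        threats.extend(engine.evaluate(&ev));
    }
    (seen, threats)
}

fn demo() -> (usize, Vec<ThreatEvent>) {
    let engine = RulesEngine { rules: vec![
        Rule { name: "sensitive-file-read-by-untrusted-process",
               condition: |ev: &Event| ev.image != "/usr/sbin/sshd"
                   && matches!(&ev.payload, Payload::FileOpened { path } if path == "/etc/shadow") },
        Rule { name: "outbound-connection-to-unexpected-port",
               condition: |ev: &Event| matches!(&ev.payload,
                   Payload::Connect { port, .. } if ![22u16, 53, 80, 443].contains(port)) },
    ]};
    // Loading a new module means implementing `Module` and adding it to this list.
    let modules: Vec<Box<dyn Module>> =
        vec![Box::new(FileModule), Box::new(NetworkModule), Box::new(ProcessModule)];
    run_pipeline(&modules, &engine)
}

fn main() {
    let (seen, threats) = demo();
    println!("{} events on the bus, {} threat events", seen, threats.len());
    for t in &threats {
        println!("{} <- {} pid={} {:?}", t.rule, t.event.source, t.event.pid, t.event.payload);
    }
}
```

Of the six events the three modules publish, only two match a rule: python3 opening /etc/shadow, and python3 connecting to port 4444. The sshd read of /etc/shadow and the exec event pass through the bus without raising a threat, which is the point of keeping collection (modules) and judgement (rules) separate.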
If what you've heard so far sounds interesting, check out the getting started section of the documentation to start using Pulsar. Or, follow along to dive deeper into the main concepts behind Pulsar's design.