Falco Sidekick
In this example you are going to create a webhook integration between Falco Sidekick and Port, which will ingest alert entities.
Port configuration​
Create the following blueprint definition:
Alert blueprint
{
"identifier": "falco_alert",
"title": "Falco Alert",
"icon": "Alert",
"schema": {
"properties": {
"priority": {
"title": "Priority",
"type": "string"
},
"output": {
"title": "Output",
"type": "string"
},
"rule": {
"title": "Rule",
"type": "string"
},
"time": {
"title": "Time",
"type": "string",
"format": "date-time"
},
"source": {
"title": "Source",
"type": "string"
},
"tags": {
"title": "Tags",
"type": "array"
},
"output_field": {
"title": "Output Field",
"type": "object"
},
"hostname": {
"title": "Hostname",
"type": "string"
}
},
"required": []
},
"mirrorProperties": {},
"calculationProperties": {},
"aggregationProperties": {},
"relations": {}
}
Create the following webhook configuration using Port's UI
Alert webhook configuration
-
Basic details tab - fill the following details:
- Title :
Falco Alert Mapper; - Identifier :
falco_alert_mapper; - Description :
A webhook configuration to map Falco sidekicks alerts to Port; - Icon :
Alert;
- Title :
-
Integration configuration tab - fill the following JQ mapping:
[
{
"blueprint": "falco_alert",
"filter": "true",
"entity": {
"identifier": ".body.hostname + \"-\" + .body.time | tostring",
"title": ".body.hostname + \"-\" + .body.time | tostring",
"properties": {
"priority": ".body.priority",
"rule": ".body.rule",
"time": ".body.time",
"source": ".body.source",
"tags": ".body.tags",
"hostname": ".body.hostname",
"output_field": ".body.output_fields",
"output": ".body.output"
}
}
}
] -
Click Save at the bottom of the page.
Configure Falco Sidekick to send webhook​
-
If you're using Falcosidekick with Docker, use the following command for installation. Replace
YOUR_WEBHOOK_URLwith the value of theurlkey you received after creating the webhook configuration;docker run -d -p 2801:2801 -e WEBHOOK_ADDRESS=YOUR_WEBHOOK_URL falcosecurity/falcosidekick -
If you prefer installing Falcosidekick with Helm, follow these steps:
- Add the webhook configuration to your config.yaml file, replacing
YOUR_WEBHOOK_URLwith the actual URL from the webhook setup.
Example configuration file
webhook:
address: YOUR_WEBHOOK_URL- Install or upgrade the Helm chart with the following commands:
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco --config-file=config.yaml falcosecurity/falco - Add the webhook configuration to your config.yaml file, replacing
Done! Any change that happens to your alerts in your server will trigger a webhook event to the webhook URL provided by Port. Port will parse the events according to the mapping and update the catalog entities accordingly.
Connect Falco Alerts to a Namespace​
This guide aims to cover how to connect a Falco alert to an existing Namespace in Port using tags.
This guide assumes:
- You have a Port account and that you have finished the onboarding process.
- You have K8 exporters installed and configured in your environment. We will use the
Namespaceblueprint from the guide. - You have Falco installed and configured in your environment.
Add namespace to alerts in Falco​
Adding namespaces via tags to alerts in Falco allows you to categorize and filter them. You can use namespaces to group alerts that are related to a specific Kubernetes Namespace in Port. In this guide, we will add a namespace to tell us what namespace the alert is tied to:
- Log in to your server instance using methods available to you: SSH, Docker Exec,
docker compose run <bash/sh>, etc. - With necessary permissions and using your favourite editor (Vim, Nano, Emacs), open the YAML file where your Falco Rules are defined. It is usually
/etc/falco/falco_rules.yaml. - Navigate to the rule object you are interested in.
- Navigate to the
tagskey to add a tag that represents the namespace - Add a tag that represents the Namespace the alert related to,
port-auth-namespace. For this guide, let's assume there is a namespace entity identified byauth-namespacein yourNamespaceblueprint in Port. - Save the file
/etc/falco/falco_rules.yaml (click to expand)
- rule: Fileless execution via memfd_create
desc: >
Detect if a binary is executed from memory using the memfd_create technique. This is a well-known defense evasion
technique for executing malware on a victim machine without storing the payload on disk and to avoid leaving traces
about what has been executed. Adopters can whitelist processes that may use fileless execution for benign purposes
by adding items to the list known_memfd_execution_processes.
condition: >
spawned_process
and proc.is_exe_from_memfd=true
and not known_memfd_execution_processes
output: Fileless execution via memfd_create (container_start_ts=%container.start_ts proc_cwd=%proc.cwd evt_res=%evt.res proc_sname=%proc.sname gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
priority: CRITICAL
tags: [maturity_stable, host, container, process, mitre_defense_evasion, T1620, port-auth-namespace]
The Falco Rule will likely already have several tags, we ensure we are able to control how these tags are related to the Namespace blueprint. To do this, we prefix the tag name with the keyword port-. With JQ, we can then select the first tag starting with this keyword (Alerts are not supposed to belong to more than one namespace). Hence the name of our example tag being, port-auth-namespace which will correspond to a Namespace entity identified by auth-namespace in Port.
Create the service relation​
Now that Port is synced with our Falco Alerts, let's reflect the Alert in our resources to display the alert associated with a Namespace. First, we will need to create a relation between our Alert and the corresponding Namespace.
- Fill out the form like this, then click
Create:
The blueprint should look like so after the creation:
Now that the blueprints are related, we need to assign the relevant Falco to their respective namespaces. This can be done by adding some mapping logic. Go to your data sources page, and click on Falco Alert:
Under the Mapping tab, modify the mapping at the Map the data from the external system into Port section by replacing the content with the following block, and click Save:
JQ mapping (Click to expand)
[
{
"blueprint": "falco_alert",
"filter": "true",
"entity": {
"identifier": ".body.hostname + \"-\" + .body.time | tostring",
"title": ".body.hostname + \"-\" + .body.time | tostring",
"properties": {
"priority": ".body.priority",
"rule": ".body.rule",
"time": ".body.time",
"source": ".body.source",
"tags": ".body.tags",
"hostname": ".body.hostname",
"output_field": ".body.output_fields",
"output": ".body.output",
},
"relations": {
"namespace": ".tags | map(select(startswith(\"port\"))) | map(sub(\"port-\"; \"\"; \"g\")) | .[0]"
}
}
}
]
The JQ below selects all tags that start with the keyword port. It then removes "port-" from each tag, leaving only the part that comes after it. It then selects the first match, which is equivalent to the namespace in Port.
service: .fields.labels | map(select(startswith("port"))) | map(sub("port-"; ""; "g")) | .[0]
What we just did was map the Falco Alert to the relation between it and our Namespaces.
Now, if our Namespace identifier is equal to the Falco Alert tag, the namespace will be automatically linked to it  🎉
Conclusion​
By following these steps, you can seamlessly connect a Falco Alert to an existing namespace blueprint in Port using tags.
More relevant guides and examples: