Falco Sidekick

In this example you are going to create a webhook integration between Falco Sidekick and Port, which will ingest alert entities.

Port configuration

Create the following blueprint definition:

Alert blueprint
{
  "identifier": "falco_alert",
  "title": "Falco Alert",
  "icon": "Alert",
  "schema": {
    "properties": {
      "priority": {
        "title": "Priority",
        "type": "string"
      },
      "output": {
        "title": "Output",
        "type": "string"
      },
      "rule": {
        "title": "Rule",
        "type": "string"
      },
      "time": {
        "title": "Time",
        "type": "string",
        "format": "date-time"
      },
      "source": {
        "title": "Source",
        "type": "string"
      },
      "tags": {
        "title": "Tags",
        "type": "array"
      },
      "output_field": {
        "title": "Output Field",
        "type": "object"
      },
      "hostname": {
        "title": "Hostname",
        "type": "string"
      }
    },
    "required": []
  },
  "mirrorProperties": {},
  "calculationProperties": {},
  "aggregationProperties": {},
  "relations": {}
}

Create the following webhook configuration using Port's UI:

Alert webhook configuration
  1. Basic details tab - fill in the following details:

    1. Title : Falco Alert Mapper;
    2. Identifier : falco_alert_mapper;
    3. Description : A webhook configuration to map Falcosidekick alerts to Port;
    4. Icon : Alert;
  2. Integration configuration tab - fill in the following JQ mapping:

    [
      {
        "blueprint": "falco_alert",
        "filter": "true",
        "entity": {
          "identifier": ".body.hostname + \"-\" + .body.time | tostring",
          "title": ".body.hostname + \"-\" + .body.time | tostring",
          "properties": {
            "priority": ".body.priority",
            "rule": ".body.rule",
            "time": ".body.time",
            "source": ".body.source",
            "tags": ".body.tags",
            "hostname": ".body.hostname",
            "output_field": ".body.output_fields",
            "output": ".body.output"
          }
        }
      }
    ]
  3. Click Save at the bottom of the page.

Configure Falco Sidekick to send webhooks

  1. If you're running Falcosidekick with Docker, use the following command for installation. Replace YOUR_WEBHOOK_URL with the value of the url key you received after creating the webhook configuration:

    docker run -d -p 2801:2801 -e WEBHOOK_ADDRESS=YOUR_WEBHOOK_URL falcosecurity/falcosidekick
  2. If you prefer installing Falcosidekick with Helm, follow these steps:

    1. Add the webhook configuration to your config.yaml values file, replacing YOUR_WEBHOOK_URL with the actual URL from the webhook setup. The falco chart ships Falcosidekick as a subchart, so the webhook address is set under the falcosidekick key:
    Example configuration file
    falcosidekick:
      enabled: true
      config:
        webhook:
          address: YOUR_WEBHOOK_URL
    2. Install or upgrade the Helm chart with the following commands (Helm reads a values file with -f; there is no --config-file flag):
    helm repo add falcosecurity https://falcosecurity.github.io/charts
    helm repo update

    helm install falco -f config.yaml falcosecurity/falco

Done! Every alert that Falcosidekick forwards from your server will trigger a webhook event to the webhook URL provided by Port. Port will parse the events according to the mapping and update the catalog entities accordingly.
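To check the JQ mapping against a realistic alert before pointing Falcosidekick at Port, here is an added Python example (not part of the Port docs or of Falcosidekick): it reimplements the mapping as a plain function and serves it on a local endpoint that can be handed to Falcosidekick as WEBHOOK_ADDRESS. The sample alert payload and the 127.0.0.1:8080 listener are constructed assumptions.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample alert in the shape Falcosidekick POSTs to a webhook output.
SAMPLE_ALERT = {
    "output": "10:32:11.123456789: Notice A shell was spawned in a container (user=root container=nginx)",
    "priority": "Notice",
    "rule": "Terminal shell in container",
    "time": "2024-05-01T10:32:11.123456789Z",
    "output_fields": {"container.name": "nginx", "proc.name": "bash", "user.name": "root"},
    "source": "syscalls",
    "tags": ["container", "shell", "mitre_execution"],
    "hostname": "node-1",
}

def map_alert(body):
    """Mirror the webhook mapping: identifier/title are hostname + "-" + time,
    and each blueprint property is read from the alert body."""
    # In jq, null + "-" + time yields "-<time>", i.e. a degenerate identifier
    # that could collide across hosts; reject such alerts instead of storing them.
    for key in ("hostname", "time"):
        if not body.get(key):
            raise ValueError(f"alert is missing '{key}', cannot build identifier")
    identifier = f"{body['hostname']}-{body['time']}"
    return {
        "identifier": identifier,
        "title": identifier,
        "blueprint": "falco_alert",
        "properties": {
            "priority": body.get("priority"),
            "rule": body.get("rule"),
            "time": body.get("time"),
            "source": body.get("source"),
            "tags": body.get("tags", []),
            "hostname": body.get("hostname"),
            "output_field": body.get("output_fields", {}),
            "output": body.get("output"),
        },
    }

class Handler(BaseHTTPRequestHandler):
    """Local stand-in for Port's webhook URL: prints the entity Port would create."""
    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            entity = map_alert(json.loads(raw))
        except (ValueError, json.JSONDecodeError) as exc:
            self.send_response(400); self.end_headers(); self.wfile.write(str(exc).encode()); return
        print(json.dumps(entity, indent=2))
        self.send_response(200); self.end_headers()

if __name__ == "__main__":
    print(json.dumps(map_alert(SAMPLE_ALERT), indent=2))
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Run it, start Falcosidekick with WEBHOOK_ADDRESS=http://127.0.0.1:8080, and compare the printed entity with what you expect the blueprint to hold.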