
Falco Sidekick

In this example you will create a webhook integration between Falco Sidekick and Port, which will ingest Falco alerts as entities in your catalog.

Port configuration

Create the following blueprint definition:

Alert blueprint
    {
      "identifier": "falco_alert",
      "title": "Falco Alert",
      "icon": "Alert",
      "schema": {
        "properties": {
          "priority": {
            "title": "Priority",
            "type": "string"
          },
          "output": {
            "title": "Output",
            "type": "string"
          },
          "rule": {
            "title": "Rule",
            "type": "string"
          },
          "time": {
            "title": "Time",
            "type": "string",
            "format": "date-time"
          },
          "source": {
            "title": "Source",
            "type": "string"
          },
          "tags": {
            "title": "Tags",
            "type": "array"
          },
          "output_field": {
            "title": "Output Field",
            "type": "object"
          },
          "hostname": {
            "title": "Hostname",
            "type": "string"
          }
        },
        "required": []
      },
      "mirrorProperties": {},
      "calculationProperties": {},
      "aggregationProperties": {},
      "relations": {}
    }

Create the following webhook configuration using Port's UI:

Alert webhook configuration
  1. Basic details tab - fill in the following details:
     1. Title: Falco Alert Mapper
     2. Identifier: falco_alert_mapper
     3. Description: A webhook configuration to map Falco Sidekick alerts to Port
     4. Icon: Alert
  2. Integration configuration tab - fill in the following JQ mapping. Note that jq's `+` binds tighter than `|`, so the identifier expression concatenates hostname, a dash and the alert time, and only then applies `tostring`; every alert therefore becomes its own entity, keyed by where and when it fired:
    [
      {
        "blueprint": "falco_alert",
        "filter": "true",
        "entity": {
          "identifier": ".body.hostname + \"-\" + .body.time | tostring",
          "title": ".body.hostname + \"-\" + .body.time | tostring",
          "properties": {
            "priority": ".body.priority",
            "rule": ".body.rule",
            "time": ".body.time",
            "source": ".body.source",
            "tags": ".body.tags",
            "hostname": ".body.hostname",
            "output_field": ".body.output_fields",
            "output": ".body.output"
          }
        }
      }
    ]
  3. Click Save at the bottom of the page.
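The mapping above is easiest to reason about when you can run it against a realistic alert before pointing Falcosidekick at Port. The following Python script is an added example, not code from Port or Falcosidekick: it reproduces the JQ mapping's semantics (including jq's treatment of a missing field as null, which `+` silently ignores) over a constructed sample payload that uses the field names of Falcosidekick's webhook output, then checks the resulting entity against the blueprint's property types. The sample values, the `map_alert` and `validate_entity` helpers and the problem messages are this example's own, not anything Port produces.

```python
"""Added example (not code from Port or Falcosidekick): replays this page's JQ
mapping in Python so the resulting Port entity can be inspected and checked
against the falco_alert blueprint before the real webhook is wired up."""
import json
import re

# Constructed Falcosidekick webhook payload. The field names are the ones the
# mapping on this page reads; the values are invented for this example.
SAMPLE_ALERT = json.loads(r'''
{
  "output": "10:00:00.123456789: Warning Shell spawned in a container (user=root container_id=1a2b3c shell=bash)",
  "priority": "Warning",
  "rule": "Terminal shell in container",
  "time": "2024-05-01T10:00:00.123456789Z",
  "output_fields": {"container.id": "1a2b3c", "proc.name": "bash", "user.name": "root"},
  "source": "syscall",
  "tags": ["container", "shell", "mitre_execution"],
  "hostname": "worker-1"
}
''')

# Blueprint property -> (payload key it is copied from, Python type matching the
# blueprint's declared type). Mirrors the JQ mapping: every property is a plain
# field copy except output_fields, which the blueprint calls output_field.
PROPERTY_MAP = {
    "priority": ("priority", str),
    "rule": ("rule", str),
    "time": ("time", str),
    "source": ("source", str),
    "tags": ("tags", list),
    "hostname": ("hostname", str),
    "output_field": ("output_fields", dict),
    "output": ("output", str),
}

# The blueprint declares "time" with format "date-time"; Falcosidekick emits RFC 3339.
RFC3339 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def map_alert(body):
    """Apply the page's JQ mapping to one webhook body (the `.body` of the request).

    jq evaluates `.body.hostname + "-" + .body.time | tostring` as
    (hostname + "-" + time) | tostring, and a missing field is null, which
    jq's `+` ignores. A payload without a hostname therefore still yields an
    entity, with the degenerate identifier "-<time>". That behaviour is kept
    here on purpose so validate_entity() can show why it is worth catching.
    """
    ident = (body.get("hostname") or "") + "-" + str(body.get("time") or "")
    return {
        "identifier": ident,
        "title": ident,
        "properties": {prop: body.get(src) for prop, (src, _) in PROPERTY_MAP.items()},
    }


def validate_entity(entity):
    """Return a list of problems: a degenerate identifier, a property whose
    type disagrees with the blueprint, or a time that is not RFC 3339."""
    problems = []
    if entity["identifier"].startswith("-") or entity["identifier"].endswith("-"):
        problems.append("identifier built from a missing hostname or time")
    for prop, (_, expected) in PROPERTY_MAP.items():
        value = entity["properties"].get(prop)
        if value is not None and not isinstance(value, expected):
            problems.append(f"{prop}: expected {expected.__name__}, got {type(value).__name__}")
    t = entity["properties"].get("time")
    if isinstance(t, str) and not RFC3339.match(t):
        problems.append("time is not RFC 3339 but the blueprint declares format date-time")
    return problems


if __name__ == "__main__":
    entity = map_alert(SAMPLE_ALERT)
    print(json.dumps(entity, indent=2))
    print("problems:", validate_entity(entity) or "none")
    # Same alert with the hostname dropped: jq still produces an entity, but a useless one.
    broken = {k: v for k, v in SAMPLE_ALERT.items() if k != "hostname"}
    print("problems:", validate_entity(map_alert(broken)))
```

Once Falcosidekick is running, `curl -X POST http://localhost:2801/test` makes it send a built-in test event to every configured output; checking that the resulting entity in Port has the `<hostname>-<time>` identifier shape printed by this script is the quickest end-to-end confirmation of the mapping.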

Configure Falco Sidekick to send the webhook

  1. If you run Falcosidekick with Docker, start it with the following command. Replace YOUR_WEBHOOK_URL with the value of the url key you received after creating the webhook configuration. Nothing else authenticates the sender in this configuration, so handle that URL as a secret rather than committing it to a repository. Falco itself must be configured to deliver events to this listener (json_output: true and http_output pointing at port 2801 in falco.yaml); Falcosidekick only forwards what Falco sends it.

    docker run -d -p 2801:2801 -e WEBHOOK_ADDRESS=YOUR_WEBHOOK_URL falcosecurity/falcosidekick

  2. If you prefer to install Falcosidekick with Helm, follow these steps:
     1. Add the webhook configuration to a values file named config.yaml, replacing YOUR_WEBHOOK_URL with the actual URL from the webhook settings. The falco chart bundles Falcosidekick as a dependency, so it is enabled and configured under the falcosidekick key; the chart then wires Falco's http_output to it for you.

Example configuration file
    falcosidekick:
      enabled: true
      config:
        webhook:
          address: YOUR_WEBHOOK_URL

     2. Install or upgrade the Helm chart with the following commands (values are passed with Helm's -f flag):

    helm repo add falcosecurity https://falcosecurity.github.io/charts
    helm repo update

    helm upgrade --install falco falcosecurity/falco --namespace falco --create-namespace -f config.yaml

Done! Every alert Falcosidekick receives from Falco is forwarded as a webhook event to the URL provided by Port, which parses it with the mapping above and creates the matching catalog entity. Because the identifier combines hostname and alert time, each alert is a separate entity; if the volume is too high, set Falcosidekick's webhook minimumpriority option (environment variable WEBHOOK_MINIMUMPRIORITY) so that only alerts at or above that priority reach Port.