
Notifiers

Notifiers are the built-in outputs that forward the result of Falco Talon actions.

The Notifiers define which outputs receive the result of the actions.

The configuration file contains the list of notifiers enabled by default and the settings for each notifier.

Example:

default_notifiers: # these notifiers will be enabled for all rules
  - k8sevents
  - loki
  - smtp
  - elasticsearch

notifiers:
  loki:
    host_port: https://logs-prod-eu-west-0.grafana.net
    user: 99999
    api_key: xxxxx
  smtp:
    host_port: localhost:1025
    from: falco@falcosecurity.org
    to: user@test.com, other@test.com
    # user: test
    # password: test
    format: html
    tls: false
  elasticsearch:
    url: http://localhost:9200
    create_index_template: true
    number_of_shards: 1
    number_of_replicas: 1

List of Notifiers

Available notifiers

k8sevents

This notifier creates a Kubernetes Event in the namespace of the target resource, next to the workload the action was applied to.

Parameters

No configuration is required.

Permissions

The service account Falco Talon runs as needs the following RBAC rule:

- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - get
  - update
  - patch
  - create
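Added example, not from the Falco Talon project: the rule above wrapped into a ClusterRole and bound to the service account Falco Talon runs as. The namespace `falco` and the service account name `falco-talon` are assumptions; adjust them to your deployment. A ClusterRole rather than a Role is used because the event is created in the namespace of the target resource, which can be any namespace.

```yaml
# Added example (assumed names: namespace "falco", service account "falco-talon").
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: falco-talon-k8sevents
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - get
  - update
  - patch
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: falco-talon-k8sevents
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: falco-talon-k8sevents
subjects:
- kind: ServiceAccount
  name: falco-talon
  namespace: falco
```

Verify the binding from outside the pod with `kubectl auth can-i create events --as=system:serviceaccount:falco:falco-talon -n default` before relying on the notifier.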

Result

As shown by kubectl get events:

LAST SEEN   TYPE     REASON                                    OBJECT                      MESSAGE
18s         Normal   falco-talon:kubernetes:label:success      pod/cncf-55696bc998-ql5qd   Status: success...

The same event in YAML form:

action: kubernetes:label
apiVersion: v1
eventTime: "2024-02-27T13:54:30.008721Z"
firstTimestamp: null
involvedObject:
  kind: Pod
  name: cncf-55696bc998-ql5qd
  namespace: default
kind: Event
lastTimestamp: null
message: "Status: success\nMessage: action\nRule: Terminal shell in container\nAction:
  Label Pod as Suspicious\nActionner: kubernetes:label\nEvent: A shell was spawned
  in a container with an attached terminal (evt_type=execve user=root user_uid=0 user_loginuid=-1
  process=sh proc_exepath=/usr/bin/dash parent=runc command=sh -c command -v bash
  >/dev/null && exec bash || exec sh terminal=34817 exe_flags=EXE_WRITABLE container_id=f13c72275fd4
  container_image=docker.io/library/debian container_image_tag=latest container_name=cncf
  k8s_ns=default k8s_pod_name=cncf-55696bc998-ql5qd)\nnamespace: default\npod: cncf-55696bc998-ql5qd\nOutput:
  \nthe pod \"cncf-55696bc998-ql5qd\" in the namespace \"default\" has been labelled\nTraceID:
  cc84de57-7617-4359-ad40-1a7a8d854743\n"
metadata:
  creationTimestamp: "2024-02-27T13:54:30Z"
  generateName: falco-talon-
  name: falco-talon-rf2dz
  namespace: default
  resourceVersion: "32141229"
  uid: a407b246-f2b5-46ba-8146-ebe474302604
reason: falco-talon:kubernetes:label:success
reportingComponent: falcosecurity.org/falco-talon
reportingInstance: falco-talon
source:
  component: falco-talon
type: Normal
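The message field of the event above is free text: one "Key: value" line per part, the Falco output embedded in the "Event:" part as a parenthesised list of key=value fields, and the "Output:" value continued on the next line. Anything that consumes these events (a script over kubectl get events, a SIEM collector) has to split it back up. The following Python is an added example, not code from Falco Talon; the sample message is the one from the event shown above, copied from this page.

```python
import re

# The message of the event shown above, copied from this page, used here as
# sample input.
SAMPLE_MESSAGE = (
    "Status: success\n"
    "Message: action\n"
    "Rule: Terminal shell in container\n"
    "Action: Label Pod as Suspicious\n"
    "Actionner: kubernetes:label\n"
    "Event: A shell was spawned in a container with an attached terminal "
    "(evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh "
    "proc_exepath=/usr/bin/dash parent=runc command=sh -c command -v bash "
    ">/dev/null && exec bash || exec sh terminal=34817 exe_flags=EXE_WRITABLE "
    "container_id=f13c72275fd4 container_image=docker.io/library/debian "
    "container_image_tag=latest container_name=cncf k8s_ns=default "
    "k8s_pod_name=cncf-55696bc998-ql5qd)\n"
    "namespace: default\n"
    "pod: cncf-55696bc998-ql5qd\n"
    "Output: \n"
    'the pod "cncf-55696bc998-ql5qd" in the namespace "default" has been labelled\n'
    "TraceID: cc84de57-7617-4359-ad40-1a7a8d854743\n"
)

# "Key: value" lines of the Talon message. Only the key is restricted; the
# value may itself contain colons (e.g. "Actionner: kubernetes:label").
LINE_RE = re.compile(r"^([A-Za-z_]+): ?(.*)$")

# "key=value" pairs inside the Falco output. Values may contain spaces
# (see "command=sh -c ..."), so a value runs until the next " key=" token.
FIELD_RE = re.compile(r"(?:^|\s)([A-Za-z_][A-Za-z0-9_]*)=")


def parse_talon_message(message: str) -> dict:
    """Split the event message into its labelled parts.

    A line that does not start with "Key:" continues the previous value
    (the "Output:" part of the sample spans two lines).
    """
    result: dict = {}
    current = None
    for line in message.splitlines():
        m = LINE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = m.group(2).strip()
        elif current is not None:
            result[current] = (result[current] + "\n" + line).strip()
    return result


def parse_falco_fields(event: str) -> dict:
    """Extract the key=value fields from the parenthesised part of the Falco output."""
    start, end = event.rfind("("), event.rfind(")")
    if start == -1 or end == -1 or end < start:
        return {}
    inner = event[start + 1:end]
    matches = list(FIELD_RE.finditer(inner))
    fields = {}
    for i, m in enumerate(matches):
        value_end = matches[i + 1].start() if i + 1 < len(matches) else len(inner)
        fields[m.group(1)] = inner[m.end():value_end].strip()
    return fields


def summarize(message: str) -> dict:
    """Flatten one event message into the fields worth indexing or alerting on."""
    parts = parse_talon_message(message)
    fields = parse_falco_fields(parts.get("Event", ""))
    return {
        "status": parts.get("Status"),
        "rule": parts.get("Rule"),
        "actionner": parts.get("Actionner"),
        "namespace": parts.get("namespace"),
        "pod": parts.get("pod"),
        "trace_id": parts.get("TraceID"),
        "container_id": fields.get("container_id"),
        "image": fields.get("container_image"),
        "command": fields.get("command"),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

The TraceID is the value to keep: it ties the event to the Falco Talon logs for the same action, which matters when an action reports a failure and the pod has already been relabelled or deleted by a later rule.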

slack

This notifier posts the result of each action to a Slack incoming webhook.

Parameters

Setting | Default | Description
webhook_url | n/a | Webhook URL
icon | https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg | Avatar for messages
username | Falco Talon | Username for messages
footer | https://github.com/Issif/falco-talon | Footer for messages
format | long | Format for messages (long, short)

Example

notifiers:
  slack:
    webhook_url: "https://hooks.slack.com/services/XXXX"
    icon: "https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg"
    username: "Falco Talon"
    footer: "https://github.com/Falco-Talon/falco-talon"
    format: long

Results

With format: short: (screenshot: images/slack_short.png)

With format: long: (screenshot: images/slack_long.png)

loki

This notifier pushes the result of each action to Loki (for example Grafana Cloud Logs).

Parameters

Setting | Default | Description
host_port | n/a | http://{domain or ip}:{port}
user | n/a | User for Grafana Logs
api_key | n/a | API key for Grafana Logs
tenant | n/a | Value of the tenant header, for multi-tenant Loki
custom_headers | n/a | Custom HTTP headers

Example

notifiers:
  loki:
    host_port: "https://xxxxx"
    user: "xxxx"
    api_key: "xxxxx"

Result

(screenshot: images/loki_grafana.png)

elasticsearch

This notifier indexes the result of each action into Elasticsearch.

Parameters

Setting | Default | Description
url | n/a | http://{domain or ip}:{port}
user | n/a | User
password | n/a | Password
index | falco-talon | Elasticsearch index
suffix | daily | Date suffix for index rotation: daily (default), monthly, annually, none
create_index_template | true | Create the index template at startup if it does not exist
number_of_shards | 3 | Number of shards for the index (only used if create_index_template is true)
number_of_replicas | 3 | Number of replicas for the index (only used if create_index_template is true)
custom_headers | n/a | Custom HTTP headers

Example

notifiers:
  elasticsearch:
    url: "http://localhost:9200"
    create_index_template: true
    number_of_shards: 1
    number_of_replicas: 1

smtp

This notifier sends the result of each action by email.

Parameters

Setting | Default | Description
host_port | n/a | Host:Port of the SMTP server
user | n/a | User for SMTP
password | n/a | Password for SMTP
from | n/a | From address
to | n/a | To (comma separated list of addresses)
format | html | Format of the email (text, html)
tls | false | Use a TLS connection

Example

notifiers:
  smtp:
    host_port: "localhost:1025"
    from: "falco@falcosecurity.org"
    to: "user@test.com, other@test.com"
    user: "xxxx"
    password: "xxxxx"
    format: "html"
    tls: false

With tls: false the SMTP credentials and the mail body travel in cleartext; keep it only for a local relay such as the localhost:1025 one above and set tls: true for a remote server.

Results

With format: html: (screenshot: images/smtp_html.png)

With format: text: (screenshot: images/smtp_text.png)

webhook

This notifier sends the result of each action as an HTTP request to the URL of your choice.

Parameters

Setting | Default | Description
url | n/a | URL of the endpoint
http_method | POST | HTTP method
user_agent | Falco-Talon | User-Agent header
content_type | application/json; charset=utf-8 | Content-Type header
custom_headers | n/a | Custom HTTP headers (for example an Authorization header, as in the example below)

Example

notifiers:
  webhook:
    url: "http://xxxx"
    http_method: "POST"
    user_agent: "Falco-Talon"
    content_type: "application/json; charset=utf-8"
    custom_headers:
      Authorization: "Bearer xxxxx"

The bearer token is only as secret as the transport: with an http:// URL like the placeholder above it is readable on the wire, so point the notifier at an https:// endpoint.
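On the receiving side, the Authorization header set through custom_headers is the only thing that distinguishes a genuine notification from anyone who can reach the endpoint, so the receiver should check it before doing anything with the body. The following Python receiver is an added example, not part of Falco Talon; the shared token value and the listen address are assumptions, and since the JSON layout of the notification is not documented on this page the payload is only checked to be a JSON object and logged as received.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption, not from the page: the receiver knows the bearer token the
# notifier was configured to send in custom_headers.Authorization.
EXPECTED_TOKEN = "xxxxx"


def check_request(headers, body: bytes, expected_token: str = EXPECTED_TOKEN):
    """Validate one notification; returns (status, payload_or_reason).

    The token is checked first, with a constant-time comparison, so nothing
    is parsed on behalf of an unauthenticated caller. `headers` may be a
    plain dict or the request's header object; names are matched
    case-insensitively.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = hdrs.get("authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(
        token.encode("utf-8"), expected_token.encode("utf-8")
    ):
        return 401, "missing or invalid bearer token"
    ctype = hdrs.get("content-type", "")
    if not ctype.lower().startswith("application/json"):
        return 415, f"unexpected content type: {ctype!r}"
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return 400, f"body is not valid JSON: {exc}"
    if not isinstance(payload, dict):
        return 400, "expected a JSON object"
    return 200, payload


class TalonWebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status, result = check_request(self.headers, body)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        if status == 200:
            # The notification's JSON layout is not documented on this page,
            # so the payload is only logged as received.
            self.log_message("notification: %s", json.dumps(result))
            self.wfile.write(b"ok\n")
        else:
            self.wfile.write(result.encode("utf-8") + b"\n")


if __name__ == "__main__":
    # Listens on loopback only; put a TLS-terminating proxy in front of it
    # before exposing it to the cluster.
    HTTPServer(("127.0.0.1", 8080), TalonWebhookHandler).serve_forever()
```

Rejecting with 401 before touching the body keeps the JSON parser out of reach of unauthenticated callers, and the constant-time comparison avoids leaking the token one byte at a time through response timing.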