List of Notifiers

Available notifiers

`k8sevents`

This notifiers creates a k8s event in the target resource namespace.

Parameters

No configuration is requested.

Permissions

- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - get
  - update
  - patch
  - create

Result

LAST SEEN   TYPE     REASON                                    OBJECT                      MESSAGE
18s         Normal   falco-talon:kubernetes:label:success      pod/cncf-55696bc998-ql5qd   Status: success...

action: kubernetes:label
apiVersion: v1
eventTime: "2024-02-27T13:54:30.008721Z"
firstTimestamp: null
involvedObject:
  kind: Pod
  name: cncf-55696bc998-ql5qd
  namespace: default
kind: Event
lastTimestamp: null
message: "Status: success\nMessage: action\nRule: Terminal shell in container\nAction:
  Label Pod as Suspicious\nActionner: kubernetes:label\nEvent: A shell was spawned
  in a container with an attached terminal (evt_type=execve user=root user_uid=0 user_loginuid=-1
  process=sh proc_exepath=/usr/bin/dash parent=runc command=sh -c command -v bash
  >/dev/null && exec bash || exec sh terminal=34817 exe_flags=EXE_WRITABLE container_id=f13c72275fd4
  container_image=docker.io/library/debian container_image_tag=latest container_name=cncf
  k8s_ns=default k8s_pod_name=cncf-55696bc998-ql5qd)\nnamespace: default\npod: cncf-55696bc998-ql5qd\nOutput:
  \nthe pod \"cncf-55696bc998-ql5qd\" in the namespace \"default\" has been labelled\nTraceID:
  cc84de57-7617-4359-ad40-1a7a8d854743\n"
metadata:
  creationTimestamp: "2024-02-27T13:54:30Z"
  generateName: falco-talon-
  name: falco-talon-rf2dz
  namespace: default
  resourceVersion: "32141229"
  uid: a407b246-f2b5-46ba-8146-ebe474302604
reason: falco-talon:kubernetes:label:success
reportingComponent: falcosecurity.org/falco-talon
reportingInstance: falco-talon
source:
  component: falco-talon
type: Normal

`slack`

Parameters

Setting	Default	Description
`webhook_url`	n/a	Webhook URL
`icon`	`https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg`	Avatar for messages
`username`	`Falco Talon`	Username for messages
`footer`	`https://github.com/Issif/falco-talon`	Footer for messages
`format`	`long`	Format for messages (`long	short`)

Example

notifiers:
  slack:
    webhook_url: "https://hooks.slack.com/services/XXXX"
    icon: "https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg"
    username: "Falco Talon"
    footer: "https://github.com/Falco-Talon/falco-talon"
    format: long

Results

with format: short:

images/slack_short.png

with format: long:

images/slack_long.png

`loki`

Parameters

Setting	Default	Description
`url`	n/a	http://{domain or ip}:{port}
`user`	n/a	User for Grafana Logs
`api_key`	n/a	API Key for Grafana Logs
`tenant`	n/a	Add the Tenant header
`custom_headers`	n/a	Custom HTTP Headers

Example

notifiers:
  loki:
    host_port: "https://xxxxx"
    user: "xxxx"
    api_key: "xxxxx"

Result

images/loki_grafana.png

Elasticsearch

Parameters

Setting	Default	Description
`host_port`	n/a	http://{domain or ip}:{port}
`user`	n/a	User
`password`	n/a	Password
`index`	`falco-talon`	Elasticsearch index
`suffix`	`daily`	Date suffix for index rotation : `daily` (default), `monthly`, `annually`, `none`
`create_index_template`	`true`	Create the index template at the init if it doesn’t exist
`number_of_shards`	`3`	Number of shards for the index (if `create_index_template` is `true`)
`number_of_replicas`	`3`	Number of replicas for the index (if `create_index_template` is `true`)
`custom_headers`	n/a	Custom HTTP Headers

Example

notifiers:
  elasticsearch:
    url: "http://localhost:9200"
    create_index_template: true
    number_of_shards: 1
    number_of_replicas: 1

`smtp`

Parameters

Setting	Default	Description
`host_port`	n/a	Host:Port of SMTP server
`user`	n/a	User for SMTP
`password`	n/a	Password for SMTP
`from`	n/a	From
`to`	n/a	To (comma separated list of adresses)
`format`	`html`	Format of the email (`text`, `html`)
`tls`	`false`	Use TLS connection

Example

notifiers:
  smtp:
    host_port: "localhost:1025"
    from: "falco@falcosecurity.org"
    to: "user@test.com, other@test.com"
    user: "xxxx"
    password: "xxxxx"
    format: "html"
    tls: false

Results

with format: html:

./images/smtp_html.png

with format: text:

images/smtp_text.png

`webhook`

Parameters

Setting	Default	Description
`url`	n/a	URL
`http_method`	`POST`	HTTP Method
`user_agent`	`Falco-Talon`	User Agent
`content_type`	`application/json; charset=utf-8`	Content Type
`custom_headers`	n/a	Custom HTTP Headers

Example

notifiers:
  webhook:
    url: "http://xxxx"
    http_method: "POST"
    user_agent: "Falco-Talon"
    content_type: "application/json; charset=utf-8"
    custom_headers:
      Authorization: "Bearer xxxxx"

Last modified September 24, 2024: fix slack url (f2d89ce)