List of Notifiers

Available notifiers

k8sevents

This notifier creates a k8s event in the target resource namespace.

Parameters

No configuration is required.

Permissions

- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - get
  - update
  - patch
  - create

Result

LAST SEEN   TYPE     REASON                                    OBJECT                      MESSAGE
18s         Normal   falco-talon:kubernetes:label:success      pod/cncf-55696bc998-ql5qd   Status: success...
action: kubernetes:label
apiVersion: v1
eventTime: "2024-02-27T13:54:30.008721Z"
firstTimestamp: null
involvedObject:
  kind: Pod
  name: cncf-55696bc998-ql5qd
  namespace: default
kind: Event
lastTimestamp: null
message: "Status: success\nMessage: action\nRule: Terminal shell in container\nAction:
  Label Pod as Suspicious\nActionner: kubernetes:label\nEvent: A shell was spawned
  in a container with an attached terminal (evt_type=execve user=root user_uid=0 user_loginuid=-1
  process=sh proc_exepath=/usr/bin/dash parent=runc command=sh -c command -v bash
  >/dev/null && exec bash || exec sh terminal=34817 exe_flags=EXE_WRITABLE container_id=f13c72275fd4
  container_image=docker.io/library/debian container_image_tag=latest container_name=cncf
  k8s_ns=default k8s_pod_name=cncf-55696bc998-ql5qd)\nnamespace: default\npod: cncf-55696bc998-ql5qd\nOutput:
  \nthe pod \"cncf-55696bc998-ql5qd\" in the namespace \"default\" has been labelled\nTraceID:
  cc84de57-7617-4359-ad40-1a7a8d854743\n"
metadata:
  creationTimestamp: "2024-02-27T13:54:30Z"
  generateName: falco-talon-
  name: falco-talon-rf2dz
  namespace: default
  resourceVersion: "32141229"
  uid: a407b246-f2b5-46ba-8146-ebe474302604
reason: falco-talon:kubernetes:label:success
reportingComponent: falcosecurity.org/falco-talon
reportingInstance: falco-talon
source:
  component: falco-talon
type: Normal
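The message field of such an event is one newline-separated string, so anything that forwards these events on (a SIEM rule, an operator) has to split it itself. As an added example, not part of Falco Talon or its documentation, the following Python parses the message and the reason of the event shown above into the fields an alert would key on; the sample event is constructed from that output, and the reason layout falco-talon:<actionner>:<status> is assumed from the one value shown.

```python
import re
# Constructed sample from the event shown above; the Falco output in "Event:" is abridged.
SAMPLE_EVENT = {
    "reason": "falco-talon:kubernetes:label:success",
    "reportingComponent": "falcosecurity.org/falco-talon",
    "involvedObject": {"kind": "Pod", "name": "cncf-55696bc998-ql5qd", "namespace": "default"},
    "message": (
        "Status: success\nMessage: action\nRule: Terminal shell in container\n"
        "Action: Label Pod as Suspicious\nActionner: kubernetes:label\n"
        "Event: A shell was spawned in a container with an attached terminal "
        "(evt_type=execve user=root process=sh k8s_pod_name=cncf-55696bc998-ql5qd)\n"
        "namespace: default\npod: cncf-55696bc998-ql5qd\nOutput:\n"
        'the pod "cncf-55696bc998-ql5qd" in the namespace "default" has been labelled\n'
        "TraceID: cc84de57-7617-4359-ad40-1a7a8d854743\n"
    ),
}
_KEY_LINE = re.compile(r"^([A-Za-z][A-Za-z_]*):(?: ?(.*))?$")

def parse_message(message: str) -> dict[str, str]:
    """Split the 'Key: value' lines; a keyless line (the text that follows
    'Output:') is appended to the previous key's value."""
    fields, last = {}, None
    for line in message.splitlines():
        m = _KEY_LINE.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2) or ""
        elif last is not None:
            fields[last] = (fields[last] + "\n" + line).strip("\n")
    return fields

def parse_reason(reason: str) -> dict[str, str]:
    """Assumed layout 'falco-talon:<actionner>:<status>' as in the reason above;
    the actionner itself contains a colon, so the status is the last field."""
    prefix = "falco-talon:"
    if not reason.startswith(prefix) or ":" not in reason[len(prefix):]:
        raise ValueError(f"not a Falco Talon reason: {reason!r}")
    actionner, status = reason[len(prefix):].rsplit(":", 1)
    return {"actionner": actionner, "status": status}

def summarize(event: dict) -> dict[str, str]:
    """Flatten one Falco Talon event into the fields an alert would key on."""
    f, obj = parse_message(event["message"]), event["involvedObject"]
    return {
        "status": parse_reason(event["reason"])["status"],
        "rule": f.get("Rule", ""), "action": f.get("Action", ""),
        "target": f"{obj['kind']}/{obj['namespace']}/{obj['name']}",
        "output": f.get("Output", ""), "trace_id": f.get("TraceID", ""),
    }
```

Events from other components can be skipped by checking reportingComponent against the value shown above before calling summarize.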

slack

Parameters

Setting       Default                                                                          Description
webhook_url   n/a                                                                              Webhook URL
icon          https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg  Avatar for messages
username      Falco Talon                                                                      Username for messages
footer        https://github.com/Issif/falco-talon                                             Footer for messages
format        long                                                                             Format for messages (long, short)

Example

notifiers:
  slack:
    webhook_url: "https://hooks.slack.com/services/XXXX"
    icon: "https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg"
    username: "Falco Talon"
    footer: "https://github.com/Falco-Talon/falco-talon"
    format: long

Results

with format: short:

images/slack_short.png

with format: long:

images/slack_long.png

loki

Parameters

Setting          Default   Description
url              n/a       http://{domain or ip}:{port}
user             n/a       User for Grafana Logs
api_key          n/a       API Key for Grafana Logs
tenant           n/a       Add the Tenant header
custom_headers   n/a       Custom HTTP Headers

Example

notifiers:
  loki:
    host_port: "https://xxxxx"
    user: "xxxx"
    api_key: "xxxxx"

Result

images/loki_grafana.png

Elasticsearch

Parameters

Setting                 Default       Description
host_port               n/a           http://{domain or ip}:{port}
user                    n/a           User
password                n/a           Password
index                   falco-talon   Elasticsearch index
suffix                  daily         Date suffix for index rotation: daily (default), monthly, annually, none
create_index_template   true          Create the index template at init if it doesn't exist
number_of_shards        3             Number of shards for the index (if create_index_template is true)
number_of_replicas      3             Number of replicas for the index (if create_index_template is true)
custom_headers          n/a           Custom HTTP Headers

Example

notifiers:
  elasticsearch:
    url: "http://localhost:9200"
    create_index_template: true
    number_of_shards: 1
    number_of_replicas: 1

smtp

Parameters

Setting     Default   Description
host_port   n/a       Host:Port of the SMTP server
user        n/a       User for SMTP
password    n/a       Password for SMTP
from        n/a       From
to          n/a       To (comma-separated list of addresses)
format      html      Format of the email (text, html)
tls         false     Use TLS connection

Example

notifiers:
  smtp:
    host_port: "localhost:1025"
    from: "falco@falcosecurity.org"
    to: "user@test.com, other@test.com"
    user: "xxxx"
    password: "xxxxx"
    format: "html"
    tls: false

Results

with format: html:

./images/smtp_html.png

with format: text:

images/smtp_text.png

webhook

Parameters

Setting          Default                           Description
url              n/a                               URL
http_method      POST                              HTTP Method
user_agent       Falco-Talon                       User Agent
content_type     application/json; charset=utf-8   Content Type
custom_headers   n/a                               Custom HTTP Headers

Example

notifiers:
  webhook:
    url: "http://xxxx"
    http_method: "POST"
    user_agent: "Falco-Talon"
    content_type: "application/json; charset=utf-8"
    custom_headers:
      Authorization: "Bearer xxxxx"

Last modified September 24, 2024: fix slack url (f2d89ce)