# Integrations

When a detection is made by any of the signatures, it is always printed to stdout. You can customize the output format using a Go template:

```
tracee-rules --output-template /path/to/my.tmpl
```

In addition, Tracee can notify a web service when a detection is made, using a custom webhook:

```
tracee-rules --webhook http://my.webhook/endpoint \
    --webhook-template /path/to/my.tmpl \
    --webhook-content-type application/json
```
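A minimal receiver for the `--webhook` endpoint, added here as an illustration; it is not code from Tracee or falcosidekick. It assumes detections arrive as `application/json` rendered from a template shaped like the `Finding` struct (the top-level `SigMetadata.Name` and `Context.EventName` keys are an assumption about the rendered event), enforces the declared content type, caps the body size, and rejects malformed payloads instead of logging them blindly:

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"mime"
	"net/http"
)

// maxBody caps how much of a webhook request is read, so a misbehaving or
// misconfigured sender cannot exhaust memory on the receiver.
const maxBody = 1 << 20

// FindingSummary holds the two fields this receiver extracts from a detection.
type FindingSummary struct {
	Signature string
	Event     string
}

// ParseFinding validates the Content-Type and decodes a detection body.
// Key names follow Tracee's Finding struct (SigMetadata, Context); the nested
// Name and EventName fields are an assumption about the event shape.
func ParseFinding(contentType string, body []byte) (FindingSummary, error) {
	mt, _, err := mime.ParseMediaType(contentType)
	if err != nil || mt != "application/json" {
		return FindingSummary{}, fmt.Errorf("unsupported content type %q", contentType)
	}
	var raw struct {
		SigMetadata struct {
			Name string `json:"Name"`
		} `json:"SigMetadata"`
		Context struct {
			EventName string `json:"EventName"`
		} `json:"Context"`
	}
	if err := json.Unmarshal(body, &raw); err != nil {
		return FindingSummary{}, fmt.Errorf("malformed detection: %w", err)
	}
	if raw.SigMetadata.Name == "" {
		return FindingSummary{}, fmt.Errorf("detection has no SigMetadata.Name")
	}
	return FindingSummary{Signature: raw.SigMetadata.Name, Event: raw.Context.EventName}, nil
}

// WebhookHandler is the HTTP endpoint Tracee would be pointed at with --webhook.
func WebhookHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBody))
	if err != nil {
		http.Error(w, "body too large or unreadable", http.StatusRequestEntityTooLarge)
		return
	}
	finding, err := ParseFinding(r.Header.Get("Content-Type"), body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	// %q keeps attacker-influenced strings (process names, paths) from
	// injecting newlines or control characters into the receiver's own log.
	log.Printf("tracee detection: signature=%q event=%q", finding.Signature, finding.Event)
	w.WriteHeader(http.StatusNoContent)
}

func main() {
	http.HandleFunc("/endpoint", WebhookHandler)
	// Constructed bind address; in practice put the receiver behind TLS.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Run it and point Tracee at `http://127.0.0.1:8080/endpoint` with `--webhook-content-type application/json`; a request with any other content type, a body over 1 MiB, or JSON without a signature name is answered with a 4xx rather than accepted.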
## Included Go templates

The following Go templates are included in the Tracee container image and are available under the `/tracee/templates/` directory in the container:

| File name | Description | Content-Type | Source |
|---|---|---|---|
| falcosidekick.tmpl | For compatibility with falcosidekick | application/json | source |
| rawjson.tmpl | Dumps the Finding object as raw JSON | application/json | source |
## Go Template Authoring

When authoring a Go template for either stdout or the webhook, Tracee's `types.Finding` struct is the data source:

```go
// Finding is the main output of a signature. It represents a match result for the signature business logic
type Finding struct {
	SigMetadata SignatureMetadata      // information about the signature that made the detection
	Context     Event                  // the raw event that triggered the detection
	Data        map[string]interface{} // detection specific information
}
```

The Go template can use helper functions from Sprig.

For example templates, see `tracee/cmd/tracee-rules/templates`.
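The following is an added example of rendering a `Finding` through a Go template; it is not one of Tracee's bundled templates, and the `SignatureMetadata` and `Event` stand-in types are assumed minimal shapes, not the real Tracee definitions. It uses only `text/template` from the standard library, with a local `toJson` helper in place of the Sprig function of the same name. It also shows why field values from events should go through `toJson` rather than being interpolated between hand-written quotes: a hostname or path containing a `"` would otherwise produce invalid JSON.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// Minimal stand-ins for Tracee's types.SignatureMetadata and types.Event
// (assumed shapes, not the real definitions): enough to drive a template.
type SignatureMetadata struct {
	ID       string
	Name     string
	Severity int
}

type Event struct {
	EventName string
	HostName  string
}

// Finding mirrors the three fields of Tracee's types.Finding.
type Finding struct {
	SigMetadata SignatureMetadata
	Context     Event
	Data        map[string]interface{}
}

// FindingTemplate emits one JSON object per detection. Every string that
// originates from the event goes through toJson, so it is always quoted
// and escaped correctly.
const FindingTemplate = `{"signature":{{ toJson .SigMetadata.Name }},"severity":{{ .SigMetadata.Severity }},"event":{{ toJson .Context.EventName }},"host":{{ toJson .Context.HostName }},"data":{{ toJson .Data }}}`

// NaiveTemplate is the broken variant kept for contrast: it wraps the host
// name in literal quotes, so a '"' in the value corrupts the output.
const NaiveTemplate = `{"signature":{{ toJson .SigMetadata.Name }},"host":"{{ .Context.HostName }}"}`

// toJSON is a local replacement for Sprig's toJson helper.
func toJSON(v interface{}) (string, error) {
	b, err := json.Marshal(v)
	return string(b), err
}

// RenderFinding executes tmpl against f and returns the rendered text.
func RenderFinding(tmpl string, f Finding) (string, error) {
	t, err := template.New("finding").Funcs(template.FuncMap{"toJson": toJSON}).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, f); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ValidJSON reports whether s parses as a JSON document.
func ValidJSON(s string) bool {
	var v interface{}
	return json.Unmarshal([]byte(s), &v) == nil
}

// SampleFinding is a constructed detection used to exercise the templates.
func SampleFinding() Finding {
	return Finding{
		SigMetadata: SignatureMetadata{ID: "TRC-EXAMPLE", Name: "Example signature", Severity: 2},
		Context:     Event{EventName: "execve", HostName: "node-1"},
		Data:        map[string]interface{}{"path": "/tmp/x", "pid": 4242},
	}
}

func main() {
	out, err := RenderFinding(FindingTemplate, SampleFinding())
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

Rendering the sample with `FindingTemplate` yields a single JSON line whose `data` object carries the detection-specific map; rendering a finding whose `HostName` contains a quote with `NaiveTemplate` yields text that no JSON consumer will accept, which is the failure mode `toJson` prevents.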
## Prometheus

Tracee is enabled for Prometheus scraping by default. Scraping can be done through the following URLs:

1. `tracee-ebpf` can be scraped through `:3366/metrics`
2. `tracee-rules` can be scraped through `:4466/metrics`

The metrics addresses can be changed by running with the `--metrics` and `--metrics-addr` flags on the command line.
## Examples

### Raw JSON stdout

The following example configures Tracee to output detections to stdout as raw JSON:

```
docker run --rm -it --privileged --pid=host --cgroupns=host \
    -v /lib/modules/:/lib/modules/:ro \
    -v /usr/src:/usr/src:ro \
    -v /tmp/tracee:/tmp/tracee \
    aquasec/tracee:0.7.0 \
    --output-template /tracee/templates/rawjson.tmpl
```
### falcosidekick webhook

falcosidekick is a useful webhook server that can be configured to connect to various "outputs" such as Slack, Mattermost, Teams, Datadog, Prometheus, StatsD, Email, Elasticsearch, Loki, PagerDuty, OpsGenie, and many more.

To use Tracee with falcosidekick:

1. Obtain connection credentials to the system you want to integrate with.
    - Consult the system's documentation and look for how to configure an incoming webhook.
2. Start the falcosidekick container, configured with the obtained output credentials.
    - See the falcosidekick Readme for full documentation.
3. Start Tracee, configuring it to post detections to the falcosidekick endpoint.
    - If using Docker, you can use the simple `--link` flag to allow the containers to communicate.
    - Use the `--webhook` flag to point to the falcosidekick container's endpoint.
    - Tracee ships with a built-in template for falcosidekick.

```
# Start falcosidekick configured to post to Slack
docker run --name falcosidekick -p 2801:2801 \
    -e SLACK_WEBHOOKURL=https://hooks.slack.com/services/XXX/YYY/ZZZ \
    falcosecurity/falcosidekick

# Start Tracee, linking it to the falcosidekick container, and configuring it to call it on detections
docker run --name tracee --rm -it --privileged --pid=host --cgroupns=host \
    -v /lib/modules/:/lib/modules/:ro \
    -v /usr/src:/usr/src:ro \
    -v /tmp/tracee:/tmp/tracee \
    --link falcosidekick aquasec/tracee:0.7.0 \
    --webhook-template /tracee/templates/falcosidekick.tmpl \
    --webhook-content-type application/json \
    --webhook http://FALCOSIDEKICK:2801
```