Detections: Deliver using Falcosidekick¶
Falcosidekick
Falcosidekick is a useful webhook server that can be configured to connect to various "outputs" such as: Slack, Mattermost, Teams, Datadog, Prometheus, StatsD, Email, Elasticsearch, Loki, PagerDuty, OpsGenie, and many more.
To use Tracee with Falcosidekick:
-
Obtain connection credentials to the system you want to integrate with.
- Consult the system's documentation and look for how to configure an incoming webhook.
-
Start the Falcosidekick container, configured with the obtained output credentials:
- See the Falcosidekick Readme for full documentation.
-
Start Tracee while configuring it to post detections to the Falcosidekick endpoint.
- If using Docker, you can use the simple link flag to allow the containers to communicate
- Use the webhook flag to point to the Falcosidekick container's endpoint
- Tracee ships with a built-in template for Falcosidekick
Example
-
Start Falcosidekick configured to post to Slack:
docker run --name falcosidekick -p 2801:2801 \ -e SLACK_WEBHOOKURL=https://hooks.slack.com/services/XXX/YYY/ZZZ \ falcosecurity/falcosidekick
-
Start Tracee, linking it to the Falcosidekick container, and configuring it to call it on detections:
$ docker run \ --name tracee --rm -it \ --pid=host --cgroupns=host --privileged \ -v /etc/os-release:/etc/os-release-host:ro \ -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \ --link falcosidekick aquasec/tracee:0.8.1 \ --webhook-template /tracee/templates/falcosidekick.tmpl \ --webhook-content-type application/json \ --webhook http://FALCOSIDEKICK:2801