Runtime Security Alerting
Runtime security alerting enables real-time notifications when potentially malicious activity is detected in your environment.
Falco Alerting
Default Rules and Events
UDS Core ships Falco with the stable default ruleset, which detects common security threats such as:
- Privilege escalation attempts
- Unauthorized file access
- Suspicious network activity
- Container breakout attempts
See more about default rules in the Falco documentation.
Additional Rulesets
Enabling and Configuring Rulesets
To enable the sandbox and incubating rulesets and exclude specific rules, override the `sandboxRulesEnabled`, `incubatingRulesEnabled` and `disabledRules` values of the `uds-falco-config` chart in your UDS Core bundle:

```yaml
overrides:
  falco:
    uds-falco-config:
      values:
        - path: "sandboxRulesEnabled"
          value: true
        - path: "incubatingRulesEnabled"
          value: true
        - path: "disabledRules"
          value: ["Write below root", "Read environment variable from /proc files"]
```
This configuration:
- Enables the sandbox ruleset while disabling the “Write below root” rule.
- Enables the incubating ruleset while disabling the “Read environment variable from /proc files” rule.
Finding Rule Names for disabledRules
The rule names used in the `disabledRules` array must match the `rule` field in the Falco rules files exactly. `disabledRules` applies to every ruleset Falco loads, including the default rules and any additional rulesets you enable. You can find rule names in the following locations:
- From the official Falco documentation.
- In the rule files shipped with UDS Core:
  - Sandbox rules: src/falco/chart/rules/sandbox-rules.yaml
  - Incubating rules: src/falco/chart/rules/incubating-rules.yaml
  Look for entries that start with `- rule:` to find the rule names.
- From Falco logs: when Falco detects an event, it logs the rule name in the output. You can find these logs by querying Loki with:

```logql
{rule=~".+"}
```
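The following script is an added example, not code from UDS Core or Falco. It pulls the `rule` names out of a rules file the way the instructions above describe (entries starting with `- rule:`) and then checks a proposed `disabledRules` list against them, so that a misspelled or stale name is caught before the bundle is deployed instead of being discovered when the rule you meant to silence keeps firing. The rules text embedded in the script is constructed to mimic the layout of the shipped rule files and is not a copy of them; `rule_names_from_files` is provided for running it against the real paths.

```python
"""Extract Falco rule names from rules files and sanity-check a disabledRules list.

Added example; not part of UDS Core or Falco. SAMPLE_RULES below is constructed
in the style of src/falco/chart/rules/sandbox-rules.yaml, not the real file.
"""
from __future__ import annotations

import re
from pathlib import Path
from typing import Iterable

# A rule entry in a Falco rules file begins with "- rule: <name>"; the name may be quoted.
_RULE_LINE = re.compile(r'^\s*-\s+rule:\s*(.+?)\s*$')

# Constructed sample rules file (macros and lists are present so the extractor has to skip them).
SAMPLE_RULES = """\
- macro: open_write
  condition: evt.type in (open,openat,openat2) and evt.is_open_write=true

- list: shell_binaries
  items: [bash, sh, zsh]

- rule: Write below root
  desc: An attempt to write to any file directly below / or /root
  condition: root_dir and evt.dir = < and open_write
  output: File below / or /root opened for writing (file=%fd.name)
  priority: ERROR
  tags: [maturity_sandbox, host, container, filesystem]

- rule: "Read environment variable from /proc files"
  desc: Detect attempts to read process environment variables from /proc
  condition: open_read and container and fd.name glob /proc/*/environ
  output: Environment variables were retrieved from /proc files
  priority: WARNING
  tags: [maturity_incubating, container, filesystem]
"""


def _unquote(name: str) -> str:
    """Strip one layer of matching single or double quotes from a YAML scalar."""
    if len(name) >= 2 and name[0] == name[-1] and name[0] in "\"'":
        return name[1:-1]
    return name


def rule_names(rules_text: str) -> list[str]:
    """Names of every '- rule:' entry in file order; macro and list entries are skipped."""
    return [_unquote(m.group(1)) for line in rules_text.splitlines() if (m := _RULE_LINE.match(line))]


def rule_names_from_files(paths: Iterable[str]) -> set[str]:
    """Union of rule names across several rules files on disk (e.g. the two UDS Core paths)."""
    names: set[str] = set()
    for p in paths:
        names.update(rule_names(Path(p).read_text(encoding="utf-8")))
    return names


def check_disabled_rules(disabled: Iterable[str], known: set[str]) -> dict[str, list[str]]:
    """Partition a disabledRules list into names that exist and names that do not.

    disabledRules entries must equal the rule field exactly, so a misspelling or a
    name from an older ruleset version leaves the intended rule active.
    """
    disabled = list(disabled)
    return {
        "matched": [d for d in disabled if d in known],
        "unknown": [d for d in disabled if d not in known],
    }


if __name__ == "__main__":
    known = set(rule_names(SAMPLE_RULES))
    print(check_disabled_rules(["Write below root", "Write below rooot"], known))
```

Run it against the real files with `rule_names_from_files(["src/falco/chart/rules/sandbox-rules.yaml", "src/falco/chart/rules/incubating-rules.yaml"])` and feed the result to `check_disabled_rules` together with the list from your bundle; anything under `unknown` is a name Falco will not recognise.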
Querying Events with Loki
Falco generates an event for every rule violation and, by default, Falcosidekick ships those events to Loki for centralized log aggregation and querying.
You can query Falco events in Grafana Explore using the Loki data source with the following query:

```logql
{priority=~".+"}
```

This query retrieves all Falco events regardless of priority. Narrow it to a specific priority or rule, or combine both matchers in one selector:

```logql
{priority="Warning"}
{rule="Search Private Keys or Passwords"}
{priority="Warning", rule="Search Private Keys or Passwords"}
```
Grafana Dashboards
The upstream Falco Helm chart includes a Grafana dashboard, Falco Logs, for visualizing the security event logs that Falcosidekick ships. It is automatically available in Grafana once Falco is deployed and can be opened through the standard UDS Core Grafana interface.
External Alert Forwarding
While the Loki integration provides centralized logging of Falco events, configure external alert forwarding through Falco Sidekick's native outputs for real-time notifications. Sending these alerts to a messaging platform such as Slack, Mattermost or Microsoft Teams puts them where the responsible team will actually see them. Two points apply to every output below: the webhook URL is a credential (anyone holding it can post into the channel), so keep it out of plaintext bundle files and inject it at deploy time; and Falco Sidekick runs under UDS network policy, so the egress allow entry's remoteHost must match the host in the webhook URL or the alert never leaves the cluster.
Slack Integration
To configure Slack alerts for Falco events, add the following bundle overrides:

```yaml
packages:
  - name: core
    repository: oci://ghcr.io/defenseunicorns/packages/uds/core
    ref: x.x.x-upstream
    optionalComponents:
      - falco
    overrides:
      falco:
        falco:
          values:
            - path: falcosidekick.config.slack
              value:
                # -- Slack Webhook URL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not `empty`, Slack output is *enabled*
                webhookurl: "<YOUR_WEBHOOK_SECRET>"
                # -- Slack channel (optional)
                channel: "#<YOUR_SLACK_CHANNEL>"
                # -- Slack Footer (optional)
                footer: ""
                # -- Slack icon (optional)
                icon: ""
                # -- Slack username (optional)
                username: ""
                # -- `all` (default), `text` (only text is displayed in Slack), `fields` (only fields are displayed in Slack)
                outputformat: "all"
                # -- minimum priority of event to use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""`
                minimumpriority: "notice"
                # -- a Go template to format Slack Text above Attachment, displayed in addition to the output from `slack.outputformat`. If empty, no Text is displayed before Attachment
                messageformat: ""
        uds-falco-config:
          values:
            - path: additionalNetworkAllow
              value:
                - direction: Egress
                  selector:
                    app.kubernetes.io/name: falcosidekick
                  ports:
                    - 443
                  remoteHost: hooks.slack.com # must match the host in webhookurl (incoming webhooks are served from hooks.slack.com, not api.slack.com)
                  remoteProtocol: TLS
                  description: "Allow egress Falco Sidekick to Slack incoming webhook"
```
This configuration will send Falco alerts with priority “notice” and above to your specified Slack channel.
Mattermost Integration
To configure Mattermost alerts for Falco events, add the following bundle overrides:

```yaml
packages:
  - name: core
    repository: oci://ghcr.io/defenseunicorns/packages/uds/core
    ref: x.x.x-upstream
    optionalComponents:
      - falco
    overrides:
      falco:
        falco:
          values:
            - path: falcosidekick.config.mattermost
              value:
                # -- Mattermost Webhook URL (ex: https://your.mattermost.instance/hooks/YYYY), if not `empty`, Mattermost output is *enabled*
                webhookurl: "<YOUR_WEBHOOK_SECRET>"
                # -- Mattermost Footer (optional)
                footer: ""
                # -- Mattermost icon (avatar) (optional)
                icon: ""
                # -- Mattermost username (optional)
                username: ""
                # -- `all` (default), `text` (only text is displayed in Mattermost), `fields` (only fields are displayed in Mattermost)
                outputformat: "all"
                # -- minimum priority of event to use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""`
                minimumpriority: "notice"
                # -- a Go template to format Mattermost Text above Attachment, displayed in addition to the output from `mattermost.outputformat`. If empty, no Text is displayed before Attachment
                messageformat: ""
        uds-falco-config:
          values:
            - path: additionalNetworkAllow
              value:
                - direction: Egress
                  selector:
                    app.kubernetes.io/name: falcosidekick
                  ports:
                    - 443
                  remoteHost: your.mattermost.instance # replace with the host in webhookurl
                  remoteProtocol: TLS
                  description: "Allow egress Falco Sidekick to Mattermost instance"
```
This configuration will send Falco alerts with priority “notice” and above to your specified Mattermost instance.
Microsoft Teams Integration
To configure Microsoft Teams alerts for Falco events, add the following bundle overrides:

```yaml
packages:
  - name: core
    repository: oci://ghcr.io/defenseunicorns/packages/uds/core
    ref: x.x.x-upstream
    optionalComponents:
      - falco
    overrides:
      falco:
        falco:
          values:
            - path: falcosidekick.config.teams
              value:
                # -- Teams Webhook URL (ex: https://outlook.office.com/webhook/XXXXXX/IncomingWebhook/YYYYYY), if not `empty`, Teams output is *enabled*
                webhookurl: "<YOUR_WEBHOOK_SECRET>"
                # -- Teams section image (optional)
                activityimage: ""
                # -- `all` (default), `text` (only text is displayed in Teams), `facts` (only facts are displayed in Teams)
                outputformat: "all"
                # -- minimum priority of event to use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""`
                minimumpriority: "notice"
        uds-falco-config:
          values:
            - path: additionalNetworkAllow
              value:
                - direction: Egress
                  selector:
                    app.kubernetes.io/name: falcosidekick
                  ports:
                    - 443
                  remoteHost: outlook.office.com # must match the host in webhookurl; newer Teams webhooks are issued on a <tenant>.webhook.office.com host
                  remoteProtocol: TLS
                  description: "Allow egress Falco Sidekick to Microsoft Teams"
```
This configuration will send Falco alerts with priority “notice” and above to your specified Microsoft Teams channel.
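The Slack, Mattermost and Teams overrides above share one failure mode: the webhook is configured correctly but the `additionalNetworkAllow` entry names a different host, so Falco Sidekick's POST is blocked by network policy and no alert arrives. The script below is an added example, not UDS Core or Falcosidekick code. It takes a bundle as a parsed structure (what `yaml.safe_load` would return for the bundle file) and reports every Sidekick webhook output that is still the placeholder, is not HTTPS, or has no matching Egress allow for the falcosidekick pods. The embedded bundle is constructed for the demonstration, with a fake webhook URL, and deliberately allows `api.slack.com` while the webhook lives on `hooks.slack.com`.

```python
"""Check that Falco Sidekick webhook overrides in a UDS bundle are actually deliverable.

Added example; not part of UDS Core or Falcosidekick. SAMPLE_BUNDLE is a constructed
stand-in for yaml.safe_load(open("uds-bundle.yaml")); the webhook URL is fake.
"""
from __future__ import annotations

import copy
from urllib.parse import urlsplit

PLACEHOLDER = "<YOUR_WEBHOOK_SECRET>"
OUTPUT_PREFIX = "falcosidekick.config."   # Sidekick output overrides live under this value path

# Constructed bundle: the Egress allow names api.slack.com, but the webhook host is hooks.slack.com.
SAMPLE_BUNDLE = {
    "packages": [{
        "name": "core",
        "overrides": {"falco": {
            "falco": {"values": [{
                "path": "falcosidekick.config.slack",
                "value": {"webhookurl": "https://hooks.slack.com/services/XXXX/YYYY/ZZZZ",
                          "channel": "#security-alerts", "minimumpriority": "notice"},
            }]},
            "uds-falco-config": {"values": [{
                "path": "additionalNetworkAllow",
                "value": [{"direction": "Egress",
                           "selector": {"app.kubernetes.io/name": "falcosidekick"},
                           "ports": [443], "remoteHost": "api.slack.com", "remoteProtocol": "TLS"}],
            }]},
        }},
    }],
}


def _falco_overrides(bundle: dict):
    """Yield the overrides.falco mapping of every package in the bundle."""
    for pkg in bundle.get("packages", []):
        yield pkg.get("overrides", {}).get("falco", {})


def webhook_outputs(bundle: dict) -> list[tuple[str, str]]:
    """(output name, webhookurl) for each Sidekick output override, e.g. ('slack', 'https://...')."""
    found = []
    for ov in _falco_overrides(bundle):
        for entry in ov.get("falco", {}).get("values", []):
            path, value = entry.get("path", ""), entry.get("value")
            if path.startswith(OUTPUT_PREFIX) and isinstance(value, dict) and value.get("webhookurl"):
                found.append((path[len(OUTPUT_PREFIX):], value["webhookurl"]))
    return found


def sidekick_egress_hosts(bundle: dict) -> set[str]:
    """Remote hosts permitted by Egress allow entries whose selector targets the falcosidekick pods."""
    hosts: set[str] = set()
    for ov in _falco_overrides(bundle):
        for entry in ov.get("uds-falco-config", {}).get("values", []):
            if entry.get("path") != "additionalNetworkAllow":
                continue
            for allow in entry.get("value", []):
                targets_sidekick = allow.get("selector", {}).get("app.kubernetes.io/name") == "falcosidekick"
                if allow.get("direction") == "Egress" and targets_sidekick and allow.get("remoteHost"):
                    hosts.add(allow["remoteHost"])
    return hosts


def check_webhooks(bundle: dict) -> list[str]:
    """Return findings; an empty list means every configured webhook can be delivered."""
    findings = []
    hosts = sidekick_egress_hosts(bundle)
    for name, url in webhook_outputs(bundle):
        if url == PLACEHOLDER:
            findings.append(f"{name}: webhookurl is still the placeholder")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{name}: webhook must use https, got {parts.scheme or 'no scheme'}")
        if parts.hostname not in hosts:
            findings.append(f"{name}: no Egress allow for {parts.hostname} (allowed: {sorted(hosts)})")
    return findings


def with_egress_host(bundle: dict, old: str, new: str) -> dict:
    """Deep copy of the bundle with one remoteHost replaced, so a fix can be tried without mutating the input."""
    fixed = copy.deepcopy(bundle)
    for ov in _falco_overrides(fixed):
        for entry in ov.get("uds-falco-config", {}).get("values", []):
            if entry.get("path") != "additionalNetworkAllow":
                continue
            for allow in entry.get("value", []):
                if allow.get("remoteHost") == old:
                    allow["remoteHost"] = new
    return fixed


if __name__ == "__main__":
    for finding in check_webhooks(SAMPLE_BUNDLE):
        print("FAIL:", finding)
    print("after fix:", check_webhooks(with_egress_host(SAMPLE_BUNDLE, "api.slack.com", "hooks.slack.com")))
```

The same check covers the Mattermost and Teams overrides unchanged, because it keys on the `falcosidekick.config.` prefix rather than on a specific output name; run it in CI against the rendered bundle so a host mismatch fails the pipeline rather than silently dropping alerts.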