Runtime Security Alerting

Runtime security alerting enables real-time notifications when potentially malicious activity is detected in your environment.

UDS Core ships Falco with stable default rules that detect common security threats such as:

  • Privilege escalation attempts
  • Unauthorized file access
  • Suspicious network activity
  • Container breakout attempts

See more about default rules in the Falco documentation.

To enable the sandbox and incubating rulesets and exclude specific rules, override the extraRules value in your UDS Core bundle:

overrides:
  falco:
    uds-falco-config:
      values:
        - path: "sandboxRulesEnabled"
          value: true
        - path: "incubatingRulesEnabled"
          value: true
        - path: "disabledRules"
          value: ["Write below root", "Read environment variable from /proc files"]

This configuration:

  1. Enables the sandbox ruleset while excluding the “Write below root” rule.
  2. Enables the incubating ruleset while excluding the “Read environment variable from /proc files” rule.

The rule names used in the disabledRules array should match the rule field from the Falco rules files exactly. disabledRules applies to all rulesets from Falco, including the default rules and any additional rulesets you enable. You can find these rule names in the following locations:

  1. From the Falco official documentation.
  2. In the rule files shipped with UDS Core: look for entries that start with - rule: to find the rule names.
  3. From Falco logs: when Falco detects an event, it logs the rule name in the output. You can find these logs by querying Loki with:

    {rule=~".+"}
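The match between disabledRules entries and the - rule: entries in a rules file is exact, so a typo or case difference silently disables nothing. The following Python is an added example (not UDS Core's or Falco's own code) that pulls the rule names out of a rules file the way the text describes and reports any disabledRules entry that matches none of them; the rules excerpt is constructed here, not the real UDS Core rules file.

```python
import re

# Constructed excerpt in the shape of a Falco rules file (not the real
# UDS Core rules file); only the "- rule:" entries matter for this check.
SAMPLE_RULES_FILE = """\
- rule: Write below root
  desc: an attempt to write to any file directly below / or /root
  priority: ERROR

- rule: Read environment variable from /proc files
  desc: an attempt to read process environment variables from /proc files
  priority: WARNING

- rule: Search Private Keys or Passwords
  desc: detect grep private keys or passwords activity
  priority: WARNING
"""

# A rule entry is a list item whose key is "rule:"; the name is the rest of the line.
RULE_LINE = re.compile(r"^\s*-\s*rule:\s*(.+?)\s*$", re.MULTILINE)


def rule_names(rules_text: str) -> set[str]:
    """Collect the name from every '- rule:' entry; these are the same strings
    Falco reports in the 'rule' field of its output."""
    return {name.strip("\"'") for name in RULE_LINE.findall(rules_text)}


def check_disabled_rules(disabled: list[str], rules_text: str) -> list[str]:
    """Return the disabledRules entries that match no rule name exactly
    (case and whitespace included); such entries have no effect."""
    known = rule_names(rules_text)
    return [name for name in disabled if name not in known]


if __name__ == "__main__":
    # The two names from the override above, plus one lower-case typo.
    disabled_rules = [
        "Write below root",
        "Read environment variable from /proc files",
        "write below root",
    ]
    print("unmatched disabledRules entries:",
          check_disabled_rules(disabled_rules, SAMPLE_RULES_FILE))
```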

By default, Falco generates events for rule violations and ships them to Loki for centralized log aggregation and querying.

You can query Falco events in Grafana Explore using the Loki data source with the following query:

{priority=~".+"}

This query retrieves all Falco events with any priority level. You can filter further by specific priorities or rules such as:

{priority="Warning"}
{rule="Search Private Keys or Passwords"}

The upstream Falco Helm chart includes a Grafana dashboard out of the box for visualizing the security event logs produced by Falcosidekick. The dashboard Falco Logs is automatically available in Grafana when Falco is deployed and can be accessed through the standard UDS Core Grafana interface.

While Loki integration provides centralized logging of Falco events, it is recommended to configure external alert forwarding using Falcosidekick's native outputs for real-time notifications. It is generally a good idea to send these alerts to a messaging platform such as Slack or Microsoft Teams, where these security events are more visible to the relevant teams.

To configure Slack alerts for Falco events, add the following bundle overrides:

packages:
  - name: core
    repository: oci://ghcr.io/defenseunicorns/packages/uds/core
    ref: x.x.x-upstream
    optionalComponents:
      - falco
    overrides:
      falco:
        falco:
          values:
            # The value is written at falcosidekick.config.slack, so the Slack
            # keys go directly under value (no extra slack: level).
            - path: falcosidekick.config.slack
              value:
                # -- Slack Webhook URL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not `empty`, Slack output is *enabled*
                webhookurl: "<YOUR_WEBHOOK_SECRET>"
                # -- Slack channel (optional)
                channel: "#<YOUR_SLACK_CHANNEL>"
                # -- Slack Footer (optional)
                footer: ""
                # -- Slack icon (optional)
                icon: ""
                # -- Slack username (optional)
                username: ""
                # -- `all` (default), `text` (only text is displayed in Slack), `fields` (only fields are displayed in Slack)
                outputformat: "all"
                # -- minimum priority of event to use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""`
                minimumpriority: "notice"
                # -- a Go template to format Slack Text above Attachment, displayed in addition to the output from `slack.outputformat`. If empty, no Text is displayed before Attachment
                messageformat: ""
        uds-falco-config:
          values:
            # Network policy exception so Falcosidekick can reach the Slack API over TLS.
            - path: additionalNetworkAllow
              value:
                - direction: Egress
                  selector:
                    app.kubernetes.io/name: falcosidekick
                  ports:
                    - 443
                  remoteHost: api.slack.com
                  remoteProtocol: TLS
                  description: "Allow egress Falco Sidekick to Slack API"

This configuration will send Falco alerts with priority “notice” and above to your specified Slack channel.

To configure Mattermost alerts for Falco events, add the following bundle overrides:

packages:
  - name: core
    repository: oci://ghcr.io/defenseunicorns/packages/uds/core
    ref: x.x.x-upstream
    optionalComponents:
      - falco
    overrides:
      falco:
        falco:
          values:
            # The value is written at falcosidekick.config.mattermost, so the
            # Mattermost keys go directly under value (no extra mattermost: level).
            - path: falcosidekick.config.mattermost
              value:
                # -- Mattermost Webhook URL (ex: https://your.mattermost.instance/hooks/YYYY), if not `empty`, Mattermost output is *enabled*
                webhookurl: "<YOUR_WEBHOOK_SECRET>"
                # -- Mattermost Footer (optional)
                footer: ""
                # -- Mattermost icon (avatar) (optional)
                icon: ""
                # -- Mattermost username (optional)
                username: ""
                # -- `all` (default), `text` (only text is displayed in Mattermost), `fields` (only fields are displayed in Mattermost)
                outputformat: "all"
                # -- minimum priority of event to use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""`
                minimumpriority: "notice"
                # -- a Go template to format Mattermost Text above Attachment, displayed in addition to the output from `mattermost.outputformat`. If empty, no Text is displayed before Attachment
                messageformat: ""
        uds-falco-config:
          values:
            # Network policy exception so Falcosidekick can reach your Mattermost instance over TLS.
            - path: additionalNetworkAllow
              value:
                - direction: Egress
                  selector:
                    app.kubernetes.io/name: falcosidekick
                  ports:
                    - 443
                  remoteHost: your.mattermost.instance # replace with your Mattermost hostname
                  remoteProtocol: TLS
                  description: "Allow egress Falco Sidekick to Mattermost instance"

This configuration will send Falco alerts with priority “notice” and above to your specified Mattermost instance.

To configure Microsoft Teams alerts for Falco events, add the following bundle overrides:

packages:
  - name: core
    repository: oci://ghcr.io/defenseunicorns/packages/uds/core
    ref: x.x.x-upstream
    optionalComponents:
      - falco
    overrides:
      falco:
        falco:
          values:
            # The value is written at falcosidekick.config.teams, so the Teams
            # keys go directly under value (no extra teams: level).
            - path: falcosidekick.config.teams
              value:
                # -- Teams Webhook URL (ex: https://outlook.office.com/webhook/XXXXXX/IncomingWebhook/YYYYYY), if not `empty`, Teams output is *enabled*
                webhookurl: "<YOUR_WEBHOOK_SECRET>"
                # -- Teams section image (optional)
                activityimage: ""
                # -- `all` (default), `text` (only text is displayed in Teams), `facts` (only facts are displayed in Teams)
                outputformat: "all"
                # -- minimum priority of event to use this output, order is `emergency|alert|critical|error|warning|notice|informational|debug or ""`
                minimumpriority: "notice"
        uds-falco-config:
          values:
            # Network policy exception so Falcosidekick can reach the Teams webhook host over TLS.
            - path: additionalNetworkAllow
              value:
                - direction: Egress
                  selector:
                    app.kubernetes.io/name: falcosidekick
                  ports:
                    - 443
                  remoteHost: outlook.office.com
                  remoteProtocol: TLS
                  description: "Allow egress Falco Sidekick to Microsoft Teams"

This configuration will send Falco alerts with priority “notice” and above to your specified Microsoft Teams channel.
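The minimumpriority setting in the Slack, Mattermost and Teams overrides above decides which events reach each output. The following Python is an added example (not Falcosidekick's or UDS Core's own code) that implements that threshold from the priority order given in the override comments, with "" meaning no threshold, and applies it to a few constructed Falco JSON events; the field names priority and rule are the ones Falco's JSON output uses.

```python
import json

# Priority order from the minimumpriority comment above, most severe first.
PRIORITY_ORDER = ["emergency", "alert", "critical", "error", "warning",
                  "notice", "informational", "debug"]


def passes_minimum_priority(event_priority: str, minimum_priority: str) -> bool:
    """True when the event is at least as severe as minimumpriority.
    Falco emits priorities such as "Warning" while the chart value is
    lower-case, so the comparison ignores case. "" disables the threshold."""
    if minimum_priority == "":
        return True
    event, minimum = event_priority.lower(), minimum_priority.lower()
    if event not in PRIORITY_ORDER or minimum not in PRIORITY_ORDER:
        raise ValueError(f"unknown priority: {event_priority!r} / {minimum_priority!r}")
    # Lower index means more severe, so "at least as severe" is index <=.
    return PRIORITY_ORDER.index(event) <= PRIORITY_ORDER.index(minimum)


def forwarded_rules(event_lines: list[str], minimum_priority: str) -> list[str]:
    """Rule names from a batch of Falco JSON event lines that an output
    configured with the given minimumpriority would forward."""
    forwarded = []
    for line in event_lines:
        event = json.loads(line)
        if passes_minimum_priority(event["priority"], minimum_priority):
            forwarded.append(event["rule"])
    return forwarded


# Constructed Falco JSON events (not captured from a real cluster);
# the third rule name is made up for the example.
SAMPLE_EVENTS = [
    '{"priority":"Error","rule":"Write below root","output":"..."}',
    '{"priority":"Warning","rule":"Search Private Keys or Passwords","output":"..."}',
    '{"priority":"Informational","rule":"Example low-priority rule","output":"..."}',
]

if __name__ == "__main__":
    # With minimumpriority "notice" only the first two events are forwarded.
    print(forwarded_rules(SAMPLE_EVENTS, "notice"))
```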