Use Sentinel to consume Falco alerts via falcosidekick webhook and Azure Logic App.
Falcosidekick has no native output for Azure Log Analytics (the backend of Azure Sentinel). However, a Logic App can bridge the webhook output of falcosidekick and Azure Log Analytics. Logic Apps do not appear to be shareable, so the picture below shows the trigger and connectors used.
The HTTP POST URL is the webhook address to use in falcosidekick.
After adding the Helm chart, the following command deploys Falco together with falcosidekick. Note that the value of falcosidekick.config.webhook.address must be replaced with the HTTP POST URL from the Logic App.
helm install falco falcosecurity/falco --set falcosidekick.enabled=true --set falcosidekick.config.webhook.address="<HTTP POST URL>" --set falcosidekick.config.webhook.minimumpriority=warning
The following KQL query can be used to create an alert rule:
Falco_CL
| where output_s has_any ("emergency", "alert", "critical", "warning")
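The bridge described above and the Falco_CL table the KQL query reads, as an added example that is not part of the original page, of falcosidekick or of the Logic App: a small Python stand-in for the Logic App that posts one falcosidekick webhook payload to the Log Analytics HTTP Data Collector API. The workspace ID and key are placeholders and the alert body is constructed; the Log-Type header value Falco is what produces the Falco_CL custom table, and the string field output becomes the output_s column the query filters on.

```python
import base64
import hashlib
import hmac
import json
import urllib.request
from datetime import datetime, timezone

WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real workspace
SHARED_KEY = base64.b64encode(b"placeholder-workspace-primary-key").decode()  # placeholder key material
LOG_TYPE = "Falco"  # Data Collector API names the custom table Falco_CL; string fields get an _s suffix
RESOURCE = "/api/logs"

# Constructed falcosidekick webhook body (same JSON shape falcosidekick sends; values invented)
SAMPLE_ALERT = {
    "output": "16:31:56.746609046: Warning Sensitive file opened for reading by non-trusted program "
              "(user=root file=/etc/shadow)",
    "priority": "Warning",
    "rule": "Read sensitive file untrusted",
    "time": "2021-03-01T16:31:56.746609046Z",
    "output_fields": {"fd.name": "/etc/shadow", "user.name": "root"},
}

def build_signature(workspace_id, shared_key, rfc1123_date, content_length,
                    method="POST", content_type="application/json", resource=RESOURCE):
    """SharedKey authorization header: HMAC-SHA256 over the canonical string, keyed with the decoded key."""
    string_to_sign = f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123_date}\n{resource}"
    digest = hmac.new(base64.b64decode(shared_key), string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"

def build_request(alert, workspace_id=WORKSPACE_ID, shared_key=SHARED_KEY, when=None):
    """Return (url, headers, body) for one alert; the body is a JSON array, as the API expects."""
    when = when or datetime.now(timezone.utc)
    rfc1123_date = when.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps([alert]).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
        "Log-Type": LOG_TYPE,
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version=2016-04-01"
    return url, headers, body

def post_alert(alert):
    """Send one alert to the workspace; returns the HTTP status (200 on success)."""
    url, headers, body = build_request(alert)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```

Once records land, the fields priority, rule and time appear as priority_s, rule_s and time_t alongside output_s, so the alert rule above can filter on priority_s directly instead of searching the output text.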