@Tsuribori
Last active May 22, 2021 18:36

Monitor Falco alerts with Azure Sentinel

Use Azure Sentinel to consume Falco alerts via the falcosidekick webhook output and an Azure Logic App.

Azure Logic App

Falcosidekick has no native output for Azure Log Analytics (the backend of Azure Sentinel). A Logic App can bridge the gap: falcosidekick POSTs each alert to the Logic App's HTTP request trigger, and a Log Analytics action writes the request body into a custom log. Logic App definitions cannot be shared from a gist, so the trigger and connectors used are shown in the screenshot in the original gist: an HTTP request trigger, whose HTTP POST URL is the webhook address to configure in falcosidekick, followed by an Azure Log Analytics Data Collector action that sends the body to the workspace. Whatever custom log name is set in that action becomes the table name with a _CL suffix; the query below assumes the name Falco, hence Falco_CL. Two points to keep in mind: the HTTP POST URL embeds a shared access signature (the sig query parameter), so anyone holding it can inject arbitrary "Falco" events into the workspace, and it should be handled as a secret; and Log Analytics appends a type suffix to every JSON field it ingests, which is why the Falco output field appears as output_s in the query below.

Falco Setup

After adding the falcosecurity Helm chart repository, the following command deploys Falco together with falcosidekick. Replace <HTTP POST URL> in falcosidekick.config.webhook.address with the HTTP POST URL of the Logic App trigger. minimumpriority=warning makes falcosidekick forward only events of priority Warning or higher (Warning, Error, Critical, Alert, Emergency); lower it if Notice or Informational events should also reach Sentinel. Since the URL is a credential, prefer passing it through a values file (helm install -f values.yaml) rather than on the command line, where it ends up in shell history.

helm install falco falcosecurity/falco --set falcosidekick.enabled=true --set falcosidekick.config.webhook.address="<HTTP POST URL>" --set falcosidekick.config.webhook.minimumpriority=warning

Azure Sentinel Rule

The following KQL query can be used to create a scheduled analytics rule (Sentinel runs the query on a schedule and raises an alert when it returns rows):

Falco_CL
| where output_s has_any ("emergency", "alert", "critical", "warning")

Falco writes the priority as the second token of every output line, so has_any on output_s does work, but it is a term match over the whole alert text, not a check of the priority. Two consequences are worth noting. The list omits "error", so Falco Error events, which falcosidekick does forward at minimumpriority=warning, are dropped by the rule unless the alert text happens to contain another listed word. Conversely, any alert whose output mentions a path or process name containing "alert" or "critical" matches regardless of its priority. If the Logic App forwards the whole falcosidekick payload, the priority arrives as its own column (priority_s, following the same suffix convention), and filtering on that column with in~ is more precise than matching words in output_s.
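The Python below is an added example, not code from the gist, from falcosidekick or from the Azure connector. It shows the two pieces this page wires together and then replays the Sentinel rule against constructed events: the minimumpriority filter that falcosidekick applies before calling the webhook, the signed request that the Logic App's Log Analytics action sends to the HTTP Data Collector API on your behalf (Microsoft's documented SharedKey scheme: HMAC-SHA256 over the method, length, content type, x-ms-date and path), and the has_any term match from the rule next to a priority-field match. The workspace ID, the shared key, the sample events and the priority_s column name are assumptions.

```python
"""Added example: what falcosidekick and the Logic App do between Falco and Sentinel.

Not part of the gist, falcosidekick or the Azure connector. Workspace ID,
shared key, sample events and the priority_s column name are assumptions.
"""
import base64
import hashlib
import hmac
import json
import re
from email.utils import formatdate

# Falco priorities from highest to lowest (Falco's own ordering).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# Assumed workspace ID and a dummy 32-byte shared key (base64), illustration only.
DEMO_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
DEMO_SHARED_KEY = base64.b64encode(b"\x00" * 32).decode()

# Constructed events in the JSON shape Falco emits and falcosidekick forwards
# to its webhook output; not captured from a real cluster.
SAMPLE_EVENTS = [
    {"output": "18:33:00.123456789: Warning Sensitive file opened for reading by "
               "non-trusted program (user=root command=cat /etc/shadow file=/etc/shadow)",
     "priority": "Warning", "rule": "Read sensitive file untrusted",
     "time": "2021-05-22T18:33:00.123456789Z",
     "output_fields": {"fd.name": "/etc/shadow", "proc.name": "cat"}},
    {"output": "18:34:00.000000000: Error Unexpected outbound connection "
               "(user=app command=curl connection=10.0.0.5:41000->203.0.113.7:4444)",
     "priority": "Error", "rule": "Unexpected outbound connection destination",
     "time": "2021-05-22T18:34:00Z", "output_fields": {"proc.name": "curl"}},
    {"output": "18:35:00.000000000: Notice Log file opened for writing "
               "(user=app command=tee /var/log/alert.log file=/var/log/alert.log)",
     "priority": "Notice", "rule": "Write below log dir",
     "time": "2021-05-22T18:35:00Z", "output_fields": {"fd.name": "/var/log/alert.log"}},
    {"output": "18:36:00.000000000: Debug Shell spawned in container (user=dev shell=bash)",
     "priority": "Debug", "rule": "Terminal shell in container",
     "time": "2021-05-22T18:36:00Z", "output_fields": {"proc.name": "bash"}},
]


def meets_minimum(event, minimum="warning"):
    """Mirror falcosidekick's minimumpriority: keep events at or above `minimum`."""
    rank = {p.lower(): i for i, p in enumerate(PRIORITIES)}
    return rank[event["priority"].lower()] <= rank[minimum.lower()]


def string_to_sign(content_length, rfc1123_date):
    """Canonical string the Log Analytics HTTP Data Collector API signs."""
    return (f"POST\n{content_length}\napplication/json\n"
            f"x-ms-date:{rfc1123_date}\n/api/logs")


def build_request(workspace_id, shared_key_b64, log_type, events, rfc1123_date=None):
    """Return (url, headers, body) for a signed Data Collector POST.

    This is the call the Logic App's Log Analytics action makes on your behalf;
    log_type "Falco" is what makes the records land in the Falco_CL table.
    """
    body = json.dumps(events).encode()
    rfc1123_date = rfc1123_date or formatdate(usegmt=True)
    key = base64.b64decode(shared_key_b64)
    digest = hmac.new(key, string_to_sign(len(body), rfc1123_date).encode(),
                      hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode()
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           "/api/logs?api-version=2016-04-01")
    headers = {
        "content-type": "application/json",
        "Authorization": f"SharedKey {workspace_id}:{signature}",
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
    }
    return url, headers, body


RULE_TERMS = ("emergency", "alert", "critical", "warning")


def kql_has_any(text, terms):
    """Approximate KQL has_any: case-insensitive match on whole alphanumeric terms."""
    return any(re.search(rf"(?<![A-Za-z0-9_]){re.escape(t)}(?![A-Za-z0-9_])", text, re.I)
               for t in terms)


def rule_on_output(event):
    """The gist's rule: output_s has_any (...) applied to the Falco output text."""
    return kql_has_any(event["output"], RULE_TERMS)


def rule_on_priority(event):
    """Assumed tighter variant: priority_s in~ (...) applied to the priority field."""
    return event["priority"].lower() in RULE_TERMS


if __name__ == "__main__":
    forwarded = [e for e in SAMPLE_EVENTS if meets_minimum(e, "warning")]
    url, headers, body = build_request(DEMO_WORKSPACE_ID, DEMO_SHARED_KEY, "Falco", forwarded)
    print(f"POST {url}\n{headers['Authorization']}\n{len(body)} bytes, {len(forwarded)} events")
    for e in SAMPLE_EVENTS:
        print(f"{e['priority']:<8} forwarded={meets_minimum(e)!s:<5} "
              f"rule_on_output={rule_on_output(e)!s:<5} rule_on_priority={rule_on_priority(e)}")
```

Running it shows the two gaps discussed above on the constructed data: the Error event passes the minimumpriority=warning filter but matches neither rule variant, and the Notice event (which falcosidekick would not forward at that setting) matches the output-text rule only because its file path contains "alert". To actually ship the request, hand the returned url, headers and body to an HTTP client (for example requests.post(url, data=body, headers=headers)); the Falco_CL table appears in the workspace after the first successful post.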