Skip to content

falcosecurity/falco-talon

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Falco Talon

Falco Ecosystem Repository Incubating Last Release

last commit licence docker pulls

Falco Talon is a Response Engine for managing threats in your Kubernetes. It enhances the solutions proposed by the Falco community with a no-code tailor made solution. With easy rules, you can react to events from Falco in milliseconds.

Architecture

Falco Talon can receive the events from Falco or Falcosidekick:

flowchart LR
    falco
    falcosidekick
    falco-talon
    falco -- event --> falcosidekick
    falco -- event --> falco-talon
    falcosidekick -- event --> falco-talon
    kubernetes -- context --> falco-talon
    falco-talon -- action --> aws
    falco-talon -- output --> minio
    falco-talon -- action --> kubernetes
    falco-talon -- notification --> slack
Loading

Glossary

  • event: an event detected by Falco and sent to its outputs
  • rule: defines criterias for linking the events with the actions to apply
  • action: each rule can sequentially run actions, each action refers to an actionner
  • actionner: defines what the action will do
  • notifier: defines what outputs to notify with the result of the action
  • context: composed of elements from the original Falco event, from Falco Talon and other sources, these elements can be used to dynamically configure the actions to perform.
  • output: defines the target where to store the resulting artifact that might has been created by an actionner

Actionners

The list of the available actionners can be found HERE.

Notifiers

The list of the available actionners can be found HERE.

Outputs

The list of the available outputs can be found HERE.

Configuration

The static configuration of Falco Talon is set with a .yaml file (default: ./config.yaml) or with environment variables.

The list of the available settings can be found HERE.

Rules

You can find how to write your own rules HERE.

Documentation

The full documentation is available on its own website: https://docs.falco-talon.org/docs.

Metrics

Prometheus metrics

The /metrics endpoint exposes some metrics in the Prometheus format. See here.

OTEL metrics

Falco Talon can export its metrics in the OTEL Metrics format. See here.

Traces

Falco Talon can export traces in the OTEL Traces format. See here.

Docker images

The docker images for falco-talon are built using ko

To generate the images to test locally you can run mage buildImagesLocal

Deployment

Helm

The helm chart is available in the repo charts.

Two config files are provided:

  • values.yaml allows you to configure Falcon Talon and the deployment, the list of available values is here
  • rules.yaml contains rules to set
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco-talon falcosecurity/falco -n falco --create-namespace

Configure Falcosidekick

Once you have installed Falco Talon with Helm, you need to connect Falcosidekick by adding the flag --set falcosidekick.config.talon.address=http://falco-talon:2803

helm install falco falcosecurity/falco --namespace falco \
  --create-namespace \
  --set tty=true \
  --set falcosidekick.enabled=true \
  --set falcosidekick.config.talon.address=http://falco-talon:2803

Development

A Docker Compose stack is provided for local developments and tests.

This stack starts these services:

To start the stack:

cd deployment/compose
docker compose up -d

License

Falco Talon is licensed to you under the Apache 2.0 open source license.

Author

Thomas Labarussias (https://github.com/Issif)