Falco Talon is a Response Engine for managing threats in your Kubernetes clusters. It enhances the solutions proposed by the Falco community with a no-code, tailor-made solution. With simple rules, you can react to events from Falco in milliseconds.
Falco Talon can receive the events from Falco or Falcosidekick:
```mermaid
flowchart LR
    falco
    falcosidekick
    falco-talon
    falco -- event --> falcosidekick
    falco -- event --> falco-talon
    falcosidekick -- event --> falco-talon
    kubernetes -- context --> falco-talon
    falco-talon -- action --> aws
    falco-talon -- output --> minio
    falco-talon -- action --> kubernetes
    falco-talon -- notification --> slack
```
- event: an event detected by Falco and sent to its outputs
- rule: defines the criteria for linking events with the actions to apply
- action: each rule can sequentially run actions; each action refers to an actionner
- actionner: defines what the action will do
- notifier: defines which outputs to notify with the result of the action
- context: composed of elements from the original Falco event, from Falco Talon and from other sources; these elements can be used to dynamically configure the actions to perform
- output: defines the target where the resulting artifact that may have been created by an actionner is stored
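As an added example of how these pieces fit together (written for this page, not code from the Falco Talon project), the Go program below implements a small rule engine in that shape: a Falco JSON alert is decoded, each rule's criteria are checked against it, matching rules resolve their named actions to an actionner and its parameters, and the context (namespace and pod read from the event's `output_fields`) is what the actionner would act on. The rule syntax used here (match on Falco rule names plus `key=value` / `key!=value` criteria on output fields, all ANDed), the `kubernetes:terminate` actionner name, its parameters and the sample alert are all assumptions chosen to resemble a Talon rules file; consult the rule documentation for the real supported syntax.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event holds the fields of a Falco JSON alert that this engine uses.
type Event struct {
	Rule         string                 `json:"rule"`
	OutputFields map[string]interface{} `json:"output_fields"`
}

// Action names an actionner and the static parameters it runs with.
type Action struct {
	Actionner  string
	Parameters map[string]interface{}
}

// Rule links criteria to action names. The criteria supported (Falco rule names;
// output_fields "key=value" / "key!=value", ANDed) are this toy engine's assumption.
type Rule struct {
	Name                              string
	MatchRules, OutputFields, Actions []string
}

// Invocation is a resolved action plus the context pulled from the event.
type Invocation struct {
	Action
	Rule    string
	Context map[string]string
}

// fieldMatches evaluates one criterion; "!=" is tested before "=" so that
// "k8s.ns.name!=kube-system" is not split into the key "k8s.ns.name!".
func fieldMatches(ev Event, criterion string) bool {
	if key, want, ok := strings.Cut(criterion, "!="); ok {
		got, present := ev.OutputFields[key]
		return !present || fmt.Sprint(got) != want
	}
	key, want, ok := strings.Cut(criterion, "=")
	got, present := ev.OutputFields[key]
	return ok && present && fmt.Sprint(got) == want
}

// Match: the event's Falco rule is listed (or no names are listed) and every field criterion holds.
func Match(ev Event, r Rule) bool {
	ok := len(r.MatchRules) == 0
	for _, n := range r.MatchRules {
		ok = ok || n == ev.Rule
	}
	for _, c := range r.OutputFields {
		ok = ok && fieldMatches(ev, c)
	}
	return ok
}

// Dispatch resolves matching rules into the ordered invocations to run; namespace
// and pod come from the event, so one rule serves every workload.
func Dispatch(ev Event, rules []Rule, actions map[string]Action) []Invocation {
	var out []Invocation
	for _, r := range rules {
		if !Match(ev, r) {
			continue
		}
		for _, name := range r.Actions {
			a, ok := actions[name]
			if !ok {
				continue // unknown action name: skip rather than guess
			}
			ctx := map[string]string{"namespace": fmt.Sprint(ev.OutputFields["k8s.ns.name"]), "pod": fmt.Sprint(ev.OutputFields["k8s.pod.name"])}
			out = append(out, Invocation{a, r.Name, ctx})
		}
	}
	return out
}

// SampleActions and SampleRules follow the shape of a Talon rules file (assumed, see above).
var SampleActions = map[string]Action{"Terminate Pod": {
	Actionner:  "kubernetes:terminate",
	Parameters: map[string]interface{}{"ignore_daemonsets": true, "grace_period_seconds": 5},
}}
var SampleRules = []Rule{{
	Name:         "Terminal shell in container",
	MatchRules:   []string{"Terminal shell in container"},
	OutputFields: []string{"k8s.ns.name!=kube-system"},
	Actions:      []string{"Terminate Pod"},
}}

func main() {
	var ev Event // decoded from a constructed Falco alert, not one captured from a real cluster
	if err := json.Unmarshal([]byte(`{"rule":"Terminal shell in container","priority":"Notice","output_fields":{"k8s.ns.name":"default","k8s.pod.name":"shop-frontend-7d9f","proc.name":"bash"}}`), &ev); err != nil {
		panic(err)
	}
	for _, inv := range Dispatch(ev, SampleRules, SampleActions) {
		fmt.Printf("%s -> %s on %s/%s %v\n", inv.Rule, inv.Actionner, inv.Context["namespace"], inv.Context["pod"], inv.Parameters)
	}
}
```

Run with `go run .`: the alert in `default` resolves to one `kubernetes:terminate` invocation for pod `shop-frontend-7d9f`; the same alert with `k8s.ns.name` set to `kube-system` resolves to none because of the `!=` criterion. Two caveats a real engine must handle and this toy one does not: the `!=` branch accepts an event that carries no namespace at all, and `Dispatch` never checks that the event has the fields the actionner needs, so a non-Kubernetes event would produce a context naming pod `<nil>`.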
The list of the available actionners can be found HERE.
The list of the available outputs can be found HERE.
The static configuration of Falco Talon is set with a `.yaml` file (default: `./config.yaml`) or with environment variables.
The list of the available settings can be found HERE.
You can find how to write your own rules HERE.
The full documentation is available on its own website: https://docs.falco-talon.org/docs.
The `/metrics` endpoint exposes some metrics in the Prometheus format. See here.
Falco Talon can export its metrics in the OTEL Metrics format. See here.
Falco Talon can export traces in the OTEL Traces format. See here.
The docker images for `falco-talon` are built using `ko`. To generate the images to test locally you can run `mage buildImagesLocal`.
The helm chart is available in the repo `charts`.
Two config files are provided:
- `values.yaml` allows you to configure Falco Talon and the deployment; the list of available values is here
- `rules.yaml` contains the rules to set
```shell
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco-talon falcosecurity/falco-talon -n falco --create-namespace
```
Once you have installed Falco Talon with Helm, you need to point Falcosidekick at it by adding the flag `--set falcosidekick.config.talon.address=http://falco-talon:2803` when installing the Falco chart:
```shell
helm install falco falcosecurity/falco --namespace falco \
  --create-namespace \
  --set tty=true \
  --set falcosidekick.enabled=true \
  --set falcosidekick.config.talon.address=http://falco-talon:2803
```
A Docker Compose stack is provided for local development and tests.
This stack starts these services:
- Grafana: accessible at http://localhost:3000
- OTEL Collector
- Prometheus: accessible at http://localhost:9090
- Grafana Tempo
- Minio: accessible at http://localhost:9001 (root/changeme123)
To start the stack:
```shell
cd deployment/compose
docker compose up -d
```
Falco Talon is licensed to you under the Apache 2.0 open source license.
Thomas Labarussias (https://github.com/Issif)