falco-talon/falco-talon

Falco Talon

Falco Talon is a Response Engine for managing threats in your Kubernetes cluster. It enhances the solutions proposed by the Falco community with a no-code, tailor-made solution. With simple rules, you can react to events from Falco in milliseconds.

Architecture

Falco Talon can receive events from Falco directly or via Falcosidekick:

┌──────────┐      ┌───────────────┐      ┌─────────────┐
│  Falco   ├──────► Falcosidekick ├──────► Falco Talon │
└──────────┘      └───────────────┘      └─────────────┘
or
┌──────────┐      ┌─────────────┐
│  Falco   ├──────► Falco Talon │
└──────────┘      └─────────────┘

Glossary

  • event: an event detected by Falco and sent to its outputs
  • rule: defines the criteria for linking events with the actions to apply
  • action: each rule can run actions sequentially; each action refers to an actionner
  • actionner: defines what the action will do
  • notifier: defines which outputs to notify with the result of the action
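To make the glossary concrete, the following miniature response engine is an added illustration and not Falco Talon's own code. It reads one Falco event in Falco's JSON output format (the same kind of payload Falcosidekick forwards over its webhook), matches it against rules, runs the rule's actions sequentially through actionners, and hands each result to a notifier. The rule schema, the "label-pod" actionner (simulated, it calls no Kubernetes API) and the two sample events are assumptions constructed for this example; only the Falco JSON keys rule, priority and output_fields are real.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// FalcoEvent is the subset of Falco's JSON output needed for matching.
// rule, priority and output_fields are real Falco output keys.
type FalcoEvent struct {
	Rule         string                 `json:"rule"`
	Priority     string                 `json:"priority"`
	OutputFields map[string]interface{} `json:"output_fields"`
}

// Actionner defines what an action does; its result text goes to the notifier.
type Actionner func(ev FalcoEvent) (string, error)

// Rule links events to actions: it matches on Falco rule names (any of them)
// and on output_fields that must carry exact values (all of them).
type Rule struct {
	Name    string
	Rules   []string
	Fields  map[string]string
	Actions []string // actionner names, run sequentially
}

// Engine is the toy response engine: rules, actionners and one notifier.
type Engine struct {
	Rules      []Rule
	Actionners map[string]Actionner
	Notify     func(msg string)
}

// Matches reports whether the event satisfies all of the rule's criteria.
func (r Rule) Matches(ev FalcoEvent) bool {
	nameOK := false
	for _, n := range r.Rules {
		if n == ev.Rule {
			nameOK = true
		}
	}
	if !nameOK {
		return false
	}
	for key, want := range r.Fields {
		got, ok := ev.OutputFields[key]
		if !ok || fmt.Sprint(got) != want {
			return false
		}
	}
	return true
}

// Handle parses one Falco event and runs the actions of every matching rule
// in order. It returns the names of the actions that actually ran.
func (e *Engine) Handle(raw []byte) ([]string, error) {
	var ev FalcoEvent
	if err := json.Unmarshal(raw, &ev); err != nil {
		return nil, fmt.Errorf("invalid falco event: %w", err)
	}
	ran := []string{}
	for _, r := range e.Rules {
		if !r.Matches(ev) {
			continue
		}
		for _, name := range r.Actions {
			act, ok := e.Actionners[name]
			if !ok {
				e.Notify(fmt.Sprintf("rule %q: unknown actionner %q", r.Name, name))
				break // a misconfigured sequence must not partially run
			}
			res, err := act(ev)
			if err != nil {
				e.Notify(fmt.Sprintf("rule %q action %q failed: %v", r.Name, name, err))
				break // stop the sequence at the first failing action
			}
			e.Notify(fmt.Sprintf("rule %q action %q: %s", r.Name, name, res))
			ran = append(ran, name)
		}
	}
	return ran, nil
}

// Constructed sample events in Falco's JSON output format (not real captures).
const shellInDefault = `{"priority":"Notice","rule":"Terminal shell in container",
 "output_fields":{"k8s.ns.name":"default","k8s.pod.name":"web-7c5d","container.id":"a1b2c3"}}`
const shellInKubeSystem = `{"priority":"Notice","rule":"Terminal shell in container",
 "output_fields":{"k8s.ns.name":"kube-system","k8s.pod.name":"kube-proxy-x","container.id":"d4e5f6"}}`

// NewDemoEngine wires one rule to one simulated actionner; the notifier
// appends to the returned slice instead of calling an external output.
func NewDemoEngine() (*Engine, *[]string) {
	notes := &[]string{}
	eng := &Engine{
		Rules: []Rule{{
			Name:    "Quarantine shelled pods outside kube-system",
			Rules:   []string{"Terminal shell in container"},
			Fields:  map[string]string{"k8s.ns.name": "default"},
			Actions: []string{"label-pod"},
		}},
		Actionners: map[string]Actionner{
			// Simulated actionner: a real one would call the Kubernetes API here.
			"label-pod": func(ev FalcoEvent) (string, error) {
				return fmt.Sprintf("labelled pod %v quarantine=true", ev.OutputFields["k8s.pod.name"]), nil
			},
		},
		Notify: func(msg string) { *notes = append(*notes, msg) },
	}
	return eng, notes
}

func main() {
	eng, notes := NewDemoEngine()
	for _, raw := range []string{shellInDefault, shellInKubeSystem} {
		ran, err := eng.Handle([]byte(raw))
		fmt.Println("ran:", ran, "err:", err)
	}
	for _, n := range *notes {
		fmt.Println("notify:", n)
	}
}
```

The second sample event carries the same Falco rule name but sits in kube-system, so the rule's field criterion rejects it and no action runs; a failing or unknown actionner stops the rest of that rule's sequence rather than leaving it half-applied, which is the behaviour a responder usually wants from chained actions.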

Actionners

The list of the available actionners can be found HERE.

Notifiers

The list of the available notifiers can be found HERE.

Configuration

The static configuration of Falco Talon is set with a .yaml file (default: ./config.yaml) or with environment variables.

The list of the available settings can be found HERE.

Rules

You can find how to write your own rules HERE.

Documentation

The documentation is available on its own website: https://docs.falco-talon.org/docs.

Metrics

The /metrics endpoint exposes some metrics in the Prometheus format. See here.

Docker images

The Docker images for falco-talon are built using ko.

To generate the images for local testing, run mage buildImagesLocal.

Deployment

Helm

The Helm chart is available in the folder deployment/helm. Two config files are provided:

  • values.yaml allows you to configure Falco Talon and the deployment
  • rules.yaml contains the rules to set

cd deployment/helm/
helm install falco-talon . -n falco --create-namespace

Configure Falcosidekick

Once you have installed Falco Talon with Helm, you need to connect Falcosidekick to it by adding the flag --set falcosidekick.config.webhook.address=http://falco-talon:2803 to the Falco chart installation:

helm install falco falcosecurity/falco --namespace falco \
  --create-namespace \
  --set tty=true \
  --set falcosidekick.enabled=true \
  --set falcosidekick.config.webhook.address=http://falco-talon:2803

License

MIT

Author

Thomas Labarussias (https://github.com/Issif)