[ESS] [8.16] Ingest Sysdig Falco data to Elasticsearch

[benironside]

Fixes #6004 by creating a new guide for ingesting third-party alert data from cloud security tool Sysdig Falco, and a new section that contains that guide.

Previews: Ingest Falco data; Ingest third-party cloud security data

[github-actions]

A documentation preview will be available soon.

• 🔨 Buildkite builds
• 📚 HTML diff
• 📙 Preview page

Request a new doc build by commenting

• Rebuild this PR: run docs-build
• Rebuild this PR and all Elastic docs: run docs-build rebuild

_{run docs-build is much faster than run docs-build rebuild. A rebuild should only be needed in rare situations.}

_{If your PR continues to fail for an unknown reason, the doc build pipeline may be broken. Elastic employees can check the pipeline status here.}

[nick-alayil]

Overall this is an awesome start 🚀 , @benironside. Your efforts are much appreciated 🙏. .

[nick-alayil]

You can add the following env vars to this list:

ELASTICSEARCH_APIKEY : The preferred way to connect to ES over username and password. Note that support for this env var is added post falcosidekick v2.29, which is the current latest as of writing this. But you could use it with Falcosidekick docker container as docker images with changes are pushed to falcosidekick docker hub much faster.

ELASTICSEARCH_INDEX : The most important thing is to set the index to match logs-falco.alerts-* . This is what the Falco ingest pipeline will match on.

Also worth mentioning that ELASTICSEARCH_USERNAME and ELASTICSEARCH_PASSWORD are only supported in ECH/ESS and not in serverless Elastic Cloud.

I'm intentionally not commenting on ELASTICSEARCH_MUTUALTLS and ELASTICSEARCH_CHECKCERT as I'm not 💯 certain on reasons for using it. I'll check with the team and get back on this.

[benironside]

continuing this work in #6046 since it touched related pages

[benironside]

closing this issue since the work was added to #6046