Falco Integration
Runtime security alerts from Falco correlated with infrastructure metrics in TigerOps. Unify security and performance observability to understand the full context of every security event.
How It Works
Deploy Falco with HTTP Output
Deploy Falco on your Kubernetes nodes or Linux hosts with JSON output enabled. Falco's built-in HTTP output (http_output in falco.yaml) posts each alert as it fires; point it at Falcosidekick, which relays the alerts to the TigerOps Falco ingestion endpoint in real time.
Configure Alert Routing
Use Falcosidekick's webhook output to route alerts to TigerOps. Falcosidekick posts JSON-formatted alert payloads carrying the rule name, priority, output fields (including container metadata) and tags, plus any static custom fields you configure.
Map Alerts to Workloads
TigerOps extracts container.id, k8s.pod.name and the namespace field (k8s.ns.name in Falco's field naming) from the alert's output_fields, and associates the alert with the corresponding Kubernetes workload metrics. These fields are present only when the triggering rule's output string includes them, so keep the Kubernetes fields in your rule outputs.
Correlate with Infrastructure Events
TigerOps correlates Falco alerts with CPU spikes, network anomalies, and process metric changes on the same node. AI identifies whether a security event caused or resulted from a performance anomaly.
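The four steps above, end to end, as an added example that is not TigerOps or Falco code: it parses alerts in Falco's JSON output shape (the payload Falcosidekick forwards), keys them by namespace/pod, and asks whether a CPU spike on the same workload sits inside a time window around the alert. The sample alerts and CPU samples are constructed, and the field names, thresholds and window are assumptions.

```python
"""Map Falco alerts to Kubernetes workloads and correlate them with pod CPU.
Added example: payloads follow Falco's JSON output; the metric store shape,
the spike threshold and the window are assumptions, not TigerOps internals."""
import json
from datetime import datetime, timezone

# Falco priorities, highest first; index order drives the minimum-priority check.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]


def parse_falco_time(ts):
    """Falco emits RFC3339 UTC with nanoseconds; return epoch seconds (float)."""
    base, _, frac = ts.rstrip("Z").partition(".")
    seconds = datetime.fromisoformat(base).replace(tzinfo=timezone.utc).timestamp()
    return seconds + (int((frac + "000000")[:6]) / 1e6 if frac else 0.0)


def parse_alert(raw):
    """Pull the fields a workload-level correlation needs out of one alert."""
    a = json.loads(raw)
    f = a.get("output_fields", {})
    return {
        "rule": a["rule"],
        "priority": a["priority"],
        "ts": parse_falco_time(a["time"]),
        "host": a.get("hostname"),
        "workload": (f.get("k8s.ns.name"), f.get("k8s.pod.name"), f.get("container.id")),
        "proc": f.get("proc.cmdline") or f.get("proc.name"),
        "tags": a.get("tags", []),
    }


def at_least(priority, minimum):
    """True when `priority` is as severe as `minimum` or more so."""
    return PRIORITIES.index(priority) <= PRIORITIES.index(minimum)


def correlate(alerts, cpu_samples, spike_pct=80.0, window_s=60.0, minimum="Warning"):
    """cpu_samples: {(namespace, pod): [(epoch_seconds, cpu_pct), ...]}.
    For each alert at or above `minimum`, find the closest CPU spike on the
    same workload within +/- window_s and record which came first."""
    findings = []
    for al in alerts:
        if not at_least(al["priority"], minimum):
            continue
        ns, pod, _ = al["workload"]
        near = [(t, v) for t, v in cpu_samples.get((ns, pod), [])
                if v >= spike_pct and abs(t - al["ts"]) <= window_s]
        finding = {"rule": al["rule"], "workload": f"{ns}/{pod}", "proc": al["proc"]}
        if near:
            t, v = min(near, key=lambda s: abs(s[0] - al["ts"]))
            finding["relation"] = "alert_preceded_spike" if al["ts"] <= t else "alert_followed_spike"
            finding["delta_s"] = round(t - al["ts"], 1)
            finding["cpu_pct"] = v
        else:
            finding["relation"] = "no_spike_in_window"
        findings.append(finding)
    return findings


# Constructed alerts in Falco's JSON output shape (not real captures).
SAMPLE_ALERTS = [
    '{"hostname":"node-1","output":"12:00:00.000000000: Warning A shell was spawned in a container",'
    '"priority":"Warning","rule":"Terminal shell in container","source":"syscall",'
    '"tags":["container","shell","mitre_execution"],"time":"2024-05-01T12:00:00.000000000Z",'
    '"output_fields":{"container.id":"3c2e1f0a9b8d","k8s.ns.name":"payments",'
    '"k8s.pod.name":"api-7d9f","proc.cmdline":"bash -i","proc.name":"bash","user.name":"root"}}',
    '{"hostname":"node-1","output":"12:05:00.000000000: Notice Package management process launched",'
    '"priority":"Notice","rule":"Launch Package Management Process in Container","source":"syscall",'
    '"tags":["container","process"],"time":"2024-05-01T12:05:00.000000000Z",'
    '"output_fields":{"container.id":"3c2e1f0a9b8d","k8s.ns.name":"payments",'
    '"k8s.pod.name":"api-7d9f","proc.cmdline":"apt-get install curl","proc.name":"apt-get"}}',
    '{"hostname":"node-2","output":"12:10:00.000000000: Error File below /etc opened for writing",'
    '"priority":"Error","rule":"Write below etc","source":"syscall",'
    '"tags":["container","filesystem"],"time":"2024-05-01T12:10:00.000000000Z",'
    '"output_fields":{"container.id":"9a8b7c6d5e4f","k8s.ns.name":"logging",'
    '"k8s.pod.name":"fluentd-x","proc.cmdline":"touch /etc/cron.d/job","proc.name":"touch"}}',
]

# Constructed pod CPU samples (epoch seconds, percent) relative to the first alert.
T0 = parse_falco_time("2024-05-01T12:00:00Z")
SAMPLE_CPU = {("payments", "api-7d9f"): [(T0 - 60, 12.0), (T0 + 30, 93.5), (T0 + 90, 41.0)]}


def run_demo():
    return correlate([parse_alert(r) for r in SAMPLE_ALERTS], SAMPLE_CPU)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The Notice-level alert is dropped by the minimum-priority filter, the shell alert lands 30 s before the 93.5% CPU sample on the same pod and is reported as preceding the spike, and the write in the logging namespace has no metrics in range and is reported as uncorrelated rather than silently skipped.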
What You Get Out of the Box
Real-Time Security Alert Ingestion
Ingest Falco alerts with full rule context: rule name, priority (all eight Falco levels, Emergency down to Debug), output fields, and Falco tags. All fields are indexed for fast searching and correlation.
Container Runtime Context Correlation
Falco alert output fields (container.id, container.image, proc.name, proc.cmdline) are correlated with pod-level CPU, memory, and network metrics from the same workload in TigerOps.
Privileged Container and Escape Detection
Track Falco rules that detect privileged container use, host namespace access, and container breakout attempts. TigerOps alerts immediately and shows which node and pod triggered the detection.
Anomalous Network Activity Alerting
Correlate Falco network-related rules (unexpected outbound connection, port scan detection) with network interface metrics from the same node. Distinguish legitimate traffic spikes from malicious connections.
Falco Rule Trigger Rate Analytics
Track how frequently each Falco rule fires per namespace, node, and workload over time. Identify noisy rules that need tuning and anomalous spikes in specific rule categories.
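Trigger-rate analytics of the kind described above, as an added example rather than TigerOps code: alerts are counted into fixed buckets per (rule, namespace), each bucket is compared with the median of that pair's earlier buckets, and the highest-volume pairs are ranked as tuning candidates. The event stream is constructed; the bucket size, spike factor and minimum count are assumptions.

```python
"""Per-rule, per-namespace Falco trigger-rate analytics.
Added example with a constructed event stream; bucket size, spike factor and
minimum count are assumptions, not TigerOps defaults."""
from collections import defaultdict
from statistics import median


def bucket_counts(events, bucket_s=300):
    """events: iterable of (epoch_seconds, rule, namespace).
    Returns {(rule, namespace): {bucket_start: count}} with every bucket in the
    observed range present, so quiet periods count as zero in the baseline."""
    raw = defaultdict(lambda: defaultdict(int))
    for ts, rule, ns in events:
        raw[(rule, ns)][int(ts // bucket_s) * bucket_s] += 1
    starts = [b for buckets in raw.values() for b in buckets]
    if not starts:
        return {}
    grid = range(min(starts), max(starts) + bucket_s, bucket_s)
    return {key: {b: buckets.get(b, 0) for b in grid} for key, buckets in raw.items()}


def spike_buckets(series, factor=3.0, min_count=5, min_history=3):
    """Flag a bucket whose count is at least min_count and more than factor x the
    median of all earlier buckets for that (rule, namespace). The min_count guard
    keeps a rule going 0 -> 2 from being a spike while 1 -> 12 is."""
    spikes = []
    for key, buckets in series.items():
        ordered = sorted(buckets)
        for i, b in enumerate(ordered):
            history = [buckets[s] for s in ordered[:i]]
            if len(history) < min_history:
                continue
            baseline = median(history)
            if buckets[b] >= min_count and buckets[b] > factor * baseline:
                spikes.append({"rule": key[0], "namespace": key[1],
                               "bucket": b, "count": buckets[b], "baseline": baseline})
    return spikes


def noisiest_rules(series, top=3):
    """Rank (rule, namespace) pairs by total volume with their share of all alerts."""
    totals = {key: sum(buckets.values()) for key, buckets in series.items()}
    grand = sum(totals.values()) or 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top]
    return [(key, count, round(count / grand, 3)) for key, count in ranked]


def constructed_events(t0=1_700_000_000, bucket_s=300):
    """Six 5-minute buckets: a chatty rule at a steady 40/bucket, a shell rule at
    1/bucket that jumps to 12, and a rule that fires twice in one bucket."""
    t0 -= t0 % bucket_s  # align the constructed stream to a bucket boundary
    events = []
    for b in range(6):
        start = t0 + b * bucket_s
        events += [(start + i, "Write below etc", "logging") for i in range(40)]
        n = 12 if b == 5 else 1
        events += [(start + 10 * i, "Terminal shell in container", "payments") for i in range(n)]
    events += [(t0 + 3 * bucket_s + 5, "Contact K8S API Server From Container", "ci"),
               (t0 + 3 * bucket_s + 9, "Contact K8S API Server From Container", "ci")]
    return events


if __name__ == "__main__":
    series = bucket_counts(constructed_events())
    for spike in spike_buckets(series):
        print("spike:", spike)
    for key, count, share in noisiest_rules(series):
        print(f"{key}: {count} alerts ({share:.1%})")
```

On the constructed stream only the shell rule's jump from 1 to 12 per bucket is flagged: the chatty rule never deviates from its own baseline, so it shows up in the volume ranking (where it is the tuning candidate) rather than as a spike, and the two-event burst stays below the minimum count.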
Security-Performance Unified Timeline
TigerOps overlays Falco security events on performance metric timelines. See if a Falco alert preceded a CPU spike, or if a performance anomaly was followed by suspicious process activity on the same host.
Falcosidekick Configuration for TigerOps
Deploy Falcosidekick with TigerOps webhook output alongside Falco in Kubernetes.
# Falco + Falcosidekick Helm values
# helm repo add falcosecurity https://falcosecurity.github.io/charts
# helm install falco falcosecurity/falco -f falco-values.yaml
# helm install falcosidekick falcosecurity/falcosidekick -f falcosidekick-values.yaml

# falco-values.yaml: JSON output, delivered to Falcosidekick through Falco's
# built-in http_output. Falcosidekick listens for HTTP on port 2801 and does not
# consume Falco's gRPC output. Keys under falco: mirror falco.yaml.
falco:
  json_output: true
  json_include_output_property: true
  http_output:
    enabled: true
    # Falcosidekick service in the same namespace; use the full service DNS name otherwise
    url: http://falcosidekick:2801/
# Shortcut: setting falcosidekick.enabled=true in the falco chart deploys
# Falcosidekick as a subchart and wires http_output to it, replacing the
# separate falcosidekick install above.

# falcosidekick-values.yaml
config:
  # TigerOps webhook destination
  webhook:
    address: https://ingest.atatus.net/falco/alerts
    method: POST
    # Falcosidekick's key is customHeaders ("key:value,key:value"). Helm does not
    # expand ${...}: pass the key at install time with --set or use config.existingSecret.
    customHeaders: "Authorization:Bearer ${TIGEROPS_API_KEY}"
    checkcert: true
    minimumpriority: warning
  # Static fields added to every alert's output_fields (one comma-separated string)
  customfields: "cluster:production,region:us-east-1"
  # Also send to Slack for high-priority alerts (optional)
  slack:
    webhookurl: ${SLACK_WEBHOOK_URL}
    minimumpriority: critical
replicaCount: 2
podAnnotations:
  prometheus.io/scrape: "true"
  prometheus.io/port: "2801"
Common Questions
How does Falco send alerts to TigerOps?
Use Falcosidekick with the webhook output configured to https://ingest.atatus.net/falco/alerts. Falcosidekick forwards Falco's JSON alert as-is (rule, priority, tags, and the output fields with the pod and namespace Falco captured) and adds any static customfields you configure, such as cluster or region, before sending it to TigerOps.
Does TigerOps support all Falco priority levels?
Yes. TigerOps ingests all Falco priorities: Emergency, Alert, Critical, Error, Warning, Notice, Informational, and Debug. Configure TigerOps alert policies to route high-priority Falco events to your incident management system.
Can TigerOps correlate Falco alerts with specific Kubernetes workloads?
Yes. TigerOps extracts the pod, namespace and deployment identity from Falco output fields (k8s.pod.name, k8s.ns.name and k8s.deployment.name in Falco's field naming), provided the triggering rule's output includes them. These are matched to Kubernetes workload metrics from the same namespace and pod for unified context.
How do I reduce Falco alert noise in TigerOps?
Use Falco rule exceptions and priority adjustments to suppress known-good behaviors at the source, before alerts reach Falcosidekick. Set Falcosidekick's minimumpriority on the TigerOps webhook output (warning in the configuration above) to drop Notice, Informational and Debug alerts in transit, or configure TigerOps ingestion filters to do the same on the receiving side.
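A Falco-side exception of the kind the answer above recommends, as an added example that is not from this page or the Falco project: it appends an exception to the bundled Write below etc rule so that one known image writing under one directory stops firing, while every other write below /etc still does. The image name, path and exception name are placeholders.

```yaml
# falco_rules.local.yaml, loaded after the bundled ruleset (with the Helm chart,
# supply it through the customRules value). Added example; the image, the
# directory and the exception name are placeholders, not defaults.
- rule: Write below etc
  append: true
  exceptions:
    - name: cert_rotator_writes_ssl
      # Match on the image, not on proc.name alone: a process name is trivial
      # for an attacker to reuse, the image reference is harder to spoof.
      fields: [container.image.repository, fd.name]
      comps: [=, startswith]
      values:
        - [registry.example.com/cert-rotator, /etc/ssl/private/]
```

Validate the file before rolling it out with falco -V falco_rules.local.yaml; a malformed exception is rejected at load time rather than silently ignored. Newer Falco releases also accept an override: form for appending exceptions, so check the syntax against the version you run.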
Can TigerOps alert me on spikes in Falco rule trigger rates?
Yes. TigerOps tracks Falco alert rates per rule and per namespace over time. AI anomaly detection fires when a rule's trigger rate deviates significantly from its baseline — catching emerging attack patterns or misconfigured workloads.
Understand Security Events in Full Infrastructure Context
Falco alerts correlated with pod metrics, node resources, and deployment events. Security observability without silos.