How to Set Up Spyderbat to Ingest Falco Alerts

This guide describes the recommended way to integrate Falco security detections with the Spyderbat platform, extending the cloud-native runtime security monitoring that Spyderbat already provides.


Last Updated: August 16, 2024

You can enhance Spyderbat detections by integrating the Falco detection rule sets, which adds security context to Spyderbat traces and living causal maps, including process details, user sessions, and network connections.

By integrating with Falco Sidekick, you can identify and collect Falco events, send them to the Spyderbat platform, and both view and act on them in the Spyderbat UI.

Spyderbat offers a simple deployment approach; all of the required deployment instructions are provided here and are also available in the public GitHub repository.

Infrastructure Prerequisites

At a minimum, you need an organization set up in the Spyderbat Community Edition. You can go to https://www.spyderbat.com/start-free and request a free trial to install up to 5 Spyderbat Nano Agents.

The Spyderbat Nano Agent must be installed on the machines you wish to monitor using Falco rule sets. The Nano Agent uses eBPF on Linux systems to gather data and forward it to the Spyderbat backend. A full list of supported Linux operating systems can be found on our website (paragraph 4).

Please refer to the Spyderbat Nano Agent Kubernetes installation guide for how to install the Nano Agent into a Kubernetes cluster.

Falco does not have to be installed in your environment before the Spyderbat integration, as its installation is handled as part of the integration process. The instructions below cover both the case where Falco is not yet running and the case where Falco is already in place. For reference, the official installation guide is available in the Falco Helm chart repository.

Installing Falco Sidekick Using Helm Chart

Falco Sidekick connects Falco to the rest of your ecosystem. Configured with the Spyderbat output, it forwards Falco-generated events to your Spyderbat organization, where they are integrated with Spyderbat's own security content and displayed in the causal activity graphs of the Spyderbat Investigation UI, supplementing and enriching Spyderbat's output.

If you do not already have Falco installed, you can install it and enable the Spyderbat integration in the same step. First, add the falcosecurity Helm chart repository:

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

Then, install Falco and the Spyderbat integration with:

helm install falco falcosecurity/falco \
    --create-namespace \
    --namespace falco \
    --set falcosidekick.enabled=true \
    --set falcosidekick.config.spyderbat.orguid="YOUR_ORG_ID" \
    --set falcosidekick.config.spyderbat.apiurl="https://api.spyderbat.com" \
    --set falcosidekick.config.spyderbat.apikey="YOUR_API_KEY" \
    --set extra.args=\{"-p","%proc.pid"\} \
    --set driver.kind=modern_ebpf

If you already have Falco installed through the Helm chart, changing helm install to helm upgrade should update it properly. Make sure to include any existing custom configuration you are already using for Falco or the Sidekick pod, since the upgrade only carries the values you pass to it.

The “orguid”, which stands for Unique Organization ID, is specific to your organization and can be retrieved from the Spyderbat UI URL once you log into your console:

Aside from enabling and configuring the Spyderbat integration, these options add process ID information (%proc.pid) to the Falco event messages, which Spyderbat uses to tie each event into its existing context. The command also sets the driver type to modern_ebpf instead of the default kernel driver; if your machine does not support the new driver, you may need to remove that argument.

To obtain the API key used for the apikey setting:

  1. Log in to the Spyderbat console

  2. Click your user icon in the upper right corner and go to the “API Keys” section

  3. If you do not have any active API keys, click “+ Create API Key” and save it in your user profile

  4. Once generated, copy the API key to the clipboard:

Validation

If the installation proceeded correctly, you should receive no error messages and can run the following command to validate that all pods deployed successfully:

kubectl get pods --all-namespaces

If everything is working as expected, you should see output similar to the following, with all pods in the Running state:

Once Falco starts detecting suspicious activity, flags labeled “FALCO” are generated in the Spyderbat data stream and become visible in the Spydergraph Investigation section. To locate these flags, select “Search” in the left-hand navigation menu and run a search query; then select the flag you wish to investigate on a visual causal graph by checking its box and clicking “Start Investigation”:

Once you click the “Start Investigation” button, you will be redirected to the Investigation page where you will be able to see the selected flags and all associated processes as well as other security content:

You can also locate these flags by applying filtering options to our default Flags Dashboard and selecting the flags to start an Investigation this way:

To stay on top of incoming Falco findings, you can create a custom dashboard card to pull in all Falco flags with desired severity by building the following search query for Redflag objects:

short_name = "falco_flag"

Once you have run your search, you can save the output as a custom dashboard card to be easily accessible through the UI:

Falco flags carry a Falco priority, which is mapped to a Spyderbat severity value as follows:

Falco Severity Value    Spyderbat Severity Value
--------------------    ------------------------
Emergency               Critical
Critical                Critical
Alert                   High
Error                   High
Warning                 Medium
Notice                  Low
Informational           Info
Debug                   Info
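As an added example (not code from Spyderbat or Falco), the following Python applies the severity mapping above to a few constructed Falco JSON events and filters them by a minimum Spyderbat severity, the same selection a dashboard card built on the falco_flag search performs. The event field names (priority, rule, output_fields) follow Falco's JSON output format; the rule names, pids and container ids are made up for the example.

```python
import json

# Falco priority -> Spyderbat severity, as in the mapping table on this page.
FALCO_TO_SPYDERBAT = {
    "Emergency": "Critical", "Critical": "Critical",
    "Alert": "High", "Error": "High",
    "Warning": "Medium", "Notice": "Low",
    "Informational": "Info", "Debug": "Info",
}

# Ordering of Spyderbat severities, used to apply a "minimum severity" filter.
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample: three newline-delimited Falco JSON events. The field
# names follow Falco's JSON output; the values are invented for this example.
SAMPLE_FALCO_EVENTS = "\n".join(json.dumps(e) for e in [
    {"priority": "Warning", "rule": "Terminal shell in container",
     "output_fields": {"proc.pid": 4242, "container.id": "3a1b2c"}},
    {"priority": "Notice", "rule": "Read sensitive file untrusted",
     "output_fields": {"proc.pid": 77, "container.id": "3a1b2c"}},
    {"priority": "Critical", "rule": "Drop and execute new binary in container",
     "output_fields": {"proc.pid": 9001, "container.id": "7f0e"}},
])


def map_severity(falco_priority):
    """Translate a Falco priority to a Spyderbat severity (case-insensitive)."""
    key = falco_priority.strip().capitalize()
    if key not in FALCO_TO_SPYDERBAT:
        raise ValueError(f"unknown Falco priority: {falco_priority!r}")
    return FALCO_TO_SPYDERBAT[key]


def summarize_events(ndjson_text, min_severity="Info"):
    """Parse newline-delimited Falco JSON events, keeping those at or above
    min_severity, with the Spyderbat severity and the %proc.pid value attached."""
    keep_from = SEVERITY_RANK[min_severity]
    flags = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines between events
        event = json.loads(line)
        severity = map_severity(event["priority"])
        if SEVERITY_RANK[severity] < keep_from:
            continue
        # proc.pid is present because of the "-p %proc.pid" extra.args setting
        # in the Helm install; it is what lets Spyderbat attach the flag to a process.
        flags.append({"rule": event["rule"], "severity": severity,
                      "pid": event.get("output_fields", {}).get("proc.pid")})
    return flags
```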

Please refer to the KBA “How to Set Up Your Spyderbat API Key and Use the Spyderbat API” for more information on Spyderbat API use. For your convenience, the main steps for API key generation are listed earlier in this guide.

Please refer to our Spyderbat Overview Video for a more detailed walkthrough of the UI and its key functionality.

Note that the free Spyderbat Community account allows you to monitor up to 5 nodes, i.e. register up to 5 sources in the Spyderbat UI. If you have a cluster with more than 5 nodes or anticipate scaling up in the near future, please visit https://www.spyderbat.com/pricing/ to sign up for our Professional tier.

Figures referenced on this page (images not reproduced): an example of searching for Falco objects; an example of a dashboard filtering rule for Falco; an example search highlighting the "Save Dashboard Card" button.