How to Set Up Spyderbat to Ingest Falco Alerts

Let's talk about the best way to integrate Falco security detections with the Spyderbat platform to further enhance Spyderbat's cloud-native runtime security monitoring.

Last Updated: August 16, 2024

You can enhance Spyderbat detections by integrating with the Falco detection rule sets to add more security context to Spyderbat traces and living causal maps, including process details, user sessions, and network connections.

By integrating with Falco Sidekick, you will be able to identify, collect, and send Falco events to the Spyderbat platform, then view them and take action on them within the Spyderbat UI.

Spyderbat offers a simple deployment approach, and all the needed deployment instructions can be viewed here as well as retrieved via the public GitHub repository.

Infrastructure Prerequisites

At a minimum, you need an organization set up in the Spyderbat Community Edition. You can go to https://www.spyderbat.com/start-free and request a free trial to install up to 5 Spyderbat nano agents.

The Spyderbat Nano Agent must be installed on the machines that you wish to monitor using Falco rule sets. The Spyderbat Nano Agent leverages eBPF technology on Linux systems to gather data and forward it to the Spyderbat backend. A full list of supported Linux distributions can be found on our website here (paragraph 4).

Please refer to the following guide on how to install Spyderbat Nano Agent into a Kubernetes cluster.

Falco does not have to be installed in your environment prior to the Spyderbat integration, as its installation is handled as part of the integration process. We provide instructions below both for environments where Falco is not running yet and for environments where Falco is already in place. For reference, here is the official installation guide available on the Falco Helm chart repository.

Installing Falco Sidekick Using Helm Chart

You can configure the Falco Sidekick daemon to connect Falco to your existing ecosystem. This lets you forward Falco-generated events to your Spyderbat platform, where they are integrated with Spyderbat's security content and displayed in the causal activity graphs of the Spyderbat Investigation UI, supplementing and enriching Spyderbat's own output.

If you do not already have Falco installed, you can install it and configure it to use the Spyderbat integration at the same time. First, add the Falco security helm chart repository:

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

Then, install Falco and the Spyderbat integration with:

helm install falco falcosecurity/falco \
    --create-namespace \
    --namespace falco \
    --set falcosidekick.enabled=true \
    --set falcosidekick.config.spyderbat.orguid="YOUR_ORG_ID" \
    --set falcosidekick.config.spyderbat.apiurl="https://api.spyderbat.com" \
    --set falcosidekick.config.spyderbat.apikey="YOUR_API_KEY" \
    --set extra.args=\{"-p","%proc.pid"\} \
    --set driver.kind=modern_ebpf

If you already have Falco installed through the Helm chart, changing helm install to helm upgrade should update it properly. Make sure to include any existing custom configuration that you are using for Falco or the Sidekick Pod, since values not passed to helm upgrade will be reset to the chart defaults.

The “orguid”, which stands for Unique Organization ID, is specific to your organization and can be retrieved from the Spyderbat UI URL, once you log into your console:

Aside from enabling and configuring the Spyderbat integration, the extra.args setting adds the process ID (%proc.pid) to the Falco event messages; Spyderbat uses this ID to tie each event into its existing process context. The driver.kind setting selects the modern_ebpf driver instead of the default kernel driver. If your machine's kernel does not support the modern eBPF driver, remove that argument.

Please refer to the KBA “How to Set Up Your Spyderbat API Key and Use the Spyderbat API” for more information on Spyderbat API use. For your convenience, the main steps for API Key generation are listed below:

  1. Log in to the Spyderbat console

  2. Click on your User icon in the upper right corner and go to the “API Keys” section

  3. If you do not have any active API keys, click “+ Create API Key” and save it in your user profile

  4. Once generated, copy the API key to the clipboard:

Validation

If the installation proceeded correctly, you should receive no error messages and can run the following command to validate that all pods deployed successfully:

kubectl get pods --all-namespaces

You should see output similar to the following if everything is working as expected, with the Falco and Falco Sidekick pods in the falco namespace in the Running state:

Once Falco starts detecting suspicious activity, flags labeled “FALCO” will be generated in the Spyderbat data stream and made visible in the Spydergraph Investigation section. These flags can be located by running a search query: select the “Search” option in the left-hand navigation menu, run your search query, then check the box next to the flag you wish to investigate on a visual causal graph and click “Start Investigation”:

Once you click the “Start Investigation” button, you will be redirected to the Investigation page where you will be able to see the selected flags and all associated processes as well as other security content:

You can also locate these flags by applying filtering options to our default Flags Dashboard and selecting the flags to start an Investigation this way:

Please refer to our Spyderbat Overview Video for a more detailed walkthrough of the UI and its key functionality.

To stay on top of incoming Falco findings, you can create a custom dashboard card to pull in all Falco flags with desired severity by building the following search query for Redflag objects:

short_name = "falco_flag"

Once you have run your search, you can save the output as a custom dashboard card to be easily accessible through the UI:

Falco severity values are mapped to Spyderbat severity values as follows:

Falco Severity Value    Spyderbat Severity Value
Emergency               Critical
Critical                Critical
Alert                   High
Error                   High
Warning                 Medium
Notice                  Low
Informational           Info
Debug                   Info
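As an added example (not Spyderbat's or Falco's own code), the following Python applies the mapping above to Falco's newline-delimited JSON output and keeps only the flags at or above a chosen Spyderbat severity, the same selection a dashboard card with a severity filter makes in the UI. The sample events and rule names are constructed, and the flag record shape is an assumption for illustration, not Spyderbat's Redflag schema.

```python
import json

# Falco priority -> Spyderbat severity, as in the mapping table above.
FALCO_TO_SPYDERBAT = {
    "Emergency": "Critical", "Critical": "Critical", "Alert": "High",
    "Error": "High", "Warning": "Medium", "Notice": "Low",
    "Informational": "Info", "Debug": "Info",
}
# Spyderbat severities ranked so a "Medium or worse" threshold can be applied.
SPYDERBAT_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample of Falco's newline-delimited JSON output (not real alerts);
# proc.pid is present in output_fields because of the -p "%proc.pid" extra arg.
SAMPLE_FALCO_JSON = """
{"hostname":"node-1","priority":"Warning","rule":"Terminal shell in container","output_fields":{"proc.pid":4242}}
{"hostname":"node-1","priority":"Notice","rule":"Read sensitive file untrusted","output_fields":{"proc.pid":4250}}
garbage line that is not JSON
{"hostname":"node-2","priority":"Emergency","rule":"Linux Kernel Module Injection Detected","output_fields":{"proc.pid":77}}
"""


def to_spyderbat_flag(event):
    """Map one parsed Falco event to a flag record (assumed shape) carrying the
    mapped severity and the proc.pid Spyderbat uses to tie the event into its graph."""
    severity = FALCO_TO_SPYDERBAT.get(event.get("priority"))
    if severity is None:  # Falco emits only the eight priorities listed above
        raise ValueError(f"unknown Falco priority: {event.get('priority')!r}")
    return {
        "short_name": "falco_flag",
        "rule": event.get("rule", ""),
        "severity": severity,
        "hostname": event.get("hostname", ""),
        "pid": event.get("output_fields", {}).get("proc.pid"),
    }


def select_flags(json_lines, min_severity="Medium"):
    """Parse newline-delimited Falco JSON and keep flags at or above min_severity;
    malformed or empty lines are skipped so one bad line cannot stall the feed."""
    threshold = SPYDERBAT_RANK[min_severity]
    flags = []
    for line in json_lines.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        flag = to_spyderbat_flag(event)
        if SPYDERBAT_RANK[flag["severity"]] >= threshold:
            flags.append(flag)
    return flags
```

With the default threshold the Warning and Emergency events are kept as Medium and Critical flags, while the Notice event (Low) and the malformed line are dropped.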

Note that the free Spyderbat Community account allows you to monitor up to 5 nodes, i.e. register up to 5 sources in the Spyderbat UI. If you have a cluster that contains more than 5 nodes or anticipate scaling up in the near future, please visit https://www.spyderbat.com/pricing/ to sign up for our Professional tier.
