feat: falco integration #1091

New issue

Closed

opened 2026-03-28 04:31:35 +00:00 by mfreeman451 · 0 comments

mfreeman451 commented

2026-03-28 04:31:35 +00:00

Owner

Imported from GitHub.

Original GitHub issue: #2985
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/issues/2985
Original created: 2026-03-03T06:24:39Z

Is your feature request related to a problem?

We've got the falco sidekick sidecar writing logs to NATS JetStream, now we need to integrate that into ServiceRadar:

Elixir/Broadway consumer to write messages to OCSF events table in web-ng

serviceradar-tools-5b587d46dc-dsx4m:/# nats stream ls
╭─────────────────────────────────────────────────────────────────────────────────────────╮
│                                         Streams                                         │
├─────────────────┬─────────────┬─────────────────────┬──────────┬─────────┬──────────────┤
│ Name            │ Description │ Created             │ Messages │ Size    │ Last Message │
├─────────────────┼─────────────┼─────────────────────┼──────────┼─────────┼──────────────┤
│ ARANCINI_CAUSAL │             │ 2026-02-19 22:30:14 │ 63       │ 20 KiB  │ 1h32m5s      │
│ falco_events    │             │ 2026-03-03 05:39:46 │ 167      │ 269 KiB │ 21.28s       │
│ events          │             │ 2026-02-27 09:02:43 │ 2,664    │ 38 MiB  │ 91ms         │
╰─────────────────┴─────────────┴─────────────────────┴──────────┴─────────┴──────────────╯

[9] Subject: falco.notice.contact_k8s_api_server_from_container Received: 2026-03-03 05:56:44
{"uuid":"6c226df2-9877-4630-b9f4-c419a88599e1","output":"05:56:44.079252771: Notice Unexpected connection to K8s API Server from container | connection=10.42.202.216:50460-\u003e10.43.0.1:443 lport=50460 rport=443 fd_type=ipv4 fd_proto=tcp evt_type=connect user=\u003cNA\u003e user_uid=472 user_loginuid=-1 process=python proc_exepath=/usr/local/bin/python3.13 parent=python command=python -u /app/sidecar.py terminal=0 container_id=ec56370f8d11 container_name=grafana-sc-datasources container_image_repository=quay.io/kiwigrid/k8s-sidecar container_image_tag=1.30.0 k8s_pod_name=kube-prom-grafana-85d59d85f9-gg6zz k8s_ns_name=monitoring","priority":"Notice","rule":"Contact K8S API Server From Container","time":"2026-03-03T05:56:44.079252771Z","output_fields":{"container.id":"ec56370f8d11","container.image.repository":"quay.io/kiwigrid/k8s-sidecar","container.image.tag":"1.30.0","container.name":"grafana-sc-datasources","evt.time":1772517404079252771,"evt.type":"connect","fd.l4proto":"tcp","fd.lport":50460,"fd.name":"10.42.202.216:50460-\u003e10.43.0.1:443","fd.rport":443,"fd.type":"ipv4","k8s.ns.name":"monitoring","k8s.pod.name":"kube-prom-grafana-85d59d85f9-gg6zz","proc.cmdline":"python -u /app/sidecar.py","proc.exepath":"/usr/local/bin/python3.13","proc.name":"python","proc.pname":"python","proc.tty":0,"user.loginuid":-1,"user.name":"\u003cNA\u003e","user.uid":472},"source":"syscall","tags":["","T1565","container","k8s","maturity_stable","mitre_discovery","network"],"hostname":"k8s-cp2-worker2"}


[10] Subject: falco.notice.contact_k8s_api_server_from_container Received: 2026-03-03 05:56:49
{"uuid":"0e688e1a-57a1-4237-84c7-175d78619c2d","output":"05:56:49.684779242: Notice Unexpected connection to K8s API Server from container | connection=10.42.202.216:50462-\u003e10.43.0.1:443 lport=50462 rport=443 fd_type=ipv4 fd_proto=tcp evt_type=connect user=\u003cNA\u003e user_uid=472 user_loginuid=-1 process=python proc_exepath=/usr/local/bin/python3.13 parent=python command=python -u /app/sidecar.py terminal=0 container_id=58e2e912cc62 container_name=grafana-sc-dashboard container_image_repository=quay.io/kiwigrid/k8s-sidecar container_image_tag=1.30.0 k8s_pod_name=kube-prom-grafana-85d59d85f9-gg6zz k8s_ns_name=monitoring","priority":"Notice","rule":"Contact K8S API Server From Container","time":"2026-03-03T05:56:49.684779242Z","output_fields":{"container.id":"58e2e912cc62","container.image.repository":"quay.io/kiwigrid/k8s-sidecar","container.image.tag":"1.30.0","container.name":"grafana-sc-dashboard","evt.time":1772517409684779242,"evt.type":"connect","fd.l4proto":"tcp","fd.lport":50462,"fd.name":"10.42.202.216:50462-\u003e10.43.0.1:443","fd.rport":443,"fd.type":"ipv4","k8s.ns.name":"monitoring","k8s.pod.name":"kube-prom-grafana-85d59d85f9-gg6zz","proc.cmdline":"python -u /app/sidecar.py","proc.exepath":"/usr/local/bin/python3.13","proc.name":"python","proc.pname":"python","proc.tty":0,"user.loginuid":-1,"user.name":"\u003cNA\u003e","user.uid":472},"source":"syscall","tags":["","T1565","container","k8s","maturity_stable","mitre_discovery","network"],"hostname":"k8s-cp2-worker2"}

Describe the solution you'd like

A clear and concise description of what you want to happen.

Describe alternatives you've considered

A clear and concise description of any alternative solutions or features you've considered.

Additional context

Add any other context or screenshots about the feature request here.

Imported from GitHub. Original GitHub issue: #2985 Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/issues/2985 Original created: 2026-03-03T06:24:39Z --- **Is your feature request related to a problem?** We've got the falco sidekick sidecar writing logs to NATS JetStream, now we need to integrate that into ServiceRadar: - [ ] Elixir/Broadway consumer to write messages to OCSF events table in web-ng ``` serviceradar-tools-5b587d46dc-dsx4m:/# nats stream ls ╭─────────────────────────────────────────────────────────────────────────────────────────╮ │ Streams │ ├─────────────────┬─────────────┬─────────────────────┬──────────┬─────────┬──────────────┤ │ Name │ Description │ Created │ Messages │ Size │ Last Message │ ├─────────────────┼─────────────┼─────────────────────┼──────────┼─────────┼──────────────┤ │ ARANCINI_CAUSAL │ │ 2026-02-19 22:30:14 │ 63 │ 20 KiB │ 1h32m5s │ │ falco_events │ │ 2026-03-03 05:39:46 │ 167 │ 269 KiB │ 21.28s │ │ events │ │ 2026-02-27 09:02:43 │ 2,664 │ 38 MiB │ 91ms │ ╰─────────────────┴─────────────┴─────────────────────┴──────────┴─────────┴──────────────╯ ``` ``` [9] Subject: falco.notice.contact_k8s_api_server_from_container Received: 2026-03-03 05:56:44 {"uuid":"6c226df2-9877-4630-b9f4-c419a88599e1","output":"05:56:44.079252771: Notice Unexpected connection to K8s API Server from container | connection=10.42.202.216:50460-\u003e10.43.0.1:443 lport=50460 rport=443 fd_type=ipv4 fd_proto=tcp evt_type=connect user=\u003cNA\u003e user_uid=472 user_loginuid=-1 process=python proc_exepath=/usr/local/bin/python3.13 parent=python command=python -u /app/sidecar.py terminal=0 container_id=ec56370f8d11 container_name=grafana-sc-datasources container_image_repository=quay.io/kiwigrid/k8s-sidecar container_image_tag=1.30.0 k8s_pod_name=kube-prom-grafana-85d59d85f9-gg6zz k8s_ns_name=monitoring","priority":"Notice","rule":"Contact K8S API Server From Container","time":"2026-03-03T05:56:44.079252771Z","output_fields":{"container.id":"ec56370f8d11","container.image.repository":"quay.io/kiwigrid/k8s-sidecar","container.image.tag":"1.30.0","container.name":"grafana-sc-datasources","evt.time":1772517404079252771,"evt.type":"connect","fd.l4proto":"tcp","fd.lport":50460,"fd.name":"10.42.202.216:50460-\u003e10.43.0.1:443","fd.rport":443,"fd.type":"ipv4","k8s.ns.name":"monitoring","k8s.pod.name":"kube-prom-grafana-85d59d85f9-gg6zz","proc.cmdline":"python -u /app/sidecar.py","proc.exepath":"/usr/local/bin/python3.13","proc.name":"python","proc.pname":"python","proc.tty":0,"user.loginuid":-1,"user.name":"\u003cNA\u003e","user.uid":472},"source":"syscall","tags":["","T1565","container","k8s","maturity_stable","mitre_discovery","network"],"hostname":"k8s-cp2-worker2"} [10] Subject: falco.notice.contact_k8s_api_server_from_container Received: 2026-03-03 05:56:49 {"uuid":"0e688e1a-57a1-4237-84c7-175d78619c2d","output":"05:56:49.684779242: Notice Unexpected connection to K8s API Server from container | connection=10.42.202.216:50462-\u003e10.43.0.1:443 lport=50462 rport=443 fd_type=ipv4 fd_proto=tcp evt_type=connect user=\u003cNA\u003e user_uid=472 user_loginuid=-1 process=python proc_exepath=/usr/local/bin/python3.13 parent=python command=python -u /app/sidecar.py terminal=0 container_id=58e2e912cc62 container_name=grafana-sc-dashboard container_image_repository=quay.io/kiwigrid/k8s-sidecar container_image_tag=1.30.0 k8s_pod_name=kube-prom-grafana-85d59d85f9-gg6zz k8s_ns_name=monitoring","priority":"Notice","rule":"Contact K8S API Server From Container","time":"2026-03-03T05:56:49.684779242Z","output_fields":{"container.id":"58e2e912cc62","container.image.repository":"quay.io/kiwigrid/k8s-sidecar","container.image.tag":"1.30.0","container.name":"grafana-sc-dashboard","evt.time":1772517409684779242,"evt.type":"connect","fd.l4proto":"tcp","fd.lport":50462,"fd.name":"10.42.202.216:50462-\u003e10.43.0.1:443","fd.rport":443,"fd.type":"ipv4","k8s.ns.name":"monitoring","k8s.pod.name":"kube-prom-grafana-85d59d85f9-gg6zz","proc.cmdline":"python -u /app/sidecar.py","proc.exepath":"/usr/local/bin/python3.13","proc.name":"python","proc.pname":"python","proc.tty":0,"user.loginuid":-1,"user.name":"\u003cNA\u003e","user.uid":472},"source":"syscall","tags":["","T1565","container","k8s","maturity_stable","mitre_discovery","network"],"hostname":"k8s-cp2-worker2"} ``` **Describe the solution you'd like** A clear and concise description of what you want to happen. **Describe alternatives you've considered** A clear and concise description of any alternative solutions or features you've considered. **Additional context** Add any other context or screenshots about the feature request here.