Additional configuration for Falco default rules on Alertmanager

[HuyDo-95g]

Motivation

Falco default rules are good but can't be modified individually.

Feature

I think it would make sense to allow user to modify an individual Falco default rule that are send to Alertmanager to match with user's usage or business without have to replace the whole list of default rule to user's customized rules.
For example:

• change "priority: Critical" to "severity: Critical"
• Add additional description for different rule.

Alternatives

At the moment user only could add an extra label or extra annotation to the whole list of default rule but not an individual one.

Additional context

[Issif]

Hi,

For the mapping between severity and priority, there's already the PR #440 for that.
For your second point, I don't understand your usage. If you want different format for the alerts, you have to change the output field in falco's rules.

[HuyDo-95g]

Hi @Issif,
Thanks for your quick response.
Does any falcosecurity chart support to change the falco's rules output? And is it possible to change the output of individual rule?

[Issif]

You can override the default rules like you want yes: https://falco.org/docs/rules/appending/#rewriting-rules

An example for the values:

customRules:
  override-k8saudit.yaml: |-
    - list: allowed_k8s_users
      append: true
      items: [eks:cloud-controller-manager, eks:vpc-resource-controller, eks:az-poller]
    - macro: live_endpoint
      append: true
      condition: or ka.uri="/readyz?exclude=kms-provider-0" or ka.uri="/livez?exclude=kms-provider-0"

This appends items to existing macro and list, but without the append: true, you can replace the whole content.

[Issif]

The release 2.29.0 fixed this issue.