Install Falco on your Kubernetes nodes or as a systemd service on Linux hosts; ensure the kernel module or eBPF probe matches your kernel version
Configure the webhook output in falco.yaml: in the http_output section set enabled: true and point the url field at your webhook endpoint URL; set the insecure option only if the endpoint is internal and uses a self-signed certificate
Define the alert fields to include in the JSON payload through each rule's output format string; include at minimum the rule name, priority, output message, time, hostname, and the syscall context fields relevant to that rule
Deploy Falcosidekick as a sidecar or separate deployment to fan out Falco alerts to multiple destinations (Slack, PagerDuty, Elasticsearch, webhook) without modifying Falco configuration for each target
Test the pipeline by triggering a known Falco rule (e.g., writing to /etc in a container) and verifying the alert arrives at the webhook with the expected payload within seconds
Tune noisy default rules by adding entries to a falco_rules.local.yaml override file to adjust priority levels or add exception conditions; avoid editing the base rules file directly so upstream updates are easy to merge
Known gotchas
Falco's kernel module or eBPF probe must be rebuilt when the host kernel is updated; failure to do so causes Falco to stop capturing syscall events silently, leaving you with no runtime alerts
High-throughput workloads can generate enough Falco events to overwhelm a naive webhook consumer; rate-limit or buffer alerts using Falcosidekick's queue settings or a message queue in front of the webhook
Custom rules that use the container.id or k8s.pod.name fields require Falco to be connected to the container runtime socket; if the socket mount is missing, those fields will be empty in alert payloads
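A webhook consumer for the pipeline above, written here as an added example rather than code from Falco or Falcosidekick: it validates the JSON alert that Falco posts, drops alerts below a priority threshold, flags the empty container context described in the last gotcha, and applies a sliding-window rate limit for the high-throughput case. The sample payload, host name and field values are constructed for this example; the field names follow Falco's JSON output.

```python
import json
import time
from collections import deque

# Falco priority names, most severe first (same order Falco uses).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]
# Constructed sample in the shape Falco's http_output posts when json_output
# is enabled; every value is made up for this example.
SAMPLE_ALERT = {
    "hostname": "node-1", "rule": "Write below etc", "priority": "Error",
    "time": "2024-05-01T17:02:10.123456789Z", "source": "syscall",
    "output": "17:02:10.123456789: Error File below /etc opened for writing",
    "output_fields": {"container.id": "abc123", "container.name": "web",
                      "fd.name": "/etc/passwd", "user.name": "root"}}

def parse_alert(alert) -> dict:
    """Validate one Falco alert (JSON text or dict); keep what a consumer needs."""
    a = json.loads(alert) if isinstance(alert, (str, bytes)) else alert
    for key in ("rule", "priority", "output", "time", "hostname"):
        if key not in a:
            raise ValueError(f"alert missing required field: {key}")
    if a["priority"] not in PRIORITIES:
        raise ValueError(f"unknown priority: {a['priority']}")
    fields = a.get("output_fields") or {}
    # Empty container/k8s fields usually mean the runtime socket is not mounted.
    missing = not fields.get("container.id") and not fields.get("k8s.pod.name")
    return {"rule": a["rule"], "priority": a["priority"], "host": a["hostname"],
            "time": a["time"], "fields": fields, "context_missing": missing}

class RateLimiter:
    """Sliding-window limiter: at most `limit` alerts per `window` seconds."""
    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.stamps = deque()
    def allow(self) -> bool:
        now = self.clock()
        while self.stamps and now - self.stamps[0] >= self.window:
            self.stamps.popleft()  # forget stamps that fell out of the window
        if len(self.stamps) >= self.limit:
            return False
        self.stamps.append(now)
        return True

def handle(alert, limiter: RateLimiter, threshold: str = "Warning") -> str:
    parsed = parse_alert(alert)
    # Lower index is more severe, so Error (3) passes a Warning (4) threshold.
    if PRIORITIES.index(parsed["priority"]) > PRIORITIES.index(threshold):
        return "dropped:priority"
    return "forwarded" if limiter.allow() else "dropped:ratelimit"
```

Wire handle() behind whatever HTTP server receives the POST; a parsed alert whose context_missing is true is the signal that the runtime socket mount needs fixing rather than a reason to discard it.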