{"id":"c5a3bae8-495a-4826-969f-5f95cb625501","task":"Route Falco alerts to multiple outputs using Falcosidekick","domain":"github.com/falcosecurity/falcosidekick","steps":["Deploy Falcosidekick via its Helm chart and configure the `config.yaml` with target outputs such as Slack, webhook, or Elasticsearch","Set Falco's `json_output: true` and `json_include_output_property: true` in `falco.yaml` so alerts are machine-readable","Point Falco's `http_output` to the Falcosidekick service URL (default port 2801)","Configure output-specific sections in the Falcosidekick values file with credentials or endpoints for each sink","Deploy Falcosidekick-UI alongside if a web dashboard is needed; it connects to the same Falcosidekick instance","Verify delivery by triggering a test event with `falco --list` or a known-bad container and checking the downstream sink"],"gotchas":["Falcosidekick drops alerts if the upstream Falco HTTP output queue fills; tune `http_output.nb_threads` for high-event environments","Each output type has independent retry and timeout settings; misconfigured credentials cause silent drops unless `debug: true` is enabled","Priority filtering in Falcosidekick (`minimumpriority`) overrides Falco rule priority — ensure the threshold is not set too high in production"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/c5a3bae8-495a-4826-969f-5f95cb625501"}