Articles

Route Falco Alerts Anywhere with Falcosidekick (2026)

April 16, 2026 3 min read

Falcosidekick can send alerts to a wide variety of destinations, not just Slack.

Here’s how to configure Falcosidekick to send alerts to PagerDuty, for example.

First, we need to set up a PagerDuty service.

In PagerDuty, navigate to "Services" and then "Create New Service".

Give your service a name, like "Falco Alerts".

Under "Integration Type", select "Falco".

PagerDuty will then generate an "Integration Key". This is what Falcosidekick will use to communicate with PagerDuty. Copy this key, as we’ll need it shortly.

Now, let’s configure Falcosidekick. This is typically done via a config.yaml file.

You’ll need to specify the Output section for PagerDuty.

outputs:
  - name: pagerduty
    type: pagerduty
    pagerduty:
      url: "https://events.pagerduty.com/v2/enqueue"
      routing_key: "YOUR_PAGERDUTY_INTEGRATION_KEY"
      severity: "critical"
      client_name: "falcosidekick"
      client_url: "http://your-falco-instance.com"

Replace YOUR_PAGERDUTY_INTEGRATION_KEY with the actual integration key you copied from PagerDuty.

The severity field can be set to critical, warning, info, or debug, depending on how you want PagerDuty to categorize these alerts.

client_name and client_url are useful for identifying where the alert originated in PagerDuty.

You also need to tell Falcosidekick which rules should trigger alerts and where to send them. This is done in the Falco section.

falco:
  json: true
  grpc:
    enabled: true
    host: 127.0.0.1
    port: 8765
  rules:
    - rule: "AlwaysAllowPrivilegeAndHostMounts"

      output: "[host: {{.Hostname}}] container {{.PodName}} mounted host path {{.HostPath}} with privileged: true"

      priority: "critical"
      output_fields:

        - "host={{.Hostname}}"


        - "container_id={{.Container.ID}}"


        - "container_name={{.Container.Name}}"


        - "pod_name={{.PodName}}"


        - "namespace={{.PodNamespace}}"


        - "image={{.Repository}}"


        - "mount_host_path={{.HostPath}}"


        - "mount_type={{.MountType}}"


        - "privileged={{.Privileged}}"

      outputs:
        - "pagerduty" # This tells Falcosidekick to send this alert to the PagerDuty output

In this example, the AlwaysAllowPrivilegeAndHostMounts rule is configured to send its output to the PagerDuty service we defined.

The outputs field within a rule specifies which output configurations should receive the alert. If you had multiple outputs configured (e.g., Slack and PagerDuty), you could list them both here.

Falco itself needs to be configured to send its output to Falcosidekick. If Falcosidekick is running in the same Kubernetes cluster, you’ll likely configure Falco’s grpc output.

# In Falco's falco.yaml
grpc:
  enabled: true
  host: 127.0.0.1
  port: 8765

This tells Falco to stream its events over gRPC to the specified host and port, which is where Falcosidekick is listening.

Once configured, when Falco detects an event matching the AlwaysAllowPrivilegeAndHostMounts rule, it will send the event to Falcosidekick. Falcosidekick will then format this event and send it to PagerDuty using the provided integration key, creating an incident.

You can also customize the PagerDuty payload further. For instance, you might want to dynamically set the severity based on the Falco rule’s priority.

outputs:
  - name: pagerduty
    type: pagerduty
    pagerduty:
      url: "https://events.pagerduty.com/v2/enqueue"
      routing_key: "YOUR_PAGERDUTY_INTEGRATION_KEY"
      client_name: "falcosidekick"
      client_url: "http://your-falco-instance.com"
      # You can map Falco priorities to PagerDuty severities
      priority_to_severity:
        critical: "critical"
        warning: "warning"
        info: "info"
        debug: "debug"

This mapping allows Falco’s defined priorities (like critical, warning) to directly translate into PagerDuty’s severity levels, ensuring that high-priority Falco alerts trigger high-severity PagerDuty incidents.

The client_url can be a URL to your Falco dashboard or a specific event view, providing responders with immediate context.

If you want to send alerts to multiple destinations, simply add more entries to the outputs section of your config.yaml.

For example, to send to both PagerDuty and a webhook:

outputs:
  - name: pagerduty
    type: pagerduty
    pagerduty:
      url: "https://events.pagerduty.com/v2/enqueue"
      routing_key: "YOUR_PAGERDUTY_INTEGRATION_KEY"
      severity: "critical"
      client_name: "falcosidekick"
      client_url: "http://your-falco-instance.com"
  - name: webhook
    type: webhook
    webhook:
      url: "http://your-webhook-receiver.com/alerts"
      method: "POST"
      payload: |
        {
          "alert": {

            "rule": "{{.Rule}}",


            "priority": "{{.Priority}}",


            "output": "{{.Output}}",


            "hostname": "{{.Hostname}}",


            "container": "{{.Container.Name}}",


            "image": "{{.Repository}}"

          }
        }

Then, in your Falco rules, you’d specify which outputs to use:

rules:
  - rule: "AlwaysAllowPrivilegeAndHostMounts"

    output: "[host: {{.Hostname}}] container {{.PodName}} mounted host path {{.HostPath}} with privileged: true"

    priority: "critical"
    outputs:
      - "pagerduty"
      - "webhook"

This setup demonstrates Falcosidekick’s flexibility in routing security events to various operational and incident management systems.

The next step is integrating with your SIEM for long-term storage and analysis.

Want structured learning?

Take the full Falco course →