Tigera

Overview

This document provides a detailed guide to integrating Tigera (Calico Enterprise / Calico Cloud) with Callgoose SQIBS for real-time security incident management, threat detection alerting, and automated incident resolution.

The integration leverages Tigera’s Webhook notification system to send security events, policy violations, and anomaly detections directly to Callgoose. Using Callgoose API Filters, these payloads are converted into actionable incidents that alert your on-call engineers instantly.

Prerequisites

Before beginning, ensure you have the following:

  • A Callgoose SQIBS account with permissions to create API Filters and access integration endpoints.
  • A Tigera / Calico Enterprise or Calico Cloud environment with admin-level access.
  • A valid Callgoose API token and API endpoint URL.
  • A test Global Alert configured in Tigera to validate the webhook delivery.

1. Prepare Callgoose: Obtain Endpoint and Token

1.1 Retrieve Callgoose API Endpoint

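Generate or locate your Callgoose process endpoint in your dashboard. The API token is passed in the token query parameter, so handle the full URL as a credential wherever it is stored or logged: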

https://****.callgoose.com/v1/process?from=Tigera&token=xxxx


2. Configure Tigera Webhook

2.1 Choose the Webhook Scope

Tigera allows you to send notifications for various security events including:

  • Global Network Policy Violations
  • WAF (Web Application Firewall) Events
  • Deep Packet Inspection (DPI) Alerts
  • Threat Feed Matches (e.g., communication with known malicious IPs)

2.2 Configure Webhook Fields

  1. In the Tigera/Calico Manager UI, navigate to Activity > Alerts > Configure.
  2. Select Add Notification Channel and choose Webhook.
  3. Set the following options:
       • Channel Name: Callgoose-SQIBS
       • Webhook URL: The Callgoose endpoint from Step 1.
       • HTTP Method: POST
       • Content Type: application/json

Save the channel and ensure it is associated with your active Alert Definitions.

3. Example Tigera Payloads

A typical Tigera security alert event body looks like this:

Firing State Example

{
  "status": "firing",
  "alert_name": "Suspicious Lateral Movement",
  "alert_id": "tigera-sec-001",
  "severity": "high",
  "description": "Unmatched flow detected from pod 'frontend' to 'db-internal'",
  "timestamp": "2026-04-17T12:00:00Z",
  "labels": {
    "namespace": "production",
    "cluster": "aws-us-east-1"
  }
}

Resolved State Example

{
  "status": "resolved",
  "alert_name": "Suspicious Lateral Movement",
  "alert_id": "tigera-sec-001",
  "resolved_at": "2026-04-17T12:10:00Z"
}

4. Create API Filters in Callgoose SQIBS

Callgoose API Filters convert Tigera's raw JSON data into structured incidents. You should set up two filters for a complete lifecycle.

4.1 Trigger Filter — Create Incident

Use these settings to create an incident when Tigera detects a threat:

  • Payload JSON Key: status
  • Key Value Contains: firing
  • Map Incident With: alert_id (Crucial for linking alerts)
  • Incident Title: alert_name
  • Incident Description: description or full_payload

4.2 Resolve Filter — Auto-Resolve Incident

Use these settings to automatically close the incident once the threat is mitigated or the alert clears:

  • Payload JSON Key: status
  • Key Value Contains: resolved
  • Incident Mapped With: alert_id

Refer to the API Filter Instructions and FAQ for more details.

5. Cluster Connection & Communication

For security events to reach Callgoose, the following communication path must be active:

  • Managed Cluster to SaaS: Your Kubernetes clusters must be successfully registered as "Managed Clusters" in Calico Cloud. Ensure the tigera-operator and calico-node pods are healthy.
  • Data Sync: Ensure your clusters have outbound access to *.calicocloud.io to sync flow logs and security events to the SaaS management plane.


6. Verify and Test the Integration

6.1 Test Initial Delivery

  • Use the Test button within the Tigera Webhook configuration page.
  • Confirm the payload appears in the Callgoose API Logs.

6.2 Final Verification

  1. Trigger: Simulate a policy violation in your cluster (e.g., attempt to access a forbidden port).
  2. Verify Incident: Ensure an incident is created in Callgoose and the correct on-call user is notified.
  3. Resolve: Delete the violating pod or update the policy. Ensure Tigera sends a resolved status and Callgoose closes the incident.

7. Troubleshooting

If the integration is not behaving as expected, use the following guide to identify and resolve common configuration errors.

  • Incoming Payload Not Received: Verify Tigera’s outbound firewall rules allow egress traffic to the Callgoose API. Check the Webhook Logs in Tigera to ensure the endpoint URL and Token are accurately entered.
  • Alerts Not Triggering: Confirm that the specific Alert Definition in the Tigera Manager UI is explicitly linked to the Callgoose Webhook notification channel. An alert without a linked channel will log internally but won't send a webhook.
  • Duplicate Incidents: Ensure the alert_id field is correctly mapped in the Callgoose API Filter. If this mapping is missing or incorrect, Callgoose may treat every status update or repeat heartbeat as a brand-new unique event.
  • Authentication/Token Errors: Re-verify that the token=xxxx parameter in your Tigera Webhook URL matches the active API Token generated in your Callgoose SQIBS dashboard. A mismatch will result in a 401 Unauthorized or 403 Forbidden error.
  • Incidents Not Auto-Resolving: Ensure Send Resolved Alerts is toggled ON in Tigera's notification settings. Additionally, verify that your "Resolve Filter" in Callgoose is specifically looking for the status: resolved key-value pair in the incoming JSON.
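
The trigger and resolve filters from section 4 and the Duplicate Incidents case above can be checked offline before touching a live cluster. The following is an added example, not Callgoose or Tigera code: FilterModel and replay are hypothetical names, the events are constructed from the section 3 payloads, and the matching behaviour (deduplication on the mapped key, a new incident when the key is absent) is an assumption based on this guide.

```python
import json

# Constructed sample events, shaped like the payloads in section 3.
FIRING = {"status": "firing", "alert_name": "Suspicious Lateral Movement",
          "alert_id": "tigera-sec-001", "severity": "high",
          "description": "Unmatched flow detected from pod 'frontend' to 'db-internal'"}
RESOLVED = {"status": "resolved", "alert_name": "Suspicious Lateral Movement",
            "alert_id": "tigera-sec-001", "resolved_at": "2026-04-17T12:10:00Z"}


class FilterModel:
    """Hypothetical local model of the two filters; not Callgoose's code."""

    def __init__(self, map_key="alert_id"):
        self.map_key = map_key
        self.open = {}    # mapping value -> open incident
        self.closed = []  # incidents closed by the resolve filter
        self._unmapped = 0

    def process(self, event):
        status = str(event.get("status", ""))
        key = event.get(self.map_key)
        if "firing" in status:  # trigger filter: "Key Value Contains: firing"
            if key is None:
                # No mapping value: assumed to open a new incident every time.
                self._unmapped += 1
                key = f"unmapped-{self._unmapped}"
            if key in self.open:
                return "deduplicated"
            self.open[key] = {
                "title": event.get("alert_name"),
                "description": event.get("description") or json.dumps(event),
            }
            return "created"
        if "resolved" in status:  # resolve filter: "Key Value Contains: resolved"
            if key in self.open:
                self.closed.append(self.open.pop(key))
                return "resolved"
            return "no-matching-incident"
        return "ignored"


def replay(events, map_key="alert_id"):
    """Feed events through a fresh model; return outcomes and open count."""
    model = FilterModel(map_key)
    return [model.process(e) for e in events], len(model.open)


if __name__ == "__main__":
    print(replay([FIRING, FIRING, RESOLVED]))
    print(replay([FIRING, FIRING, RESOLVED], map_key="alertId"))
```

With the mapping key mistyped as alertId, the repeated firing event opens a second incident and the resolved event closes neither, which is the symptom described under Duplicate Incidents and Incidents Not Auto-Resolving.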

8. Conclusion

Integrating Tigera with Callgoose SQIBS transforms silent security logs into immediate, actionable responses. By automating the transition from "threat detected" to "engineer notified," you significantly reduce your Mean Time to Respond (MTTR) and ensure that critical network security events never go unnoticed.

For further assistance, refer to:



