Skip to main contentWhat events are recorded
Garnet records three types of runtime events:
Network events
Every outgoing connection with:
- Destination IP/domain
- Process that made the connection
- Full process ancestry (parent chain)
- Timestamp
Detects:
- Data exfiltration
- C2 callbacks
- Crypto miner connections
- Unauthorized API calls
File events
Every file operation with:
- File path
- Operation (read/write/execute)
- Process performing the operation
- Timestamp
Detects:
- Malware drops
- Config tampering
- Unauthorized file access
- Sensitive data reads
Process events
Every process started with:
- Command and arguments
- Parent process
- Environment variables
- User/group
Detects:
- Shell spawning
- Reverse shells
- Privilege escalation
- Container escapes
Policies
Policies control what actions to take on events:
- Observe (default): Log all events, no blocking
- Allow: Whitelist specific patterns, log others
- Block: Stop matching events, alert immediately
Default mode: observe all, block known threats (crypto miners, C2 domains)
Reading events in the dashboard
Events table
Filter by type, severity, time. Click any event to see details.
Event details
Click an event to see:
- Process tree (what spawned what)
- Command, args, environment
- Network/file/process specifics
Actions
- Mark event as allow (create allowlist)
- Mark as block (autoblock next time)
- Export for SIEM or audit
- “Interpreters Only” filter = just app code, not system noise
