Transform raw security events into actionable intelligence with Garnet’s AI engine.
The AI Insights engine analyzes historical patterns, threat intelligence, and context to recommend optimal policy configurations and incident responses.

How It Works

AI-powered security in five stages:
1. Data Collection

Jibril sends events to Garnet Cloud:
{
  "event_type": "network_connection",
  "process": "python3",
  "destination": "suspicious-domain.com",
  "context": {...}
}
2. AI Analysis

Machine learning models evaluate:
  • Historical behavior patterns
  • Threat intelligence feeds
  • Organizational context
  • Industry benchmarks
3. Generate Insights

AI produces actionable recommendations:
{
  "policy_update": "DropDomain",
  "recommended_scope": "repo",
  "confidence": 0.94,
  "impact_score": 8.3,
  "reasoning": "This domain has been flagged in 3 recent incidents..."
}
4. Apply (Optional)

Auto-apply approved recommendations or review them manually.

AI-Powered Features

Suggests new policies based on detected patterns. Example:
# AI-recommended policy after detecting similar incidents
policy "Block Newly Observed Domain" {
  type        = "network"
  match       = domain_equals("evil-cdn.com")
  action      = "block"
  scope       = "repo"
  severity    = "high"
  description = "AI-detected: Domain appeared in 3 incidents across 2 repos"
  tags        = ["ai-recommended", "threat-intelligence"]
}

Confidence Score: 94% (based on historical accuracy)

Impact Score: 8.3/10 (estimated security improvement)
Automatically categorizes and prioritizes incidents:

Priority | Criteria                                | Action
P0       | Known attack pattern + active exploit   | Immediate block + alert
P1       | Suspicious behavior + high confidence   | Block + notify on-call
P2       | Anomalous pattern + medium confidence   | Observe + log
P3       | Low confidence or false positive likely | Log only
Reduces alert fatigue by 78% on average
Recommends optimal policy scopes based on blast-radius analysis. Example:
{
  "current_scope": "global",
  "recommended_scope": "repo",
  "reasoning": "This behavior only observed in yourorg/backend. Global scope would cause false positives in yourorg/frontend (83% confidence)",
  "estimated_false_positives_avoided": 47
}
Links related incidents across repositories and clusters. Example output:
🔗 Related Incidents Detected

Incident #1247 (yourorg/api)
Incident #1249 (yourorg/worker)
Incident #1251 (yourorg/cron)

Pattern: All attempted connections to the same C2 domain
Recommendation: Apply block at global scope
Confidence: 97%
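The scope recommendation and incident correlation described above both come down to the same question: across how many repositories has the same destination been seen? The following is an added example, not Garnet's own code, that groups constructed network_connection events (in the shape shown in the Data Collection step) by destination and derives a scope from the blast radius. The `repo` and `incident_id` fields inside `context`, the minimum-incident threshold, and the "two or more repos means global" rule are assumptions; the engine's confidence score is not reproduced, since the page describes it as the output of a trained model.

```python
"""Correlate network_connection events by destination and recommend a policy
scope from the blast radius. Added illustration; not Garnet's own code."""
from collections import defaultdict

# Constructed sample events. "repo" and "incident_id" inside "context" are
# assumed field names; the domains come from the examples on this page.
EVENTS = [
    {"event_type": "network_connection", "process": "python3",
     "destination": "pool.xmrig.com",
     "context": {"repo": "yourorg/api", "incident_id": 1247}},
    {"event_type": "network_connection", "process": "node",
     "destination": "pool.xmrig.com",
     "context": {"repo": "yourorg/worker", "incident_id": 1249}},
    {"event_type": "network_connection", "process": "curl",
     "destination": "pool.xmrig.com",
     "context": {"repo": "yourorg/cron", "incident_id": 1251}},
    {"event_type": "network_connection", "process": "pip",
     "destination": "files.pythonhosted.org",
     "context": {"repo": "yourorg/api", "incident_id": 1252}},
    {"event_type": "network_connection", "process": "python3",
     "destination": "suspicious-domain.com",
     "context": {"repo": "yourorg/backend", "incident_id": 1253}},
    {"event_type": "network_connection", "process": "python3",
     "destination": "suspicious-domain.com",
     "context": {"repo": "yourorg/backend", "incident_id": 1254}},
]


def correlate_by_destination(events):
    """Group incidents by destination domain.
    Returns {domain: {"incidents": [ids], "repos": {repo names}}}."""
    groups = defaultdict(lambda: {"incidents": [], "repos": set()})
    for ev in events:
        if ev.get("event_type") != "network_connection":
            continue
        group = groups[ev["destination"]]
        group["incidents"].append(ev["context"]["incident_id"])
        group["repos"].add(ev["context"]["repo"])
    return groups


def recommend_scope(group, min_incidents=2):
    """Blast-radius rule (assumption): a destination seen in several repos is
    an organisation-wide problem and gets a global block; one seen repeatedly
    in a single repo gets a repo-scoped block so other repos do not pay for it
    in false positives; a single sighting is not enough evidence to recommend
    a block at all."""
    if len(group["incidents"]) < min_incidents:
        return None
    if len(group["repos"]) >= 2:
        return {"policy_update": "DropDomain", "recommended_scope": "global"}
    return {"policy_update": "DropDomain", "recommended_scope": "repo",
            "repo": next(iter(group["repos"]))}


def build_recommendations(events):
    """Produce one recommendation per destination that clears the threshold,
    carrying the related incidents and affected repos for the reviewer."""
    out = {}
    for domain, group in correlate_by_destination(events).items():
        rec = recommend_scope(group)
        if rec:
            rec["related_incidents"] = sorted(group["incidents"])
            rec["affected_repos"] = sorted(group["repos"])
            out[domain] = rec
    return out


if __name__ == "__main__":
    for domain, rec in build_recommendations(EVENTS).items():
        print(domain, rec)
```

On the constructed input, pool.xmrig.com (three repos) is recommended for a global block, suspicious-domain.com (two incidents, one repo) for a repo-scoped block, and the single pip download produces no recommendation. The interesting defensive detail is the single-repo branch: a domain that only ever appears in one repository is a weak signal for everyone else, and widening its block beyond that repo is how false positives spread.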

API Response Example

Query the AI Insights API:
curl -X POST https://api.garnet.ai/v1/insights/analyze \
  -H "Authorization: Bearer $GARNET_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "incident_ids": ["inc_abc123", "inc_def456"],
    "analyze_scope": true,
    "recommend_policies": true
  }'
Response:
{
  "insights": [
    {
      "type": "policy_recommendation",
      "policy_update": "DropDomain",
      "recommended_scope": "repo",
      "confidence": 0.94,
      "impact_score": 8.3,
      "reasoning": "Domain 'pool.xmrig.com' detected in 3 incidents over 48 hours. All from 'yourorg/api' repository. Recommend repo-scoped block to prevent false positives in other repos.",
      "estimated_false_positives": 2,
      "estimated_true_positives": 12,
      "auto_apply_eligible": true
    },
    {
      "type": "scope_optimization",
      "current_scope": "workflow",
      "recommended_scope": "global",
      "reasoning": "This threat pattern observed across 4 repositories and 2 clusters. Elevating to global scope provides better protection.",
      "confidence": 0.89,
      "affected_repos": ["yourorg/api", "yourorg/worker", "yourorg/frontend", "yourorg/mobile"]
    },
    {
      "type": "correlation",
      "related_incidents": ["inc_abc123", "inc_def456", "inc_ghi789"],
      "pattern": "supply_chain_attack",
      "attack_vector": "compromised_npm_package",
      "recommended_action": "block_package_domain",
      "confidence": 0.96
    }
  ],
  "summary": {
    "total_recommendations": 3,
    "high_confidence_count": 2,
    "auto_apply_count": 1,
    "estimated_risk_reduction": "73%"
  }
}

Dashboard View

The Garnet Dashboard displays AI insights inline with incidents:
  • Incident View
  • Recommendations Feed
📊 Incident #1247
Status: Blocked
Policy: DropDomain
Destination: pool.xmrig.com

✨ AI Insight
This domain has been blocked 8 times in the last 7 days.
Recommendation: Add to global blocklist
Confidence: 96%

[Apply Recommendation] [Dismiss]

Auto-Apply Settings

Control how aggressively AI recommendations are applied:
  • Conservative
  • Balanced
  • Aggressive
  • Manual
{
  "auto_apply": true,
  "confidence_threshold": 0.95,
  "require_manual_review": ["scope_expansion", "policy_deletion"],
  "max_auto_applies_per_day": 3
}
Use when: Production environments, high-compliance requirements
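The settings block above only states the knobs; what matters operationally is the order in which they are checked before a recommendation from the API response is allowed to change a policy. The following is an added example, not Garnet's own code, that runs the three insights from the API Response Example through a local gate built from those settings. The insight fields and settings keys are copied from this page; the scope ordering used to detect a `scope_expansion`, the daily-counter handling and the audit-record shape are assumptions about how such a gate would be built.

```python
"""Gate AI recommendations against the auto-apply settings before anything is
applied. Added illustration; not Garnet's own code."""
from datetime import date

# Settings copied from the Auto-Apply Settings example on this page.
SETTINGS = {
    "auto_apply": True,
    "confidence_threshold": 0.95,
    "require_manual_review": ["scope_expansion", "policy_deletion"],
    "max_auto_applies_per_day": 3,
}

# Insights copied from the API Response Example, trimmed to the fields the
# gate inspects.
INSIGHTS = [
    {"type": "policy_recommendation", "policy_update": "DropDomain",
     "recommended_scope": "repo", "confidence": 0.94,
     "auto_apply_eligible": True},
    {"type": "scope_optimization", "current_scope": "workflow",
     "recommended_scope": "global", "confidence": 0.89},
    {"type": "correlation", "pattern": "supply_chain_attack",
     "recommended_action": "block_package_domain", "confidence": 0.96},
]

# Assumed ordering of scopes from narrowest to widest.
SCOPE_RANK = {"workflow": 0, "repo": 1, "global": 2}


def classify_change(insight):
    """Map an insight to the categories named in require_manual_review.
    Widening a scope counts as 'scope_expansion'; nothing on this page
    deletes a policy, so 'policy_deletion' is never produced here."""
    cur = insight.get("current_scope")
    new = insight.get("recommended_scope")
    if cur and new and SCOPE_RANK.get(new, 0) > SCOPE_RANK.get(cur, 0):
        return "scope_expansion"
    return insight["type"]


def decide(insight, settings, applied_today):
    """Return (decision, reason); decision is 'auto_apply' or 'manual_review'.
    The server-side auto_apply_eligible flag is deliberately not consulted:
    the local threshold is the final authority."""
    if not settings["auto_apply"]:
        return "manual_review", "auto_apply disabled"
    category = classify_change(insight)
    if category in settings["require_manual_review"]:
        return "manual_review", f"{category} always needs a human"
    if insight["confidence"] < settings["confidence_threshold"]:
        return "manual_review", (f"confidence {insight['confidence']:.2f} "
                                 "below threshold")
    if applied_today >= settings["max_auto_applies_per_day"]:
        return "manual_review", "daily auto-apply budget exhausted"
    return "auto_apply", "passed all gates"


def gate_insights(insights, settings, applied_today=0):
    """Run every insight through the gate and keep an audit record per
    decision, so each auto-applied change can be traced and rolled back."""
    audit = []
    for ins in insights:
        decision, reason = decide(ins, settings, applied_today)
        if decision == "auto_apply":
            applied_today += 1
        audit.append({"date": date.today().isoformat(), "type": ins["type"],
                      "decision": decision, "reason": reason, "insight": ins})
    return audit


if __name__ == "__main__":
    for record in gate_insights(INSIGHTS, SETTINGS):
        print(record["type"], "->", record["decision"], "(", record["reason"], ")")
```

With the 0.95 threshold shown above, only the 0.96-confidence correlation is auto-applied: the DropDomain recommendation is held back despite the response marking it `auto_apply_eligible`, because 0.94 is below the local threshold (it would pass under the 0.90 threshold set in the CLI example further down), and the scope optimization from workflow to global is routed to a human because it is a scope expansion, regardless of its confidence. Checking the manual-review categories before the confidence score keeps a very confident recommendation from widening a scope unreviewed.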

CLI Usage

Interact with AI insights via garnetctl:
# Get AI recommendations for a specific incident
garnetctl insights analyze --incident inc_abc123

# List all pending recommendations
garnetctl insights list --status pending

# Apply a recommendation
garnetctl insights apply rec_xyz789

# Configure auto-apply settings
garnetctl insights configure --confidence-threshold 0.90 --auto-apply true

Benefits

Faster Response

Reduce triage time by 78%: automated prioritization and correlation

Better Accuracy

94% confidence on high-priority alerts: machine learning reduces false positives

Adaptive Defense

Continuously improving: learns from your environment and threat landscape

Privacy & Security

  • All analysis performed on Garnet Cloud (encrypted in transit and at rest)
  • No source code or secrets transmitted
  • Only metadata and event patterns analyzed
  • Compliant with SOC 2 Type II, ISO 27001, and GDPR
  • Models trained on anonymized, aggregated threat intelligence
  • Your data never shared with other customers
  • Opt-out available for ultra-sensitive environments
  • Full reasoning provided for every recommendation
  • Audit logs for all auto-applied changes
  • Rollback capability for any AI-applied policy
