© 2025 Garnet Labs Inc.

Events & Detections

  • Events:

    • Raw system activities observed and collected by Jibril

    • Examples: Process creation, network connections, file operations

    • High volume of telemetry data

    • Most are benign normal activities

  • Detections:

    • Specific events or patterns identified as potentially malicious or anomalous

    • Generated when Jibril's detection engine identifies suspicious behavior

    • Much lower volume than events

    • Require attention, investigation, or automated response

In essence, Jibril continuously monitors a high volume of events. Its engine then intelligently filters and analyzes these events to pinpoint specific detections that warrant attention and potentially an automated response (like blocking) or human investigation.

Understanding the distinction between events and detections is crucial when working with Garnet:

  • Events:

    • Raw activities observed and collected by the Jibril sensor running in your monitored environments.

    • These are fine-grained records of system behavior.

    • Examples include: a network connection being opened, a file being accessed or modified, a new process being executed, or a user escalating privileges.

    • Events provide the foundational data for security analysis but are not, in themselves, indicators of malicious activity.

  • Detections:

    • Specific events, or patterns of events, that are identified by Jibril's behavioral analysis engine as potentially malicious, anomalous, or policy-violating.

    • Detections are the output of Jibril's threat intelligence and rule-based system working on the stream of raw events.

    • These are what trigger alerts within the Garnet Platform.

    • Examples include: "Malicious Network Connection to C2 Server Detected", "Crypto Miner Execution Attempt Blocked", "Unauthorized Credential File Access", "Anomalous Process Execution Chain".

    • Detections are designed to be actionable and provide context for security incidents.
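As an added illustration (not Jibril's code and not its real event schema), the small Python correlator below consumes a constructed stream of raw events, most of them benign, and emits only the detections that a single-event rule or a multi-event pattern matches; the event fields, process names, allowlist and rules are assumptions chosen to mirror the example detections named above.

```python
# Added illustration, not Jibril's code: event schema, names and rules are constructed.
CREDENTIAL_PATHS = {"/etc/shadow", "/root/.aws/credentials"}
CREDENTIAL_READERS = {"sshd", "login"}            # assumed allowlist of legitimate readers
NETWORK_SERVICES = {"nginx", "apache2", "node"}   # assumed network-facing services
SHELLS = {"sh", "bash", "dash"}

def ancestry(procs, pid):
    """Process chain root..pid as command names, rebuilt from exec events seen so far."""
    chain = []
    while pid in procs and len(chain) < 64:       # bounded walk; unknown ppid ends the chain
        comm, pid = procs[pid]
        chain.append(comm)
    return chain[::-1]

def detect(events):
    """Consume raw events in order; return the far smaller list of (title, context, event)."""
    procs = {}      # pid -> (comm, ppid)
    detections = []
    for ev in events:
        if ev["type"] == "process_exec":
            procs[ev["pid"]] = (ev["comm"], ev["ppid"])
            chain = ancestry(procs, ev["pid"])
            # Pattern spanning three exec events: network service -> shell -> command.
            if len(chain) >= 3 and chain[-2] in SHELLS and chain[-3] in NETWORK_SERVICES:
                detections.append(("Anomalous Process Execution Chain", " -> ".join(chain), ev))
        elif ev["type"] == "file_open" and ev["path"] in CREDENTIAL_PATHS:
            comm = procs.get(ev["pid"], ("<unknown>", 0))[0]
            if comm not in CREDENTIAL_READERS:    # single-event rule with an allowlist
                detections.append(("Unauthorized Credential File Access", f"{ev['path']} by {comm}", ev))
        # every other event (net_connect, allowed reads, benign execs) stays plain telemetry
    return detections

EVENTS = [  # constructed sample telemetry, not captured from a real host
    {"type": "process_exec", "pid": 1, "ppid": 0, "comm": "systemd"},
    {"type": "process_exec", "pid": 200, "ppid": 1, "comm": "nginx"},
    {"type": "process_exec", "pid": 210, "ppid": 1, "comm": "sshd"},
    {"type": "file_open", "pid": 210, "path": "/etc/shadow"},             # allowed reader
    {"type": "net_connect", "pid": 200, "dst": "10.0.0.5:5432"},          # ordinary backend traffic
    {"type": "process_exec", "pid": 300, "ppid": 1, "comm": "cron"},
    {"type": "process_exec", "pid": 301, "ppid": 300, "comm": "sh"},      # cron -> sh is normal
    {"type": "process_exec", "pid": 302, "ppid": 301, "comm": "logrotate"},
    {"type": "process_exec", "pid": 400, "ppid": 200, "comm": "sh"},      # nginx -> sh
    {"type": "process_exec", "pid": 401, "ppid": 400, "comm": "id"},      # nginx -> sh -> id: fires
    {"type": "file_open", "pid": 401, "path": "/root/.aws/credentials"},  # fires
]

if __name__ == "__main__":
    for title, context, _ in detect(EVENTS):
        print(f"{title}: {context}")   # 11 events in, 2 detections out
```

Eleven events go in and two detections come out, which is the volume relationship the lists above describe; a real engine adds many more rules and richer context, but the shape of the pipeline is the same.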
