
First Detection Checklist

Use this checklist to validate your Garnet setup and understand what to do next.

✅ Setup Validation

1. Agent Connected

  • GitHub Actions: Latest workflow run shows Garnet action step completed successfully
  • Kubernetes: kubectl logs -l app=jibril -n garnet shows Connected to Garnet Platform

2. Issue Detected

Go to dashboard.garnet.ai/issues and confirm you see at least one Issue.
If no Issues yet, that’s normal—your baseline is clean. Generate a test detection (see below).

3. Issue Details Populated

Click an Issue and verify you see:
  • Process name and command line
  • DNS query or connect event
  • Timestamp and micro-context (workflow or node)

🧪 Generate Test Detection

If you haven’t seen an Issue yet, trigger one manually.
In GitHub Actions, add a test step to any workflow:
- name: Test Unknown Egress
  run: |
    curl -I https://unknown-test-domain-$(date +%s).com || true
This creates a unique unknown domain each run.
These test URLs don’t actually connect anywhere—DNS resolution fails, but Garnet still logs the attempt as unknown egress.

📊 Understand Your Baseline

What is “Normal” for Your Context?

Garnet builds a baseline per micro-context:
  • GitHub Actions: Per workflow + job + step
  • Kubernetes: Per node (pod-level coming soon)
Example:
  • npm install in workflow “CI” → learns domains like registry.npmjs.org
  • Same workflow running later → malicious-npm-mirror.com = unknown egress
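
The per-micro-context baseline described above, as a simplified Python model. This is an added example, not Garnet's implementation: the event fields, the learn/detect split and the sample events are constructed assumptions. It also shows why the test step uses a fresh timestamped domain each run.

```python
# Simplified model of a per-micro-context egress baseline. Added illustration,
# not Garnet's implementation; event fields and learn/detect split are assumed.
from collections import defaultdict

def norm(domain):
    return domain.lower().rstrip(".")

class EgressBaseline:
    def __init__(self):
        # (workflow, job, step) -> set of domains observed while learning
        self.known = defaultdict(set)

    @staticmethod
    def context(event):
        return (event["workflow"], event["job"], event["step"])

    def learn(self, events):
        for e in events:
            self.known[self.context(e)].add(norm(e["domain"]))

    def unknown_egress(self, events):
        """Events whose domain is absent from their own micro-context's baseline."""
        return [e for e in events
                if norm(e["domain"]) not in self.known.get(self.context(e), set())]

def ev(step, domain, workflow="CI", job="build"):
    return {"workflow": workflow, "job": job, "step": step, "domain": domain}

# Constructed sample telemetry (not real Garnet events).
LEARNING_RUNS = [
    ev("npm install", "registry.npmjs.org"),
    ev("checkout", "github.com"),
    ev("Test Unknown Egress", "unknown-test-domain-1700000000.com"),
]
LATER_RUN = [
    ev("npm install", "registry.npmjs.org"),        # in this step's baseline
    ev("npm install", "malicious-npm-mirror.com"),  # never seen: unknown
    ev("npm install", "github.com"),                # known only for "checkout"
    ev("Test Unknown Egress", "unknown-test-domain-1700000000.com"),  # reused
    ev("Test Unknown Egress", "unknown-test-domain-1700000999.com"),  # fresh
]

def flagged():
    baseline = EgressBaseline()
    baseline.learn(LEARNING_RUNS)
    return [(e["step"], e["domain"]) for e in baseline.unknown_egress(LATER_RUN)]

if __name__ == "__main__":
    for step, domain in flagged():
        print(f"unknown egress in step {step!r}: {domain}")
```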

Check Your Events

Go to Events in the dashboard to see all telemetry:
  • DNS queries
  • Connect events
  • Process lineage
Filter by micro-context to see what’s baseline vs. unknown.

🚀 Next Steps

1. Establish Baseline (1-7 days)

Run your normal workloads for a few days in Detect-only mode.
Review Issues and mark false positives as “Known Good” (coming soon).

2. Enable Enforce Mode

Once baseline is clean, enable blocking: Learn about Enforce mode →

3. Set Up Alerts

Configure Slack or webhook alerts for critical Issues: Dashboard → Settings → Notifications

🎯 Success Criteria

You’re ready for production when:

Clean Baseline

7 days of normal workload activity with zero false positive Issues

Test Detection Confirmed

Manually triggered unknown egress appears as Issue within 60 seconds

PR Comments Working

GitHub Actions: Unknown egress in CI triggers PR comment (if enabled)

Alerts Configured

Slack/webhook notifications tested and working


🛠️ Common Issues

Cause: Baseline period too short, or dynamic DNS in use.
Fix:
  • Extend baseline period to 7+ days
  • Add known-good domains to policy allowlist (see Policy Examples)

Cause: Domain may already be in baseline from previous run.
Fix: Use a unique test domain each time (see test examples above).

Cause: Missing GITHUB_TOKEN or pull-requests: write permission.
Fix: Add both to your workflow (see 10-Minute Setup).

✉️ Need Help?

Not seeing expected behavior?