Complete reference for all detection types in Garnet.

Overview

Garnet uses eBPF (Extended Berkeley Packet Filter) to monitor system-level activities in real-time. This allows detection of threats at the kernel level without requiring any application changes.

Detection Categories

Network-Based Detections

What it detects: Connections to known cryptocurrency mining pools
How it works: Monitors outbound network connections and compares them against a database of mining pool IPs and domains.
Severity: High
Common causes:
  • Compromised dependencies
  • Malicious container images
  • Supply chain attacks
Example:
{
  "type": "crypto_mining",
  "destination": "pool.supportxmr.com:3333",
  "process": "/usr/bin/node",
  "severity": "high"
}

What it detects: Unusual data transfers to external IPs
How it works: Monitors volume and patterns of outbound network traffic to identify suspicious data transfers.
Severity: Critical
Common causes:
  • Credential theft
  • Database dumps
  • Secret exposure
Example:
{
  "type": "data_exfiltration",
  "destination": "185.220.101.42:443",
  "bytes_sent": 52428800,
  "severity": "critical"
}

What it detects: Command & Control server communications
How it works: Identifies connections to known malicious IPs and suspicious communication patterns.
Severity: Critical
Common causes:
  • Backdoors
  • Remote access trojans
  • Post-exploitation frameworks
Example:
{
  "type": "c2_callback",
  "destination": "malicious.example.com:4444",
  "protocol": "tcp",
  "severity": "critical"
}

What it detects: Malicious code in dependencies during build/runtime
How it works: Monitors network activity from build processes and dependency installations.
Severity: High
Common causes:
  • Typosquatting
  • Compromised packages
  • Malicious maintainers
Example:
{
  "type": "supply_chain",
  "package": "malicious-package@1.0.0",
  "behavior": "unexpected_network_activity",
  "severity": "high"
}

Process-Based Detections

What it detects: Unusual process spawning patterns
How it works: Monitors process creation and execution chains to identify anomalous behavior.
Severity: Medium to High
Common causes:
  • Shell injection
  • Privilege escalation attempts
  • Lateral movement

What it detects: Attempts to gain elevated privileges
How it works: Monitors syscalls and process activities related to privilege changes.
Severity: Critical
Common causes:
  • Kernel exploits
  • SUID/SGID abuse
  • Container escape attempts

File-Based Detections

What it detects: Unauthorized access to sensitive files
How it works: Monitors file system operations on critical paths such as /etc/shadow, credential files, and keys.
Severity: High
Common causes:
  • Credential harvesting
  • Configuration tampering
  • Secret exposure

What it detects: Suspicious file creation, modification, or deletion
How it works: Tracks file operations that match known malware patterns.
Severity: Medium to High
Common causes:
  • Ransomware
  • Webshells
  • Persistence mechanisms

Detection Metadata

Each detection includes:
Field        Description
timestamp    When the event occurred (UTC)
agent_id     Which agent detected the event
severity     low, medium, high, or critical
type         Detection category
process      Process information (PID, name, path, args)
network      Network details (IP, port, protocol, domain)
file         File information (path, operation, permissions)
container    Container context (ID, image, namespace)

Detection States

State            Description
detected         Event identified but no action taken
blocked          Event prevented from executing
allowed          Event whitelisted by user
investigating    Under manual review

False Positives

Common Scenarios

  1. Legitimate mining: GPU computing, SETI@home, Folding@home
    • Solution: Add to allowlist via dashboard or network policy
  2. Backup operations: Large data transfers to cloud storage
    • Solution: Whitelist known backup destinations
  3. Development tools: Package managers, build tools
    • Solution: Use scope-based policies (allow in dev, block in prod)

Reducing False Positives

  1. Review Detection Context: Check process ancestry, timestamps, and container context
  2. Create Network Policies: Use specific scopes (workflow, repo, cluster) instead of global allowlists
  3. Monitor Trends: Look for patterns in similar detections before blocking
  4. Use Staging Environments: Test changes in non-production first
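The following is an added example, not Garnet's own code, showing how the scope-based allowlisting recommended above maps detection events shaped like the examples in this document onto the detection states from the table. The "scope" key on the events, the scoped allowlist structure and the sample destinations are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample events shaped like the detection examples above.
# The "scope" key is an assumption; Garnet's real event schema may differ.
SAMPLE_EVENTS = [
    {"type": "crypto_mining", "destination": "pool.supportxmr.com:3333",
     "process": "/usr/bin/node", "severity": "high", "scope": "repo:acme/web"},
    {"type": "data_exfiltration", "destination": "185.220.101.42:443",
     "bytes_sent": 52428800, "severity": "critical", "scope": "cluster:prod"},
    {"type": "data_exfiltration", "destination": "203.0.113.10:443",
     "bytes_sent": 52428800, "severity": "critical", "scope": "cluster:backup"},
]

# Hypothetical scoped allowlist: destination pattern -> scopes where it is allowed.
# A CIDR matches IP destinations; a bare hostname matches it and its subdomains.
# Scoping the entry to the backup cluster avoids a global allowlist that would
# also silence the same destination in production.
ALLOWLIST = {
    "203.0.113.0/24": {"cluster:backup"},   # known backup destination (constructed)
}

def split_destination(dest):
    """Split "host:port" into (host, port); IPv6 literals are bracketed, e.g. "[::1]:443"."""
    host, _, port = dest.rpartition(":")
    return host.strip("[]"), int(port)

def destination_allowed(dest, scope):
    """True if the destination matches an allowlist entry that covers this scope."""
    host, _ = split_destination(dest)
    for pattern, scopes in ALLOWLIST.items():
        if scope not in scopes:
            continue                         # entry exists, but not for this scope
        try:
            if ipaddress.ip_address(host) in ipaddress.ip_network(pattern):
                return True
        except ValueError:                   # host or pattern is not an IP/CIDR
            if host == pattern or host.endswith("." + pattern):
                return True
    return False

def triage(event):
    """Map an event to a state from the detection-state table: allowed or detected."""
    dest = event.get("destination")
    if dest and destination_allowed(dest, event.get("scope", "")):
        return "allowed"
    return "detected"                        # no action taken; a reviewer decides next

def triage_all(events):
    """Return (type, destination, state) for each event so trends can be reviewed."""
    return [(e["type"], e.get("destination"), triage(e)) for e in events]
```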

Custom Detection Rules

Custom detection rules are available on Enterprise plans. Contact us for more information.

Next Steps