Glossary
A
Agent
The Jibril agent running on a node or in a GitHub Actions workflow. Monitors network activity and sends events to Garnet Platform.
Allow Policy
A policy that permits traffic to specified domains/IPs, even if not in the baseline. Overrides unknown egress detection.
API Token
Authentication credential used by agents to connect to Garnet Platform. Generated in Dashboard → Settings → API Tokens.
B
Baseline
The learned set of “normal” network behaviors for a specific micro-context. Built automatically over 7-14 days.
Block Policy
A policy that blocks traffic to specified domains/IPs, even if in the baseline. Always takes precedence.
C
Connect Event
An eBPF-captured outbound TCP or UDP connection attempt, including destination IP, port, and process info.
D
Detect-Only Mode
Default operating mode where Garnet observes and reports unknown egress but does not block connections.
DNS Event
An eBPF-captured DNS query showing the domain name resolved and resulting IP addresses.
E
eBPF (Extended Berkeley Packet Filter)
Linux kernel technology that allows Garnet to monitor network activity without modifying kernel code or adding overhead.
Egress
Outbound network traffic leaving a node or container. Garnet monitors egress only (not ingress).
Enforce Mode
Operating mode where Garnet actively blocks unknown egress connections at the kernel level.
Event
Raw telemetry captured by Jibril agents (DNS queries, connect attempts, process spawns, file access).
F
False Positive
An Issue flagged for legitimate traffic that should have been in the baseline. Usually occurs during initial baseline learning.
G
Garnet Platform
Cloud-based dashboard and API for managing agents, viewing Issues, and configuring policies.
I
Ingress
Inbound network traffic arriving at a node or container. Not monitored by Garnet (use a WAF instead).
Issue
A detected instance of unknown egress—an outbound connection not seen in the baseline for that micro-context.
J
Jibril
The open-source eBPF agent that runs on nodes and monitors network activity. Named after the angel of revelation.
K
Known Good
A manual marking applied to an Issue to indicate the traffic is legitimate and should be added to the baseline.
M
Micro-Context
A specific scope in which Garnet learns behavior separately. Examples:
- GitHub Actions: workflow + job + step
- Kubernetes: node (pod/namespace coming soon)
Mode
Operating behavior of an agent. Either detect-only (observe) or enforce (block).
N
Node Scope
Current Kubernetes monitoring level where all pods on a node share one baseline. Pod-level scope is on the roadmap.
P
Policy
A user-defined rule specifying domains/IPs to always allow or block, overriding auto-baseline.
Process Ancestry
The parent chain of a process (e.g., bash → npm → node → curl) shown in Issue details.
R
Runner
A GitHub Actions worker VM where workflows execute. Garnet monitors Ubuntu runners via the garnet-action.
S
Severity
Issue importance level: Critical, High, Medium, or Low. Based on threat intelligence and behavioral analysis.
Syscall
Linux system call (like connect() or sendto()). Garnet uses eBPF to intercept network-related syscalls.
T
Telemetry
Raw data collected by agents: DNS queries, connections, processes, file access. Sent to Garnet Platform for analysis.
U
Unknown Egress
An outbound connection to a domain/IP not previously seen in the baseline for that micro-context. Triggers an Issue.
V
Verdict
The action taken on an Issue:
- Detected: Logged but allowed (detect-only mode)
- Blocked: Prevented from completing (enforce mode)
Common Acronyms
| Acronym | Meaning |
|---|---|
| eBPF | Extended Berkeley Packet Filter |
| GHA | GitHub Actions |
| K8s | Kubernetes |
| CIDR | Classless Inter-Domain Routing (IP range notation) |
| DNS | Domain Name System |
| TCP | Transmission Control Protocol |
| UDP | User Datagram Protocol |
| HTTPS | HTTP Secure (TLS-encrypted HTTP) |
| API | Application Programming Interface |
| YAML | YAML Ain’t Markup Language (config file format) |