View and triage security events in real-time.

Events Dashboard

[Image: Events dashboard showing security detections]

Event Types

Network Threats

  • C2 communications
  • Data exfiltration
  • DNS tunneling
  • Port scanning

Process Threats

  • Crypto miners
  • Malware execution
  • Privilege escalation
  • Code injection

File Threats

  • Malicious downloads
  • Unauthorized access
  • File encryption
  • Data destruction

Container Threats

  • Container breakouts
  • Image vulnerabilities
  • Runtime modifications
  • Resource abuse

Filtering Events

By Severity

Immediate action required:
  • Crypto mining detected
  • Active data exfiltration
  • Container breakout attempts
  • C2 communications

By Environment

Filter events by deployment environment:
  • GitHub Actions - CI/CD pipeline events
  • Kubernetes - Cluster and pod events
  • Docker - Container and host events
  • All Environments - Combined view

By Time Range

  • Last hour - Real-time monitoring
  • Last 24 hours - Daily review
  • Last 7 days - Weekly analysis
  • Custom range - Specific time periods

Event Details

[Image: Detailed event view with forensic information]

Core Information

  • Timestamp - When the event occurred
  • Agent - Which Jibril agent detected it
  • Severity - Critical, High, Medium, Low
  • Status - New, Investigating, Resolved, False Positive

Process Details

  • Command - Full command line executed
  • PID - Process identifier
  • Parent - Parent process information
  • User - User context
  • Working Directory - Execution path

Network Details

  • Source IP - Origin of connection
  • Destination IP - Target of connection
  • Port - Network port used
  • Protocol - TCP, UDP, ICMP
  • Bytes Transferred - Data volume

File Details

  • Path - File system location
  • Operation - Read, write, delete, execute
  • Size - File size
  • Hash - SHA256 fingerprint
  • Permissions - File access rights

Taking Action

Mark as False Positive

If an event is legitimate:
  1. Click “Mark as False Positive”
  2. Add optional comment explaining why
  3. Event is hidden from future views
  4. Similar events auto-marked as safe

Create Allowlist Rule

To prevent similar false positives:
  1. Click “Create Allowlist Rule”
  2. Choose rule scope:
    • Global - All environments
    • Environment - Specific deployment
    • Agent - Single agent only
  3. Define pattern to match
  4. Save rule

Block Network Destination

For network threats:
  1. Click “Block Destination”
  2. Choose block scope:
    • Global - All agents
    • Cluster - Kubernetes cluster
    • Agent - Single agent
  3. Confirm block action
  4. Traffic is immediately blocked

Export Event Data

For compliance or investigation:
  1. Select events to export
  2. Choose format: JSON, CSV, PDF
  3. Include forensic details
  4. Download file

Event Analytics

View threat patterns over time:
  • Volume - Number of events per day
  • Types - Most common threat categories
  • Sources - Top attacking IPs/domains
  • Targets - Most targeted assets

Environment Comparison

Compare security posture across environments:
  • Event Frequency - Events per environment
  • Severity Distribution - Risk levels
  • Response Times - Time to resolution
  • False Positive Rates - Detection accuracy

Agent Performance

Monitor agent effectiveness:
  • Detection Rate - Events per agent
  • Coverage - Monitored vs total assets
  • Health Status - Agent connectivity
  • Resource Usage - CPU/memory impact

Automation

Webhooks

Send events to external systems. Configure the webhook endpoint at:
  Dashboard > Settings > Notifications > Webhooks

Example webhook payload:
{
  "event_id": "evt_123456",
  "severity": "critical",
  "type": "crypto_mining",
  "agent": "github-runner-01",
  "timestamp": "2024-01-15T10:30:00Z",
  "process": {
    "command": "xmrig -o pool.minexmr.com:4444",
    "pid": 12345,
    "user": "runner"
  },
  "action_taken": "process_killed"
}

Slack Integration

[Image: Slack notification showing security alert]

Configure:
  1. Create Slack webhook
  2. Add webhook URL to Garnet dashboard
  3. Choose alert severity levels
  4. Test integration

SIEM Integration

Forward events to your SIEM:
  • Splunk - HTTP Event Collector
  • Elasticsearch - Direct indexing
  • Azure Sentinel - Log Analytics API
  • AWS Security Hub - FindingsGenerator API
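As an added example (not Garnet's or Jibril's own code), the receiver side of the webhook above: it validates a delivered payload against the fields shown in the example and flattens it into a record for SIEM forwarding. The sample body is constructed from the page's example, and the Splunk HEC-style envelope keys (time, host, sourcetype, event) and the "garnet:event" sourcetype are assumptions.

```python
import json
from datetime import datetime, timezone

# Field names come from the example webhook payload on this page.
REQUIRED = ("event_id", "severity", "type", "agent", "timestamp")
SEVERITIES = ("critical", "high", "medium", "low")  # index 0 = most severe

# Constructed sample body, shaped like the page's example payload.
SAMPLE_PAYLOAD = json.dumps({
    "event_id": "evt_123456", "severity": "critical", "type": "crypto_mining",
    "agent": "github-runner-01", "timestamp": "2024-01-15T10:30:00Z",
    "process": {"command": "xmrig -o pool.minexmr.com:4444", "pid": 12345, "user": "runner"},
    "action_taken": "process_killed",
})


def parse_event(body: str) -> dict:
    """Decode and validate a webhook body; raise ValueError rather than
    forward a half-formed finding to the SIEM."""
    try:
        event = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON: {exc}") from None
    if not isinstance(event, dict):
        raise ValueError("payload must be a JSON object")
    missing = [k for k in REQUIRED if k not in event]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if event["severity"] not in SEVERITIES:
        raise ValueError(f"unknown severity {event['severity']!r}")
    # Normalise the ISO-8601 'Z' timestamp to a UTC epoch for indexing.
    ts = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
    event["_epoch"] = ts.astimezone(timezone.utc).timestamp()
    return event


def to_hec_record(event: dict) -> dict:
    """Flatten a parsed event into a Splunk HEC-style envelope (assumed
    shape: time/host/sourcetype/event), keeping the forensic process fields."""
    flat = {
        "event_id": event["event_id"], "type": event["type"], "agent": event["agent"],
        "severity": event["severity"],
        "severity_num": SEVERITIES.index(event["severity"]) + 1,  # 1 = critical
        "action_taken": event.get("action_taken", "none"),
    }
    for key, value in (event.get("process") or {}).items():
        flat[f"process_{key}"] = value  # process.command -> process_command
    return {"time": event["_epoch"], "host": event["agent"],
            "sourcetype": "garnet:event", "event": flat}
```

Rejecting malformed or unknown-severity bodies before forwarding keeps the SIEM index clean and makes a misconfigured or tampered sender visible as receiver errors rather than as silent gaps.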

Best Practices

Daily Review

  1. Check critical events - Review all critical severity events
  2. Triage high events - Investigate high severity within 1 hour
  3. Update allowlists - Add legitimate activities to reduce noise
  4. Monitor trends - Look for unusual patterns

Weekly Analysis

  1. Review false positives - Adjust detection rules
  2. Analyze attack patterns - Identify recurring threats
  3. Update security policies - Strengthen weak areas
  4. Performance review - Optimize agent coverage

Incident Response

  1. Immediate containment - Block threats automatically where possible
  2. Investigation - Use forensic details to understand scope
  3. Remediation - Remove malware, patch vulnerabilities
  4. Lessons learned - Update policies and procedures

Troubleshooting

This might be normal if no threats are present. To verify detection is working:
  1. Run test command:
     curl http://malicious.test.garnet.ai
  2. Check agent status in Agents tab
  3. Verify agent connectivity
  4. Review detection sensitivity settings

High false positive rate affecting productivity. Solutions:
  1. Create allowlist rules for legitimate activities
  2. Adjust detection sensitivity in agent settings
  3. Use environment-specific rules
  4. Review and tune detection policies regularly

Some events show limited information. Causes and fixes:
  1. Agent version - Update to latest Jibril version
  2. Permissions - Ensure agent has sufficient privileges
  3. Network issues - Check connectivity to Garnet platform
  4. Rate limiting - Reduce event volume if overwhelming

Events appear minutes after they occur. Troubleshooting:
  1. Check network latency to Garnet platform
  2. Verify agent system clock synchronization
  3. Review agent resource usage (CPU/memory)
  4. Check for network filtering or proxies

Next Steps