
© 2025 Garnet Labs Inc.


The Issues Page

Last updated 17 days ago

The Security Issues page (referred to as the "Issues page") is the primary place in the Garnet Platform for viewing, investigating, and managing security detections from all your deployed Jibril sensors. It provides a unified, actionable overview of potential threats and policy violations across your monitored environments.

To access it, click "Issues" in the main navigation menu of the Garnet Platform dashboard (see Dashboard Overview for navigation context).

Below is an example of the Security Issues page, showing a "Crypto Miner files access" issue that has been automatically Blocked:

[Image: Security Issues Page Example]

Key Features and Functionality

The page is titled "Security Issues" with the subtitle "View and manage security issues detected in your workloads."

  • Controls Bar:

    • Search Issues: A search bar with the placeholder "Search issues..." allows you to quickly find specific issues by name or keywords.

    • Quick Filters: Buttons such as "Critical" filter the list to high-priority issues with one click.

    • Filters Button: A general "Filters" button opens more detailed filtering options (see below).

    • Refresh Button: Manually refresh the list of issues.

    • Live Indicator: Shows if the view is live-updating and the "Last updated" timestamp.

  • Active Issues List: This section displays issues that require review and action.

    • Columns: Issues are displayed in a table with sortable columns:

      • Priority: The severity of the issue (e.g., Critical).

      • Issue: The name or type of detection (e.g., "Crypto Miner files access") and a brief description. It may also indicate if multiple events are grouped under one issue (e.g., "+1 more", "# X events").

      • Status: The current status, including whether the action was Blocked or allowed.

      • Source: The identifier of the Jibril agent or host where the issue was detected (e.g., "Pkrvmberfyhpb9w").

      • Last Updated: Timestamp of the most recent activity or update for the issue.

    • Expandable Issues: Issues that group multiple events can often be expanded (using a dropdown arrow) to show individual event instances with their specific timestamps and unique identifiers. Each individual event may have a "View details" link for deeper forensic information.

    • Manage all events: A link attached to an issue group for viewing all of its related underlying events.

  • Filtering Capabilities (accessed via "Filters" button and quick filters):

    • Priority/Severity: Filter by the assessed severity (e.g., Critical, High, Medium, Low).

    • Status: Filter by the operational status, especially useful for distinguishing between Blocked threats and those that were only detected/allowed.

  • Pagination: Controls at the bottom allow you to navigate through pages of issues and select the number of "Items per page."

  • Detailed Issue Information (when clicking "View details" on an event):

    • Source of the Issue (Process Chain): Understand the context of how the detected activity originated, often including the process ancestry.

    • Issue-Specific Details: Information directly related to the type of detection, such as network information, file information, process details, and other Jibril event data providing rich forensic value.

Workflow

Typically, you would:

  1. Use the search bar, "Critical" button, or "Filters" button to identify high-priority or new issues.

  2. Review the summarized issues, noting their Priority, Status (especially Blocked), and Source.

  3. Expand grouped issues or click "View details" on individual events to analyze the process chain and event-specific information.

  4. Determine if it's a true positive, false positive, or requires further tuning.

  5. Take appropriate remediation or follow-up actions based on your findings.

By leveraging the capabilities of the Security Issues page, you can effectively manage your security posture, respond to threats, and gain deeper insights into the activities occurring within your secured environments.

Navigate to the Security Issues page regularly or when an alert is received (see Understanding Alerts).
