© 2025 Garnet Labs Inc.
Understanding Alerts

Last updated 17 days ago

Alerts are the primary way the Garnet Platform proactively notifies you of important security Detections identified by the Jibril sensors. Effectively understanding and managing these alerts is key to a swift and effective security response.

Here's what you need to know about alerts in the Garnet Platform:

  • Source of Alerts: Alerts are generated based on Detection Events. When Jibril identifies an activity or pattern that matches its threat intelligence or configured policies (e.g., detecting a crypto miner, a connection to a known C2 server, or unauthorized file access), it creates a detection event. If this detection meets the criteria set in your notification configurations, an alert is triggered.

  • Notification Channels: Alerts are delivered through the channels you configured (see Configure Notifications). This could be:

    • Slack messages

    • Comments on GitHub Pull Requests (for CI/CD pipeline detections)

    • Webhook payloads to your SIEM, SOAR platform, or other custom tools

  • Alert Content: A typical alert from the Garnet Platform will include crucial information to help you quickly assess the situation:

    • Detection Name: What was detected (e.g., "Potential Crypto Mining Activity").

    • Severity: The assessed risk level (e.g., Critical, High, Medium, Low).

    • Timestamp: When the detection occurred.

    • Affected Asset/Environment: Which host, container, Kubernetes pod, project, or CI job is involved.

    • Key Contextual Details: A summary of why the event was flagged, such as the specific process name, network IP address, or filename involved.

    • Link to the Issues Page: A direct link back to the specific detection on the Issues Page within the Garnet Platform dashboard for full details and deeper investigation.

  • Noise Reduction & Alert Fidelity:

    • Garnet aims to provide high-fidelity alerts. The platform employs techniques to reduce alert fatigue, such as:

      • Aggregation: Grouping multiple similar, repetitive events from the same source into a single significant notification or updating an existing issue.

      • Correlation: Linking related events to provide a more comprehensive picture rather than isolated, noisy alerts.

      • Risk-Based Prioritization: Focusing alerts on higher-impact detections based on severity and confidence.

    • This helps security teams focus on the most critical events rather than being overwhelmed by low-value notifications.
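As an added illustration, not Garnet's own code, here is the aggregation and risk-based prioritization described above applied to a few constructed detection events carrying the alert fields listed earlier. The field names, the ten-minute window and the numeric severity weights are assumptions; the page defines none of them.

```python
from datetime import datetime, timedelta

# Assumed ranking for risk-based prioritization; the page lists the levels
# but gives no numeric weights.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed sample detection events using the alert fields the page lists.
# Field names are assumptions, not Garnet's actual schema.
SAMPLE_EVENTS = [
    {"name": "Potential Crypto Mining Activity", "severity": "Critical",
     "ts": "2025-01-10T12:00:00", "asset": "ci-job-1234", "detail": "process example-miner"},
    {"name": "Potential Crypto Mining Activity", "severity": "Critical",
     "ts": "2025-01-10T12:00:30", "asset": "ci-job-1234", "detail": "process example-miner"},
    {"name": "Potential Crypto Mining Activity", "severity": "Critical",
     "ts": "2025-01-10T12:01:10", "asset": "ci-job-1234", "detail": "process example-miner"},
    {"name": "Unauthorized File Access", "severity": "Medium",
     "ts": "2025-01-10T12:02:00", "asset": "pod/web-7f9", "detail": "/etc/shadow"},
    # Same detection on the same asset but far outside the window: a new group.
    {"name": "Unauthorized File Access", "severity": "Medium",
     "ts": "2025-01-10T13:30:00", "asset": "pod/web-7f9", "detail": "/etc/shadow"},
]

def aggregate(events, window=timedelta(minutes=10), min_severity="Low"):
    """Merge repeated (detection, asset) events inside a time window into one
    notification each, drop anything below min_severity, order by risk."""
    groups, open_groups = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        if SEVERITY_RANK[e["severity"]] < SEVERITY_RANK[min_severity]:
            continue
        ts = datetime.fromisoformat(e["ts"])
        key = (e["name"], e["asset"])
        g = open_groups.get(key)
        if g is not None and ts - g["last"] <= window:
            g["count"] += 1          # aggregation: update the existing group
            g["last"] = ts
            continue
        g = {"name": e["name"], "severity": e["severity"], "asset": e["asset"],
             "detail": e["detail"], "first": ts, "last": ts, "count": 1}
        open_groups[key] = g
        groups.append(g)
    # Prioritization: highest severity first, then the noisiest source
    groups.sort(key=lambda g: (-SEVERITY_RANK[g["severity"]], -g["count"]))
    return groups

def render(group):
    """One notification line per aggregated group, leading with what triage needs."""
    span = ""
    if group["count"] > 1:
        span = f" ({group['count']}x, {group['first']:%H:%M}-{group['last']:%H:%M})"
    return f"[{group['severity']}] {group['name']} on {group['asset']}: {group['detail']}{span}"
```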

  • Alert Triage and Investigation Workflow: When an alert is received, a typical workflow involves:

    1. Review Alert Notification: Quickly assess the severity, type of detection, and affected asset from the alert message itself.

    2. Navigate to the Issues Page: Use the link provided in the alert to go directly to the relevant detection on the Issues Page in the Garnet Platform.

    3. Investigate the Issue: On the Issues Page, analyze the full context, including process chain, network details, file information, and any other forensic data provided (as detailed in The Issues Page and Understanding Garnet Events and Detections).

    4. Assess Impact & Validate: Determine if the activity is a true positive (malicious or policy-violating) or a false positive (benign activity misidentified).

    5. Contain & Remediate: Take appropriate action. This might include isolating the host, terminating a process, blocking an IP (if not already done by Garnet's automated blocking, which can be confirmed by a "Blocked" status on the Issues page), patching a vulnerability, or updating security policies.

    6. Tune Detections: If an alert is consistently firing for legitimate activity:

      • Adjust detection policies or rules within the Garnet Platform (if customizable for that detection).

      • Create an exception or suppression rule if the platform supports it.

      • Provide feedback to Garnet support if you believe a core detection rule needs refinement for your environment.

    7. Document: Record the findings and actions taken.

  • Platform-Specific Alert Management Features:

    • While the primary interaction with detections is on the Issues Page, the overall alert configuration (channels, severity for notifications) is managed in the Settings.

By understanding the nature of alerts and establishing a clear process for triage that leverages the Issues Page, you can maximize the effectiveness of the Garnet Platform in protecting your environments.
