Viewing Events
Garnet, through its Jibril sensors, provides deep visibility into your systems by observing a wide range of activities. This raw telemetry is then analyzed to identify security Detections. Understanding the types of data collected and how detections are formed is key to interpreting Garnet's findings.
Raw Event Telemetry
Jibril sensors collect granular data about system behavior. While the Garnet Platform UI primarily surfaces actionable Detections, this rich telemetry is the foundation for those detections. Key categories of raw event data include:
Network Events: Detailed records of all inbound and outbound network connections.
Data Points: Source/destination IPs and ports, protocols (TCP, UDP, ICMP), and resolved domain names (from DNS lookups).
Security Relevance: Essential for identifying unauthorized connections, C2 communication, data exfiltration, connections to malicious IPs/domains, or anomalous network patterns.
File System Events: Comprehensive tracking of interactions with the file system.
Data Points: File reads, writes, creations, deletions, permission changes (e.g., chmod), ownership changes (e.g., chown), file open flags, and the specific processes and users performing these actions.
Security Relevance: Crucial for detecting malware persistence, unauthorized modification of critical system files or application code, attempts to access sensitive data, or tampering with logs.
Process Execution Events: Monitoring of all process lifecycle activities.
Data Points: Process creation (execve, fork), termination, command line arguments, user and group IDs, parent process IDs, and process ancestry (the chain of parent processes).
Security Relevance: Fundamental for tracing malware execution, identifying unauthorized software, detecting suspicious process chains (e.g., a web server spawning a shell), and understanding how an attack unfolds.
From Events to Detections
While raw events provide a complete picture, it's the Detections that highlight potential security concerns. A Detection is a specific event, or a pattern of correlated events, that Jibril's analysis engine flags as potentially malicious, anomalous, or policy-violating based on:
Threat Intelligence: Matching activity against known malicious indicators (e.g., C2 server IPs, malware file hashes, domain names associated with data exfiltration, and domains and file system activity associated with crypto mining).
Security Rules & Policies: Violations of predefined security policies (e.g., unauthorized software execution, attempts to disable security tools).
Forensic Data in Detections
When a detection is surfaced (typically on the Issues Page), Garnet provides rich forensic context derived from the underlying event telemetry. This often includes:
Precise Timestamps: When the event occurred.
Affected Asset Details: Which host, container, Kubernetes pod, or CI job was involved.
Detailed User and Process Context: Who or what was responsible for the activity.
Specific Artifacts: The exact file paths, network addresses, process names, and command lines involved.
Process Ancestry: A critical piece of forensic data showing the lineage of the process that triggered the detection, helping to trace the activity back to its origin.
Correlated Events: Links to other related events that might provide a broader picture of an attack or sequence of activities.
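The following Python script is an added illustration of the pipeline described in the three sections above: raw network, file system and process events are correlated into detections that carry the forensic context listed here (timestamp, affected asset, artifacts, process ancestry and correlated events). It is not Jibril's analysis engine, event schema or rule set; the field names, the threat-intelligence indicators (TEST-NET addresses, a ".test" domain, a repeated-byte hash) and the sample events are all constructed for the example. The two detection sources mirror the page's own: a threat-intelligence match on an IP, domain or file hash, and a policy rule for a web server spawning a shell, which is resolved by walking the parent-process chain.

```python
"""Toy correlation of raw event telemetry into detections with forensic context.

Added illustration only: not Jibril's engine, schema or rules. All field names,
indicator values and sample events below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed threat-intelligence indicators (placeholders, not real IoCs).
THREAT_INTEL = {
    "ips": {"198.51.100.23"},                 # TEST-NET-2 address standing in for a C2 server
    "domains": {"pool.example-miner.test"},   # placeholder crypto-mining pool domain
    "file_hashes": {"deadbeef" * 8},          # placeholder malware SHA-256
}

# Constructed policy rule: a web-server worker should never spawn an interactive shell.
WEB_SERVERS = {"nginx", "apache2", "httpd"}
SHELLS = {"sh", "bash", "dash", "zsh"}

# Constructed raw telemetry, one record per observed activity (process/network/file).
EVENTS = [
    {"id": 1, "type": "process", "ts": "2024-05-01T10:00:00Z", "asset": "web-01",
     "pid": 1200, "ppid": 1, "comm": "nginx", "uid": 33, "cmdline": "nginx: worker process"},
    {"id": 2, "type": "process", "ts": "2024-05-01T10:00:05Z", "asset": "web-01",
     "pid": 1300, "ppid": 1200, "comm": "sh", "uid": 33, "cmdline": "sh -c id"},
    {"id": 3, "type": "network", "ts": "2024-05-01T10:00:06Z", "asset": "web-01",
     "pid": 1300, "dst_ip": "198.51.100.23", "dst_port": 443, "proto": "TCP", "domain": None},
    {"id": 4, "type": "file", "ts": "2024-05-01T10:00:07Z", "asset": "web-01",
     "pid": 1300, "op": "write", "path": "/tmp/.x", "sha256": "deadbeef" * 8},
    {"id": 5, "type": "network", "ts": "2024-05-01T10:01:00Z", "asset": "web-01",
     "pid": 1200, "dst_ip": "203.0.113.9", "dst_port": 443, "proto": "TCP",
     "domain": "cdn.example.test"},
]


@dataclass
class Detection:
    """Forensic context attached to a flagged event."""
    rule: str
    event_id: int
    timestamp: str
    asset: str
    artifacts: Dict[str, object]
    process_ancestry: List[str]
    correlated_event_ids: List[int] = field(default_factory=list)


def index_processes(events: List[dict]) -> Dict[int, dict]:
    """Map pid -> process-creation event so ancestry can be walked."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def build_ancestry(pid: int, procs: Dict[int, dict]) -> List[str]:
    """Follow parent links from pid towards the root; guards against pid-reuse loops."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(f"{procs[pid]['comm']}({pid})")
        pid = procs[pid]["ppid"]
    return chain


def correlated(events: List[dict], pid: int, exclude_id: int) -> List[int]:
    """Other events performed by the same process, for the 'Correlated Events' field."""
    return [e["id"] for e in events if e.get("pid") == pid and e["id"] != exclude_id]


def detect(events: List[dict]) -> List[Detection]:
    """Apply the constructed threat-intel and policy checks to every raw event."""
    procs = index_processes(events)
    detections: List[Detection] = []
    for e in events:
        rule: Optional[str] = None
        artifacts: Dict[str, object] = {}
        if e["type"] == "network":
            if e["dst_ip"] in THREAT_INTEL["ips"] or e.get("domain") in THREAT_INTEL["domains"]:
                rule = "threat_intel.network_indicator"
                artifacts = {"dst": f"{e['dst_ip']}:{e['dst_port']}/{e['proto']}",
                             "domain": e.get("domain")}
        elif e["type"] == "file":
            if e.get("sha256") in THREAT_INTEL["file_hashes"]:
                rule = "threat_intel.file_hash"
                artifacts = {"path": e["path"], "op": e["op"], "sha256": e["sha256"]}
        elif e["type"] == "process":
            parent = procs.get(e["ppid"])
            if parent and parent["comm"] in WEB_SERVERS and e["comm"] in SHELLS:
                rule = "policy.webserver_spawned_shell"
                artifacts = {"cmdline": e["cmdline"], "uid": e["uid"], "parent": parent["comm"]}
        if rule is None:
            continue
        detections.append(Detection(
            rule=rule, event_id=e["id"], timestamp=e["ts"], asset=e["asset"],
            artifacts=artifacts,
            process_ancestry=build_ancestry(e["pid"], procs),
            correlated_event_ids=correlated(events, e["pid"], e["id"]),
        ))
    return detections


if __name__ == "__main__":
    for d in detect(EVENTS):
        print(d)
```

Running the script yields three detections on host web-01, all tracing back to the same shell spawned by the nginx worker: the policy violation itself, the connection to the listed IP, and the write of a file whose hash is on the list. The benign CDN connection by the worker (event 5) produces nothing, and each detection's correlated event ids point at the other two, which is the kind of linkage an analyst uses to read the sequence as one activity rather than three alerts.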
This detailed event and detection data empowers security teams to effectively investigate incidents, understand the scope of potential threats, and make informed response decisions. The Issues Page in the Garnet Platform is where you will primarily interact with and analyze these Detections.