Jibril (jibril.garnet.ai) is a free runtime monitoring and threat detection tool for Linux, designed for development, CI/CD, and production environments. It captures system activity - processes, files, network connections, users - with high precision and low overhead, processing hundreds of thousands of events per second. Installation takes under 5 minutes, and it integrates with GitHub Actions for CI/CD or Kubernetes for cluster monitoring.

Introduction

Jibril delivers real-time visibility into system behavior, detecting threats like unauthorized executions, file tampering, or network anomalies. Its modular design, driven by a centralized configuration file, balances flexibility and performance, scaling from single systems to enterprise deployments. It provides comprehensive telemetry with tamper-evident logs, ensuring reliable security insights.

Features

• Attenuator: Filters security events using AI LLM models in order to reduce noise. Analyzes events for context, like process ancestry or executable paths, and deduplicates repetitive alerts. Useful for prioritizing alerts in automated pipelines.
• Alchemies: Custom detection rules framework. Users can create "detection recipes" to define specific monitoring conditions, e.g., file access patterns or network activity. Includes built-in recipes and supports enabling/disabling rules on-demand for tailored security.
• Cache Configurations: Manages memory for event storage. Users set cache sizes via config files to handle large event volumes, preventing performance degradation in high-load environments.
• Cadence Configurations: Controls timing of operations, like event polling or cache updates. Adjusts frequency to balance responsiveness and resource usage, ensuring efficient monitoring in real-time.
• Network Policies: Enables blocking of network connections based on domains or IP CIDRs. Provides a complete view of remote peers per process, linking detections to corresponding peers with full DNS resolution paths. Groups all processes communicating with the same remote node and flags detections for each entry.
• High Event Load Handling: Processes hundreds of thousands of events per second with minimal performance impact, leveraging eBPF’s efficiency and a so called 3rd-generation EDR architecture.

More information

https://jibril.garnet.ai/jibril/installation/requirements

https://jibril.garnet.ai/jibril/installation/systemd-service

https://jibril.garnet.ai/jibril/installation/command-line

https://jibril.garnet.ai/jibril/installation/docker-container

https://jibril.garnet.ai/jibril/installation/kubernetes