Overview
Automated Response System
The Reactions feature is Jibril's powerful automation system that enables immediate, programmable responses to security detection events. When a security event is detected, reactions can automatically execute custom code to respond, remediate, or gather additional intelligence.
Reactions transform Jibril from a passive monitoring tool into an active security defense system. Instead of merely alerting on suspicious activities, reactions can take immediate action:
- Block malicious network traffic in real-time
- Terminate suspicious processes before they cause harm
- Collect forensic evidence automatically
- Isolate compromised systems from the network
- Trigger emergency procedures during critical incidents
How Reactions Work
When Jibril detects a security event through its monitoring mechanisms (file access, process execution, network activity, etc.), the following workflow occurs:
- A Security Threat is Detected: an event from the OS matches a configured detection recipe
- Event Detection: the security event is reported by all configured and enabled printers
- Reaction Trigger: all reactions associated with that recipe are triggered in parallel
- Context Injection: the complete event context (process ancestry, network flows, file details, etc.) is made available to the reaction
- Code Execution: the reaction code executes in an isolated environment with access to the helper functions
- Response Actions: the reaction can block IPs, kill processes, log additional information, and so on
Supported Formats
JavaScript (Recommended)
- Runtime: Google V8 JavaScript engine with isolated contexts
- Performance: Fast compilation and execution
- Features: Rich set of built-in helper functions
- Isolation: Each reaction runs in its own secure context
- Data Access: Full access to event data through JSON objects
Shell Scripts
- Runtime: Standard /bin/sh shell execution
- Flexibility: Full system access with shell commands
- Environment: Event data provided as JSON via the REACTION_DATA environment variable
- Security: Executed in temporary directories with restricted permissions
Key Capabilities
Logging & Monitoring
Info("Detected suspicious file access");
Warn("High risk network connection identified");
Error("Critical security violation detected");
Network Policy Enforcement
// Block malicious IPs automatically
NetBlockIp("192.168.1.100");
// Block domains associated with threats
NetBlockDomain("malicious-site.com");
// Block all remote IPs from the current event
NetBlockIp(); // Uses event context
Process Management
// Terminate the offending process
KillCurrent();
// Stop the parent process if compromised
KillParent();
// Kill specific process by PID
KillProcess(1234);
File System Operations
// Read configuration files
let config = ReadFile("/etc/app/config.json");
// Write forensic evidence
WriteFile("/var/log/security/incident.log", evidenceData);
// Get file metadata
let fileInfo = Stat("/suspicious/file");
Persistent Data Storage
// Store incident data across reactions
DataSet("incident_count", "5");
DataPush("blocked_ips", "192.168.1.100");
// Retrieve historical data
let count = DataGet("incident_count");
let storedKeys = DataKeys(); // List every key currently in the persistent store
Emergency Actions
// System shutdown in critical situations
PowerOff();
// Trigger kernel panic for immediate halt
Panic();
Event Context
Every reaction receives comprehensive context about the security event that triggered it.
Global Variables
- kind: The type of detection event (e.g., "file_access", "execution")
- name: The name of the detection recipe that triggered
- uuid: Unique identifier for this specific event
- data: Complete JSON object containing all event details
Event Data Structure
{
  "uuid": "event-unique-identifier",
  "timestamp": "2025-07-23T10:30:00Z",
  "metadata": {
    "kind": "file_access",
    "name": "suspicious_file_access",
    "importance": "high",
    "tactic": "name_of_tactic",
    "technique": "name_of_technique",
    "subtechnique": "name_of_sub_technique"
  },
  "base": {
    "background": {
      "ancestry": [...], // Process chain
      "flows": {...} // Network connections
    }
  },
  "file": {
    "file": "/etc/passwd",
    "actions": ["read", "write"],
    "basename": "passwd"
  }
}
Integration with Detection Recipes
Reactions are defined within detection recipes using YAML configuration (Alchemies):
- kind: malicious_file_access
  name: detect_passwd_tampering
  # ... detection criteria ...
  reactions:
    - format: js
      code: |
        function process(data) {
          Info("Password file accessed by: " + data.process.cmd);
          // Terminate the offending process (KillCurrent returns 0 on success)
          let result = KillCurrent();
          if (result === 0) {
            Info("Malicious process terminated");
          }
          // Record the time of the last access in the persistent store
          DataSet("last_passwd_access", new Date().toISOString());
        }
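A stateful reaction that combines the persistent store (DataGet/DataSet/DataPush/DataKeys, described under Persistent Data Storage) with the event context shown above, as an added example that is not Jibril's own code. The reaction body is what would go under code: | in a recipe; it is named processEvent here (in a recipe it is the process(data) entry point from the example above) so that it does not shadow Node's process global when run outside Jibril. The helper globals Info, Warn, KillCurrent and the Data* functions are supplied by Jibril's V8 context at runtime; makeHarness and runReactions below are an in-memory stand-in for them, assumed so the logic can be exercised offline with Node.js. The kill threshold, the counter key names, DataGet returning an empty value for an unset key, and KillCurrent returning 0 on success (as in the recipe example) are assumptions.

```javascript
// Added example (not Jibril's code): escalate on repeated writes to a watched
// file, using Jibril's persistent store so state survives across invocations.

// Assumed policy: terminate the process on the third recorded write.
const KILL_THRESHOLD = 3;

// Reaction body. In a recipe this is the `process(data)` entry point; it is
// renamed here only to avoid shadowing Node's `process` global offline.
function processEvent(data) {
  const file = data.file && data.file.file;
  const actions = (data.file && data.file.actions) || [];
  const cmd = (data.process && data.process.cmd) || "<unknown cmd>";
  const recipe = (data.metadata && data.metadata.name) || "<unknown recipe>";

  if (!file) {
    Warn(recipe + ": event carries no file context, nothing to do");
    return "skipped";
  }

  // Reads are only logged; they never count towards termination.
  if (!actions.includes("write")) {
    Info(recipe + ": " + cmd + " read " + file + " (" + actions.join(",") + ")");
    return "logged";
  }

  // Per-file write counter in the persistent store (assumed key layout).
  // DataGet of an unset key is assumed to return an empty value.
  const key = "write_count:" + file;
  const count = parseInt(DataGet(key) || "0", 10) + 1;
  DataSet(key, String(count));

  if (count < KILL_THRESHOLD) {
    Warn(recipe + ": " + cmd + " wrote " + file + ", offense " + count + "/" + KILL_THRESHOLD);
    return "warned";
  }

  // Threshold reached: terminate the offending process (0 = success, assumed).
  const result = KillCurrent();
  if (result !== 0) {
    Warn(recipe + ": KillCurrent failed with code " + result + " for " + cmd);
    return "kill_failed";
  }
  Warn(recipe + ": terminated " + cmd + " after " + count + " writes to " + file);
  DataPush("terminated_cmds", cmd); // keep a list of what was killed
  DataSet(key, "0");                // a fresh process starts from zero again
  return "killed";
}

// --- Offline harness: assumed stand-in for Jibril's helper globals ---------

function makeHarness(killResult) {
  const store = new Map();                 // persistent store emulation
  const state = { logs: [], kills: 0 };    // what the reaction did
  const globals = {
    Info: (msg) => state.logs.push("INFO " + msg),
    Warn: (msg) => state.logs.push("WARN " + msg),
    KillCurrent: () => { state.kills += 1; return killResult; },
    DataSet: (k, v) => { store.set(k, v); },
    DataGet: (k) => store.get(k),
    DataPush: (k, v) => { const list = store.get(k) || []; list.push(v); store.set(k, list); },
    DataKeys: () => Array.from(store.keys()),
  };
  return { globals, state, store };
}

// Run a sequence of events through the reaction with one shared store, as
// Jibril would across successive detections of the same recipe.
function runReactions(events, killResult = 0) {
  const h = makeHarness(killResult);
  Object.assign(globalThis, h.globals);
  const outcomes = events.map((ev) => processEvent(ev));
  return { outcomes, logs: h.state.logs, kills: h.state.kills, store: h.store };
}

// Constructed sample event following the event data structure above.
function sampleEvent(actions, cmd) {
  return {
    uuid: "constructed-event",
    timestamp: "2025-07-23T10:30:00Z",
    metadata: { kind: "file_access", name: "detect_passwd_tampering", importance: "high" },
    file: { file: "/etc/passwd", actions: actions, basename: "passwd" },
    process: { cmd: cmd },
  };
}

// Stand-alone demo: one read, then three writes from the same command.
if (typeof require !== "undefined" && require.main === module) {
  const r = runReactions([
    sampleEvent(["read"], "/usr/bin/cat"),
    sampleEvent(["read", "write"], "/usr/bin/vi"),
    sampleEvent(["write"], "/usr/bin/vi"),
    sampleEvent(["write"], "/usr/bin/vi"),
  ]);
  console.log(r.outcomes.join(" -> "), "| kills:", r.kills);
  r.logs.forEach((line) => console.log(line));
}
```

The counter is reset only after a successful kill; if KillCurrent reports failure the count is left in place so the next write escalates again rather than silently restarting the window.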