Alchemies
Built-in Detection Recipes
Jibril implements most of its detection recipes as alchemies: declarative YAML files that describe the patterns an attack leaves behind. Each alchemy builds on one or more of Jibril's detection mechanisms to match those patterns at runtime.
How Alchemies Work
Alchemies are declarative YAML files that specify:
- Detection mechanisms: file_access, execution, network_peers, env_vars
- Detection breeds, each built on the mechanisms in parentheses: file_access (file_access, execution), remote_cidrs (network_peers), remote_domains (network_peers), env_vars (env_vars)
- Severity level
- Description
- Documentation
- MITRE ATT&CK mappings
Built-in Alchemies
Jibril ships with comprehensive built-in alchemies covering the full attack lifecycle, but not all are available as public YAML recipes. Some remain private for competitive advantage.
Enable Alchemies
To use the alchemies feature, add it to your configuration file:
```yaml
features:
  - alchemies
feature_options:
  alchemies:
    builtin:
      enabled: true
    private:
      enabled: false
      paths:
        - /etc/jibril/alchemies/private
    public:
      enabled: false
      paths:
        - /etc/jibril/alchemies/public
    tests:
      enabled: false
      paths:
        - /etc/jibril/alchemies/tests
```

Each path must be a valid path to a directory; directories are not scanned recursively.
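A pre-flight check for this configuration block, added here as an example and not part of Jibril itself: it mirrors the `feature_options.alchemies` layout shown above and enforces the documented rule that every path is an existing directory scanned non-recursively. The config is built inline as a Python dict (a constructed copy of the YAML above) rather than loaded with a YAML library, and the `list_recipes`/`check_alchemies` helpers are this example's own names.

```python
"""Validate the alchemies feature_options block before deploying it."""
import os

# Constructed to mirror the page's feature_options.alchemies block.
EXAMPLE_CONFIG = {
    "features": ["alchemies"],
    "feature_options": {
        "alchemies": {
            "builtin": {"enabled": True},
            "private": {"enabled": False, "paths": ["/etc/jibril/alchemies/private"]},
            "public": {"enabled": False, "paths": ["/etc/jibril/alchemies/public"]},
            "tests": {"enabled": False, "paths": ["/etc/jibril/alchemies/tests"]},
        }
    },
}


def list_recipes(path):
    """Return YAML files directly inside `path` (no recursion, matching the docs)."""
    return sorted(
        os.path.join(path, f)
        for f in os.listdir(path)
        if os.path.isfile(os.path.join(path, f)) and f.endswith((".yaml", ".yml"))
    )


def check_alchemies(config):
    """Return (problems, recipes_by_source) for the alchemies block.

    Only sources that are enabled and declare `paths` are checked; the
    `builtin` entry above declares none, so it is skipped.
    """
    problems, recipes = [], {}
    if "alchemies" not in config.get("features", []):
        problems.append("features list does not include 'alchemies'")
    sources = config.get("feature_options", {}).get("alchemies", {})
    for name, opts in sources.items():
        if not opts.get("enabled") or "paths" not in opts:
            continue
        for path in opts["paths"]:
            if not os.path.isdir(path):
                problems.append(f"{name}: {path} is not a directory")
                continue
            found = list_recipes(path)
            if not found:
                problems.append(f"{name}: {path} contains no YAML recipes")
            recipes.setdefault(name, []).extend(found)
    return problems, recipes
```

Run `check_alchemies(EXAMPLE_CONFIG)` after enabling a source to see which paths would be rejected and which recipe files would actually be picked up.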