Persisters

Persisters store events in-process so that other components can query historical events (for example, to build aggregated outputs such as profile events).

Where persisters run

Persisters run inside the dispatcher pipeline:

  • Detection events: transform → persist → (optional filter) → print
  • Flow events: persist → print
  • Profile events: print only (not persisted)

Default persister: in-memory LRU cache

Jibril ships with an in-memory LRU persister (lrucache) that:

  • Stores a bounded number of recent events.
  • Indexes events by metadata (kind/name/format/tactic/technique/subtechnique), score components (severity/confidence/risk_score), OS items, and network items.
  • Provides typed accessors for common event kinds (file-access, execution, network flow/peer, dropip).

Lifecycle

Events are destroyed after printing. In-memory persisters clone events before persisting them.
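
The bounded storage, indexing by kind, and clone-before-persist behaviour described above, shown as an added example (this is not Jibril's own code). `Event`, `Store` and their methods are hypothetical names; eviction here is oldest-first with no promotion on read, and only the kind index is modelled.

```go
package main

import "container/list"

// Event is a hypothetical, simplified event; Jibril's real types are not shown on the page.
type Event struct {
	Kind string
	Args map[string]string
}
// Clone deep-copies the event (map included) so the stored copy is independent.
func (e *Event) Clone() *Event {
	c := &Event{Kind: e.Kind, Args: map[string]string{}}
	for k, v := range e.Args {
		c.Args[k] = v
	}
	return c
}

// Store is a bounded event store with a secondary index by kind (hypothetical names).
type Store struct {
	limit  int
	order  *list.List // front = newest, back = oldest
	byKind map[string]map[*list.Element]bool
}
func NewStore(limit int) *Store {
	return &Store{limit, list.New(), map[string]map[*list.Element]bool{}}
}

// Persist stores a clone, then evicts the oldest entry and its index entry if over the limit.
func (s *Store) Persist(e *Event) {
	el := s.order.PushFront(e.Clone())
	if s.byKind[e.Kind] == nil {
		s.byKind[e.Kind] = map[*list.Element]bool{}
	}
	s.byKind[e.Kind][el] = true
	if s.order.Len() > s.limit {
		old := s.order.Back()
		delete(s.byKind[old.Value.(*Event).Kind], old)
		s.order.Remove(old)
	}
}
// ByKind returns the stored events of one kind, in no particular order.
func (s *Store) ByKind(kind string) (out []*Event) {
	for el := range s.byKind[kind] {
		out = append(out, el.Value.(*Event))
	}
	return out
}
func main() { NewStore(1).Persist(&Event{Kind: "execution"}) }
```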

Configuration

Enable the feature and the in-memory backend:

```yaml
features:
  - persisters

feature_options:
  persisters:
    inmemory: true
```

Notes

  • Persisters are disabled by default.
  • Profile event generation relies on persisted events.