# Cadence

Control how frequently Jibril evaluates behavioral patterns for security threats. Cadences are the "heartbeat" of your security monitoring - balancing detection responsiveness with system resource usage.

> **Note:** Cadence configuration has a direct relationship with cache configuration: shorter check intervals allow for smaller caches (since data is processed more frequently), while longer intervals require larger caches to retain context between checks.
## What is Cadence?

Cadence = the interval (in seconds) between pattern evaluation cycles.

### Continuous Collection

Jibril always collects behavioral data through eBPF as soon as it happens; nothing is missed.

### Periodic Evaluation

Pattern analysis happens at cadence intervals; this is what you configure. Policies are applied synchronously, regardless of the cadence interval.
## How It Works

Timeline example (9-second cadence):

```text
0s -------- 9s -------- 18s -------- 27s -------- 36s
|           |           |            |            |
Collect     Eval #1     Eval #2      Eval #3      Eval #4
```

- Data collection: Data is collected via eBPF with no overhead. Nothing is missed.
- Pattern evaluation: Every 9 seconds in this example, but you can configure it to your needs.
- Detection events: Detection events are generated when patterns match during evaluation.
- Policies: Network policies are applied synchronously, regardless of the cadence interval.
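The timeline above can be turned into a small model that shows what a cadence means for alert latency. This is an added example, not Jibril's own code; it assumes (the page does not say) that evaluations run at t = 0, C, 2C, ... seconds after start and that an event collected at time t is examined by the first evaluation at or after t. The sample event times are constructed.

```python
"""Added example (not Jibril's own code): a small model of the cadence timeline,
showing how continuously collected events are picked up by periodic evaluations
and what detection latency a given cadence implies.

Assumption not stated on the page: evaluations run at t = 0, C, 2C, ... seconds
after start, and an event collected at time t is examined by the first
evaluation at or after t.
"""
import math


def evaluation_ticks(cadence_s: int, horizon_s: int) -> list:
    """Evaluation times (seconds) within [0, horizon_s] for the given cadence."""
    if cadence_s <= 0:
        raise ValueError("cadence must be a positive number of seconds")
    return list(range(0, horizon_s + 1, cadence_s))


def evals_per_minute(cadence_s: int) -> float:
    """Evaluation cycles per minute (the Eval/Min column of the performance table)."""
    return 60 / cadence_s


def detection_time(event_s: float, cadence_s: int) -> int:
    """Time of the first evaluation at or after the event was collected."""
    if cadence_s <= 0:
        raise ValueError("cadence must be a positive number of seconds")
    return math.ceil(event_s / cadence_s) * cadence_s


def latency_stats(events_s, cadence_s: int) -> dict:
    """Alert latency (detection time minus collection time) over a batch of events.

    The worst case is bounded by the cadence itself: an event collected just
    after an evaluation waits almost a full interval for the next one.
    """
    latencies = [detection_time(e, cadence_s) - e for e in events_s]
    return {
        "max": max(latencies),
        "mean": sum(latencies) / len(latencies),
        "bound": cadence_s,
    }


# Constructed sample: seconds after start at which eBPF collected a behavioral event.
SAMPLE_EVENTS = [1.0, 4.5, 9.0, 12.2, 17.9, 20.0, 26.3]

if __name__ == "__main__":
    print("ticks for a 9s cadence over 36s:", evaluation_ticks(9, 36))
    for cadence in (3, 9, 30):
        stats = latency_stats(SAMPLE_EVENTS, cadence)
        print(f"cadence {cadence:>2}s: {evals_per_minute(cadence):>5.1f} eval/min, "
              f"mean latency {stats['mean']:.1f}s, max {stats['max']:.1f}s "
              f"(bound {stats['bound']}s)")
```

Run it directly to see the three cadences side by side; the mean latency lands near half the cadence and the maximum never exceeds it, which is the trade-off the rest of this page is about.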
## Cadence Types

Each detection mechanism has its own cadence configuration, so you can tune each one separately. The available cadence types are described below.

### file-access

File system pattern evaluation

- File creation/modification patterns
- Suspicious access sequences
- Unauthorized access attempts
- Permission changes

### network-peers

Network endpoint pattern evaluation

- Suspicious domain connections
- Threat actor communications
- Unusual peer patterns
- DNS resolution anomalies

### network-flows

Network flow pattern evaluation

- Abnormal traffic volumes
- Unusual protocol usage
- Data exfiltration patterns
- C2 communications

### env-vars

Environment variable pattern evaluation

- Dynamic linker manipulation
- LD_PRELOAD/LD_LIBRARY_PATH modifications
- Environment variable injections
- Process tampering
> **Important:** The built-in network-peers detection recipes include a long list of domains to monitor. This means that on each evaluation, Jibril checks against millions of domains. Despite optimization efforts, this can still be a bottleneck on high-traffic systems; consider a higher cadence interval for this mechanism if resource consumption becomes an issue.
## Configuration

```yaml
cadences:
  file-access: 3    # Seconds between file pattern evaluations
  network-peers: 3  # Seconds between peer pattern evaluations
  network-flows: 3  # Seconds between flow pattern evaluations
  env-vars: 3       # Seconds between env var evaluations
```

- Lower values = more frequent checks = higher CPU usage
- Higher values = less frequent checks = lower CPU usage
- Default: 3 seconds (balanced performance)
## Performance Impact
| Interval | CPU Impact | Eval/Min | Use Case |
|---|---|---|---|
| 3s | High | 20 | Real-time environments |
| 6s | Moderate | 10 | High-security environments |
| 9s | Moderate | ~6 | Balanced for most use cases |
| 15s | Low | 4 | High-traffic environments |
| 30s | Low | 2 | Resource-constrained environments |
| 45s | Very Low | ~1 | Resource-constrained environments |
| 60s | Very Low | ~1 | Minimal overhead needed |
> **Performance note:** Jibril's detection engine is designed to be resource-efficient and performant. While much of its logic could be parallelized, it is intentionally serialized to ensure that no more than a single CPU core is utilized at any given time, even on high-traffic systems.
## Configuration Profiles

### Default (Balanced)

```yaml
cadences:
  env-vars: 6
  file-access: 6
  network-peers: 6
  network-flows: 9
```

Best for: Most production environments

- Balanced detection speed and resource usage
- The default configuration for most use cases
### Resource-Conscious

```yaml
cadences:
  file-access: 15
  network-peers: 15
  network-flows: 15
  env-vars: 15
```

Best for: Resource-constrained environments

- Minimal CPU impact and still good detection speed
- ~4 evaluations per minute per cadence
- Most detection recipes should not need lower cadences
### Mixed Priority

```yaml
cadences:
  env-vars: 15
  file-access: 3
  network-peers: 15
  network-flows: 60
```

Best for: Specific threat models

- Prioritize important detection categories
- Balance resources across different patterns
- Customize based on your risk profile
## Important Concepts

### Cadences DO Affect

- Detection speed - How quickly threats are identified
- CPU usage - Lower intervals = higher CPU
- System responsiveness - Resource competition
- Alert latency - Time between behavior and detection
- Reaction time - Time between detection and a programmed action

### Cadences DON'T Affect

- Policy application - Policies are applied synchronously, regardless of the cadence interval
- Detection accuracy - Pattern matching precision is not affected
- Data collection - eBPF always monitors continuously, nothing is missed
- Event loss - No events are lost; detection events are still generated, just at a different rate
- Detection types - The same threats are detected regardless of the cadence interval
## Best Practices

### Recommended

- Start with the default 9-second intervals
- Monitor system impact before adjusting
- Enable detections and adjust cadences accordingly
- Budget resources for peak 5-minute load variations
- Document changes and rationale
- Test in staging first

### Avoid

- Setting all intervals to 1 second
- Changing multiple cadences simultaneously
- Ignoring CPU usage warnings
- Using different values without reason
- Forgetting about peak load times
- Not testing after changes
## Advanced Techniques

### Staggered Cadences

Distribute CPU load by using different intervals:

```yaml
cadences:
  file-access: 6
  network-peers: 9
  network-flows: 15
  env-vars: 30
```

Prevents all evaluations from running simultaneously.
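Whether a set of cadences really spreads the work can be checked before deploying it. The following is an added example, not Jibril's own code; it assumes (the page does not say) that every mechanism's evaluations start at t = 0 and repeat every `cadence` seconds, so mechanisms coincide at common multiples of their cadences. It also shows the caveat of staggering: with 6/9/15/30 all four still line up every 90 seconds, but most evaluation seconds carry a single mechanism instead of all four.

```python
"""Added example (not Jibril's own code): measure how much a set of cadences
spreads evaluation work over time, and when staggered schedules still line up.

Assumption not stated on the page: each mechanism's evaluations start at t = 0
and repeat every `cadence` seconds, so two mechanisms coincide at common
multiples of their cadences.
"""
from collections import Counter
from math import lcm


def concurrency_profile(cadences: dict, horizon_s: int) -> Counter:
    """Map 'mechanisms evaluating in the same second' -> number of seconds it happened.

    Only seconds in which at least one evaluation runs are counted.
    """
    per_second = Counter()
    for name, cadence in cadences.items():
        if cadence <= 0:
            raise ValueError(f"{name}: cadence must be a positive number of seconds")
        for t in range(0, horizon_s, cadence):
            per_second[t] += 1
    return Counter(per_second.values())


def peak_concurrency(cadences: dict, horizon_s: int) -> int:
    """Largest number of mechanisms that evaluate within the same second."""
    profile = concurrency_profile(cadences, horizon_s)
    return max(profile) if profile else 0


def busy_seconds(cadences: dict, horizon_s: int) -> int:
    """Distinct seconds in which any evaluation runs (higher = work is spread out more)."""
    return sum(concurrency_profile(cadences, horizon_s).values())


def full_overlap_period(cadences: dict) -> int:
    """Seconds after which every mechanism evaluates in the same second again."""
    return lcm(*cadences.values())


# The staggered profile from this page, and a uniform one for comparison.
STAGGERED = {"file-access": 6, "network-peers": 9, "network-flows": 15, "env-vars": 30}
UNIFORM = {name: 15 for name in STAGGERED}

if __name__ == "__main__":
    horizon = full_overlap_period(STAGGERED)  # one full cycle of the staggered set
    for label, cad in (("staggered", STAGGERED), ("uniform 15s", UNIFORM)):
        print(f"{label}: peak {peak_concurrency(cad, horizon)} concurrent, "
              f"{busy_seconds(cad, horizon)} busy seconds per {horizon}s, "
              f"profile {dict(concurrency_profile(cad, horizon))}")
```

Over one 90-second cycle the staggered set evaluates in 22 distinct seconds, 14 of them with a single mechanism, while the uniform 15-second set packs all four mechanisms into the same 6 seconds. If the full-overlap second matters on your hardware, pick cadences whose least common multiple is large relative to your load peaks.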
### Time-Based Adjustment

Use external schedulers to change cadences based on time:

- Business hours: Shorter intervals
- Off-hours: Longer intervals

> **Note:** Requires external configuration management.
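One way to do the external switching is a small script run by cron or a systemd timer. This is an added example, not Jibril's own tooling: `CONFIG_PATH` is a placeholder (the page does not give the file Jibril reads its `cadences:` block from), the 08:00 to 18:00 window is an arbitrary definition of business hours, and the mechanism that makes Jibril reread the file (restart or reload) is left to the operator. The two profiles are the Default and Resource-Conscious ones from this page.

```python
"""Added example (not Jibril's own code): select a cadence profile by wall-clock
hour and rewrite the `cadences:` section of a config file atomically.

Assumptions not stated on the page: CONFIG_PATH is a placeholder, the business
hours window is arbitrary, and reloading Jibril is handled elsewhere.
"""
import os
import tempfile
from datetime import datetime

CONFIG_PATH = "/path/to/jibril-cadences.yaml"  # placeholder, not a documented Jibril path
BUSINESS_HOURS = (8, 18)  # assumed window: 08:00 inclusive to 18:00 exclusive

# Business hours: the page's default (balanced) profile.
BUSINESS_PROFILE = {"env-vars": 6, "file-access": 6, "network-peers": 6, "network-flows": 9}
# Off-hours: the page's resource-conscious profile.
OFFHOURS_PROFILE = {"file-access": 15, "network-peers": 15, "network-flows": 15, "env-vars": 15}


def in_window(hour: int, window=BUSINESS_HOURS) -> bool:
    """True if `hour` falls in [start, end); a window such as (22, 6) wraps past midnight."""
    start, end = window
    if not 0 <= hour < 24:
        raise ValueError("hour must be 0..23")
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


def choose_profile(hour: int, window=BUSINESS_HOURS) -> dict:
    return BUSINESS_PROFILE if in_window(hour, window) else OFFHOURS_PROFILE


def render_cadences(profile: dict) -> str:
    """Render a `cadences:` YAML block, refusing values that are not positive integers."""
    lines = ["cadences:"]
    for name, seconds in profile.items():
        if isinstance(seconds, bool) or not isinstance(seconds, int) or seconds <= 0:
            raise ValueError(f"{name}: cadence must be a positive integer number of seconds")
        lines.append(f"  {name}: {seconds}")
    return "\n".join(lines) + "\n"


def write_atomically(path: str, text: str) -> None:
    """Write via a temp file plus rename so a reader never sees a half-written config."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".cadences.", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def apply_for_hour(hour: int, path: str = CONFIG_PATH) -> str:
    """Write the profile for `hour` to `path` and return the YAML that was written."""
    text = render_cadences(choose_profile(hour))
    write_atomically(path, text)
    return text


if __name__ == "__main__":
    # Example schedule (assumed): "0 8,18 * * * /usr/bin/python3 /path/to/this_script.py"
    print(apply_for_hour(datetime.now().hour), end="")
```

The atomic rename matters because a config watcher or a restart that reads a partially written file would either fail or silently apply a truncated `cadences:` block.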
## Memory Considerations

> **Important relationship:** Shorter cadences may require larger caches:
>
> - Less time to process cached data before new data arrives
> - Risk of cache overflow if processing takes too long
> - Need to maintain more granular behavioral state
>
> Solution: Balance cadence intervals with cache sizes. See Cache Configuration.
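The cache-versus-cadence relationship described at the top of this page can be made concrete with a bounded cache that is only drained when an evaluation runs. This is an added example, not Jibril's own code; it assumes a FIFO cache that evicts its oldest entries when full, which is a simplification, since the page does not describe Jibril's actual eviction policy. The workload numbers are constructed.

```python
"""Added example (not Jibril's own code): a bounded FIFO cache fed by a steady
stream of collected events and drained only at evaluation ticks, to show how
the cadence sets the cache capacity needed to avoid losing context.

Assumption not stated on the page: the cache evicts its oldest entries when
full (a simplification of whatever Jibril actually does).
"""
from collections import deque


def min_cache_for(cadence_s: int, events_per_s: int) -> int:
    """Smallest capacity that holds everything collected between two evaluations."""
    return cadence_s * events_per_s


def simulate(cadence_s: int, capacity: int, events_per_s: int, horizon_s: int) -> dict:
    """Run `horizon_s` seconds, evaluating (and emptying the cache) every `cadence_s` seconds."""
    if cadence_s <= 0 or horizon_s % cadence_s:
        raise ValueError("horizon must be a positive multiple of the cadence")
    cache = deque(maxlen=capacity)  # appending to a full deque silently evicts the oldest entry
    collected = evaluated = 0
    for second in range(horizon_s):
        for _ in range(events_per_s):
            cache.append(second)
            collected += 1
        if (second + 1) % cadence_s == 0:  # evaluation tick: everything still cached is analysed
            evaluated += len(cache)
            cache.clear()
    return {"collected": collected, "evaluated": evaluated, "dropped": collected - evaluated}


if __name__ == "__main__":
    # Constructed workload: 5 events/s into a 20-entry cache over 90 seconds.
    for cadence in (3, 9):
        print(f"cadence {cadence}s, cache 20, needs >= {min_cache_for(cadence, 5)}: "
              f"{simulate(cadence, 20, 5, 90)}")
```

With 5 events per second a 20-entry cache is enough at a 3-second cadence (15 events accrue per interval) but loses 25 of every 45 events at a 9-second cadence; raising the cache to 45 entries, or shortening the cadence, removes the loss. Whichever of the two you change, size the cache for the events that accrue during the longest interval you configure.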