Cadence Configuration
Adjust Jibril Pattern Analysis Cadence as Needed

What is Cadence?
In Jibril, cadence refers to the evaluation intervals that determine how frequently the system analyzes behavioral patterns for potential security threats. These intervals control the timing of pattern detection checks, not the detection accuracy itself.
Core Concept
Think of cadences as the "heartbeat" of your security monitoring:
Each cadence type represents a different monitoring category
The interval value determines how often that category is evaluated
All behavioral data collected between intervals is analyzed during each evaluation
How Cadences Work
Continuous Collection vs. Periodic Evaluation
Data Collection: Jibril continuously monitors and caches behavioral data
Pattern Evaluation: Analysis occurs at cadence intervals
Detection Events: Generated when patterns match during evaluation
Timeline Example (9-second cadence):
0s -------- 9s -------- 18s -------- 27s -------- 36s
| | | | |
Collection Eval #1 Eval #2 Eval #3 Eval #4
(continuous)
Cadence Types
1. File Access Cadence (file_access
)
file_access
)Controls evaluation of file system behavioral patterns:
File creation, modification, deletion patterns
Suspicious file access sequences
Unauthorized access attempts
File permission changes
2. Network Peers Cadence (network_peers
)
network_peers
)Controls evaluation of network endpoint patterns:
Connection to suspicious domains
Communication with known threat actors
Unusual peer communication patterns
DNS resolution anomalies
3. Network Flows Cadence (network_flows
)
network_flows
)Controls evaluation of network flow patterns:
Abnormal traffic volumes
Unusual protocol usage
Data exfiltration patterns
Command and control communications
Configuration Syntax
cadences:
file_access: 9 # Interval in seconds
network_peers: 9 # Interval in seconds
network_flows: 9 # Interval in seconds
Performance Impact
CPU Usage Patterns
The relationship between cadence intervals and CPU usage:
Interval | CPU Impact | Evaluation Frequency
---------|------------|--------------------
1s | Very High | 60 evals/minute
5s | High | 12 evals/minute
9s | Moderate | ~7 evals/minute
30s | Low | 2 evals/minute
60s | Very Low | 1 eval/minute
Memory Considerations
Shorter cadences may require larger caches because:
Less time to process cached data before new data arrives
Risk of cache overflow if processing takes too long
Need to maintain more granular behavioral state
Choosing Cadence Values
Factors to Consider
Environment Activity Level
High-traffic systems: Consider longer intervals
Critical systems: Use shorter intervals for faster detection
Threat Model
Advanced persistent threats: Shorter intervals
General monitoring: Standard intervals sufficient
System Resources
Limited CPU: Increase intervals
Ample resources: Decrease for better responsiveness
Detection Requirements
Real-time needs: 1-5 second intervals
Near real-time: 5-15 second intervals
Delayed acceptable: 15-60 second intervals
Common Configurations
Default Configuration (Balanced)
cadences:
file_access: 9
network_peers: 9
network_flows: 9
High-Security Configuration
cadences:
file_access: 3
network_peers: 5
network_flows: 5
Resource-Conscious Configuration
cadences:
file_access: 30
network_peers: 30
network_flows: 15
Mixed Priority Configuration
cadences:
file_access: 5 # High priority on file monitoring
network_peers: 30 # Lower priority on peer analysis
network_flows: 15 # Medium priority on flow analysis
Important Notes
Cadence vs. Detection Accuracy
Cadences DO NOT affect:
What patterns are detected
The accuracy of pattern matching
The types of threats identified
Cadences DO affect:
How quickly threats are identified after occurring
CPU usage patterns
System responsiveness
Behavioral State Persistence
Behavioral data is not lost between evaluations
All activity is cached and available for analysis
Longer intervals mean more data to process per evaluation
Best Practices
Start Conservative: Begin with default 9-second intervals
Monitor System Impact: Use system metrics to guide adjustments
Test Incrementally: Change one cadence at a time
Consider Peak Hours: Account for system load variations
Document Changes: Track configuration changes and their effects
Troubleshooting
High CPU Usage
Increase cadence intervals
Check for excessive behavioral activity
Verify cache sizes are appropriate
Delayed Detection
Decrease cadence intervals
Ensure caches aren't overflowing
Check system resource availability
Missed Events
Usually NOT a cadence issue
Check cache configuration
Verify detection rules are enabled
Advanced Tuning
Dynamic Cadence Adjustment
While not built-in, you can implement time-based cadence changes:
# Peak hours configuration (via external scheduler)
cadences:
file_access: 5 # More frequent during business hours
# Off-hours configuration
cadences:
file_access: 30 # Less frequent overnight
Cadence Synchronization
Consider staggering cadences to distribute CPU load:
cadences:
file_access: 9 # Evaluates at 0, 9, 18, 27...
network_peers: 10 # Evaluates at 0, 10, 20, 30...
network_flows: 11 # Evaluates at 0, 11, 22, 33...
Summary
Cadences are the timing mechanism that controls when Jibril evaluates collected behavioral data for security threats. Proper cadence configuration balances detection responsiveness with system resource usage. Remember: faster isn't always better—choose intervals that match your security requirements and system capabilities.
Last updated