Cadence Configuration
Adjust Jibril Pattern Analysis Cadence as Needed
In Jibril, cadence refers to the evaluation intervals that determine how frequently the system analyzes behavioral patterns for potential security threats. These intervals control the timing of pattern detection checks, not the detection accuracy itself.
Think of cadences as the "heartbeat" of your security monitoring:
- Each cadence type represents a different monitoring category
- The interval value determines how often that category is evaluated
- All behavioral data collected between intervals is analyzed during each evaluation

How it works:
1. Data Collection: Jibril continuously monitors and caches behavioral data
2. Pattern Evaluation: Analysis occurs at cadence intervals
3. Detection Events: Generated when patterns match during evaluation
Cadence Types

file_access: Controls evaluation of file system behavioral patterns:
- File creation, modification, deletion patterns
- Suspicious file access sequences
- Unauthorized access attempts
- File permission changes

network_peers: Controls evaluation of network endpoint patterns:
- Connection to suspicious domains
- Communication with known threat actors
- Unusual peer communication patterns
- DNS resolution anomalies

network_flows: Controls evaluation of network flow patterns:
- Abnormal traffic volumes
- Unusual protocol usage
- Data exfiltration patterns
- Command and control communications
Cadence intervals also shape CPU usage: shorter intervals mean more frequent evaluations, each over a smaller batch of cached data, while longer intervals mean fewer evaluations that each process more data.

Shorter cadences may require larger caches because:
- There is less time to process cached data before new data arrives
- The cache can overflow if processing takes too long
- More granular behavioral state has to be maintained
Choosing Cadence Intervals

Environment Activity Level
- High-traffic systems: Consider longer intervals
- Critical systems: Use shorter intervals for faster detection

Threat Model
- Advanced persistent threats: Shorter intervals
- General monitoring: Standard intervals sufficient

System Resources
- Limited CPU: Increase intervals
- Ample resources: Decrease for better responsiveness

Detection Requirements
- Real-time needs: 1-5 second intervals
- Near real-time: 5-15 second intervals
- Delayed acceptable: 15-60 second intervals
Cadences DO NOT affect:
- What patterns are detected
- The accuracy of pattern matching
- The types of threats identified

Cadences DO affect:
- How quickly threats are identified after occurring
- CPU usage patterns
- System responsiveness

Keep in mind:
- Behavioral data is not lost between evaluations
- All activity is cached and available for analysis
- Longer intervals mean more data to process per evaluation
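The trade-off described above (a longer interval delays detection and grows the batch each evaluation has to process, and a bounded cache can overflow if that batch outgrows it) can be made concrete with a small replay. The following is an added example, not Jibril's own code: it models the cache as a simple bounded buffer that each evaluation tick drains completely, and it treats events arriving at a full cache as dropped. Both are assumptions made only to illustrate the risk; the event timestamps are constructed.

```python
"""Replay constructed event timestamps against a cadence interval.

Added example, not Jibril's own code. The cache model (a bounded buffer,
fully drained at each evaluation tick, dropping events while full) is an
assumption used to illustrate the documented trade-offs.
"""
from dataclasses import dataclass


@dataclass
class CadenceResult:
    interval_s: float
    peak_occupancy: int       # most events held in the cache at once
    dropped: int              # events that arrived while the cache was full
    worst_case_delay_s: float  # longest wait between an event and its evaluation
    evaluations: int          # evaluation ticks within the horizon


def steady_workload(rate_per_s, duration_s):
    """Constructed workload: events at a constant rate for `duration_s` seconds."""
    return [i / rate_per_s for i in range(int(rate_per_s * duration_s))]


def simulate(event_times, interval_s, cache_capacity, horizon_s):
    """Replay events (seconds since start) against one cadence interval."""
    cached = 0
    peak = 0
    dropped = 0
    worst_delay = 0.0
    evaluations = 0
    next_tick = interval_s
    for t in sorted(event_times):
        # Every tick that has passed before this event drains the cache.
        while next_tick <= t:
            cached = 0
            evaluations += 1
            next_tick += interval_s
        if cached < cache_capacity:
            cached += 1
            peak = max(peak, cached)
            # The event is only examined at the next tick.
            worst_delay = max(worst_delay, next_tick - t)
        else:
            dropped += 1
    # Count the remaining ticks up to the end of the horizon.
    while next_tick <= horizon_s:
        cached = 0
        evaluations += 1
        next_tick += interval_s
    return CadenceResult(interval_s, peak, dropped, worst_delay, evaluations)


def compare(intervals, rate_per_s=10, duration_s=60, cache_capacity=100):
    """Run the same constructed workload under several intervals."""
    events = steady_workload(rate_per_s, duration_s)
    return {i: simulate(events, i, cache_capacity, duration_s) for i in intervals}


if __name__ == "__main__":
    for interval, r in compare([3, 9, 30]).items():
        print(f"interval={interval:>2}s peak={r.peak_occupancy:>3} "
              f"dropped={r.dropped:>3} worst_delay={r.worst_case_delay_s:>4}s "
              f"evaluations={r.evaluations}")
```

With 10 events per second and a cache of 100 entries, a 3 s or 9 s interval keeps the cache within bounds and bounds detection delay at one interval, while a 30 s interval would need a cache of 300 entries to avoid losing data under this model. The numbers are for the constructed workload only; use your own event rates and the documented defaults when sizing a real deployment.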
Best Practices
1. Start Conservative: Begin with default 9-second intervals
2. Monitor System Impact: Use system metrics to guide adjustments
3. Test Incrementally: Change one cadence at a time
4. Consider Peak Hours: Account for system load variations
5. Document Changes: Track configuration changes and their effects
Troubleshooting

If CPU usage is too high:
- Increase cadence intervals
- Check for excessive behavioral activity
- Verify cache sizes are appropriate

If detections arrive too slowly:
- Decrease cadence intervals
- Ensure caches aren't overflowing
- Check system resource availability

If expected detections are missing:
- This is usually NOT a cadence issue
- Check cache configuration
- Verify detection rules are enabled
Time-based cadence changes are not built in, but you can implement them yourself, for example by switching between a peak-hours configuration and an off-peak configuration on a schedule.

Consider staggering cadences to distribute CPU load, so that the three cadence types do not all evaluate at the same instant.
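As an added example of both ideas (a time-of-day profile and staggered evaluation), not Jibril's own code and not its configuration schema: the cadence names are the three documented here, but the profile values, the peak-hours window and the idea of a per-cadence start offset are assumptions, and the rendered keys (`cadences`, `interval`, `offset`) are placeholders to be replaced with whatever your Jibril version actually accepts.

```python
"""Time-of-day cadence profiles and staggered evaluation offsets.

Added example, not Jibril's own code. PROFILES, PEAK_HOURS and the offset
model are constructed; the rendered keys are placeholders, not Jibril's schema.
"""
from datetime import datetime
from itertools import combinations

# Constructed profiles: longer intervals during peak hours, shorter off-peak.
PROFILES = {
    "peak": {"file_access": 15, "network_peers": 15, "network_flows": 15},
    "off_peak": {"file_access": 9, "network_peers": 9, "network_flows": 9},
}
PEAK_HOURS = range(8, 18)  # constructed: 08:00 to 17:59 local time


def profile_for_hour(hour):
    """Pick the profile name for a given hour of the day (0-23)."""
    return "peak" if hour in PEAK_HOURS else "off_peak"


def stagger(cadences):
    """Assign start offsets so cadences sharing an interval tick at different times.

    Cadences with the same interval are spread evenly across that interval
    (assumed model: offset i * interval / n for the i-th cadence, sorted by name).
    """
    by_interval = {}
    for name, interval in cadences.items():
        by_interval.setdefault(interval, []).append(name)
    offsets = {}
    for interval, names in by_interval.items():
        step = interval / len(names)
        for i, name in enumerate(sorted(names)):
            offsets[name] = round(i * step, 3)
    return offsets


def ticks(interval, offset, horizon):
    """Evaluation instants for one cadence up to `horizon` seconds."""
    out = []
    t = offset
    while t <= horizon:
        out.append(round(t, 3))
        t += interval
    return out


def collisions(cadences, offsets, horizon=60):
    """Count instants at which two cadences evaluate at exactly the same time."""
    schedule = {n: set(ticks(cadences[n], offsets.get(n, 0), horizon)) for n in cadences}
    return sum(len(schedule[a] & schedule[b]) for a, b in combinations(schedule, 2))


def render_config(cadences, offsets):
    """Render a YAML-like fragment; the key names are placeholders."""
    lines = ["cadences:  # placeholder key, not Jibril's schema"]
    for name in sorted(cadences):
        lines.append(f"  {name}:")
        lines.append(f"    interval: {cadences[name]}s")
        lines.append(f"    offset: {offsets[name]}s  # placeholder key")
    return "\n".join(lines)


if __name__ == "__main__":
    profile = profile_for_hour(datetime.now().hour)
    cadences = PROFILES[profile]
    offsets = stagger(cadences)
    print(f"# profile: {profile}, collisions in 60s without stagger: "
          f"{collisions(cadences, {})}, with stagger: {collisions(cadences, offsets)}")
    print(render_config(cadences, offsets))
```

With the three off-peak cadences all at 9 s, `stagger` places them at 0 s, 3 s and 6 s, which removes every simultaneous evaluation in a 60 s window (21 coincidences without staggering, 0 with). A scheduler such as cron can run this once per hour, write the rendered fragment into your real configuration under the correct keys, and reload Jibril, which keeps the "change one cadence at a time" and "document changes" practices above easy to follow.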
Cadences are the timing mechanism that controls when Jibril evaluates collected behavioral data for security threats. Proper cadence configuration balances detection responsiveness with system resource usage. Remember: faster isn't always better—choose intervals that match your security requirements and system capabilities.