Cadence Configuration

Adjust Jibril Pattern Analysis Cadence as Needed

What is Cadence?

In Jibril, cadence refers to the evaluation intervals that determine how frequently the system analyzes behavioral patterns for potential security threats. These intervals control the timing of pattern detection checks, not the detection accuracy itself.

Core Concept

Think of cadences as the "heartbeat" of your security monitoring:

Each cadence type represents a different monitoring category
The interval value determines how often that category is evaluated
All behavioral data collected between intervals is analyzed during each evaluation

How Cadences Work

Continuous Collection vs. Periodic Evaluation

Data Collection: Jibril continuously monitors and caches behavioral data
Pattern Evaluation: Analysis occurs at cadence intervals
Detection Events: Generated when patterns match during evaluation

Timeline Example (9-second cadence):
0s -------- 9s -------- 18s -------- 27s -------- 36s
|           |           |            |            |
Collection  Eval #1     Eval #2      Eval #3      Eval #4
(continuous)

Cadence Types

1. File Access Cadence (`file_access`)

Controls evaluation of file system behavioral patterns:

File creation, modification, deletion patterns
Suspicious file access sequences
Unauthorized access attempts
File permission changes

2. Network Peers Cadence (`network_peers`)

Controls evaluation of network endpoint patterns:

Connection to suspicious domains
Communication with known threat actors
Unusual peer communication patterns
DNS resolution anomalies

3. Network Flows Cadence (`network_flows`)

Controls evaluation of network flow patterns:

Abnormal traffic volumes
Unusual protocol usage
Data exfiltration patterns
Command and control communications

Configuration Syntax

cadences:
  file_access: 9      # Interval in seconds
  network_peers: 9    # Interval in seconds
  network_flows: 9    # Interval in seconds

Performance Impact

CPU Usage Patterns

The relationship between cadence intervals and CPU usage:

Interval | CPU Impact | Evaluation Frequency
---------|------------|--------------------
1s       | Very High  | 60 evals/minute
5s       | High       | 12 evals/minute
9s       | Moderate   | ~7 evals/minute
30s      | Low        | 2 evals/minute
60s      | Very Low   | 1 eval/minute

Memory Considerations

Shorter cadences may require larger caches because:

Less time to process cached data before new data arrives
Risk of cache overflow if processing takes too long
Need to maintain more granular behavioral state

Choosing Cadence Values

Factors to Consider

Environment Activity Level
- High-traffic systems: Consider longer intervals
- Critical systems: Use shorter intervals for faster detection
Threat Model
- Advanced persistent threats: Shorter intervals
- General monitoring: Standard intervals sufficient
System Resources
- Limited CPU: Increase intervals
- Ample resources: Decrease for better responsiveness
Detection Requirements
- Real-time needs: 1-5 second intervals
- Near real-time: 5-15 second intervals
- Delayed acceptable: 15-60 second intervals

Common Configurations

Default Configuration (Balanced)

cadences:
  file_access: 9
  network_peers: 9
  network_flows: 9

High-Security Configuration

cadences:
  file_access: 3
  network_peers: 5
  network_flows: 5

Resource-Conscious Configuration

cadences:
  file_access: 30
  network_peers: 30
  network_flows: 15

Mixed Priority Configuration

cadences:
  file_access: 5      # High priority on file monitoring
  network_peers: 30   # Lower priority on peer analysis
  network_flows: 15   # Medium priority on flow analysis

Important Notes

Cadence vs. Detection Accuracy

Cadences DO NOT affect:

What patterns are detected
The accuracy of pattern matching
The types of threats identified

Cadences DO affect:

How quickly threats are identified after occurring
CPU usage patterns
System responsiveness

Behavioral State Persistence

Behavioral data is not lost between evaluations
All activity is cached and available for analysis
Longer intervals mean more data to process per evaluation

Best Practices

Start Conservative: Begin with default 9-second intervals
Monitor System Impact: Use system metrics to guide adjustments
Test Incrementally: Change one cadence at a time
Consider Peak Hours: Account for system load variations
Document Changes: Track configuration changes and their effects

Troubleshooting

High CPU Usage

Increase cadence intervals
Check for excessive behavioral activity
Verify cache sizes are appropriate

Delayed Detection

Decrease cadence intervals
Ensure caches aren't overflowing
Check system resource availability

Missed Events

Usually NOT a cadence issue
Check cache configuration
Verify detection rules are enabled

Advanced Tuning

Dynamic Cadence Adjustment

While not built-in, you can implement time-based cadence changes:

# Peak hours configuration (via external scheduler)
cadences:
  file_access: 5      # More frequent during business hours

# Off-hours configuration
cadences:
  file_access: 30     # Less frequent overnight

Cadence Synchronization

Consider staggering cadences to distribute CPU load:

cadences:
  file_access: 9      # Evaluates at 0, 9, 18, 27...
  network_peers: 10   # Evaluates at 0, 10, 20, 30...
  network_flows: 11   # Evaluates at 0, 11, 22, 33...

Summary

Cadences are the timing mechanism that controls when Jibril evaluates collected behavioral data for security threats. Proper cadence configuration balances detection responsiveness with system resource usage. Remember: faster isn't always better—choose intervals that match your security requirements and system capabilities.

Last updated 1 month ago