Attenuator
AI-Powered Analysis
The Attenuator uses large language models such as GPT-4o to examine security events, enriching detections with contextual insights, severity classifications and false positive filtering.
Overview
The Attenuator acts as an intelligent filter that analyzes security events detected by Jibril and provides additional context, severity classifications, and even determines if an event is likely a false positive. This feature leverages AI models (like GPT-4o) to bring expert-level security analysis to each detection.
Think of the Attenuator as a security analyst who can analyze an event and immediately provide a detailed explanation of whether it is a false positive or not. This analysis is not based solely on the event's details, but also takes into account the broader context and the environment in which the event occurred.
Operational Modes
Amend
Enriches events with AI-generated verdicts and confidence scores without blocking (default mode).
Reason
Provides detailed analytical reasoning and threat context along with verdicts.
Reasoning models add a field that explains the model's thinking process during the analysis.
Block
Filters out false positives to reduce alert fatigue.
In block mode, the Attenuator does not return an event at all if it classifies it as a false positive.
Recommendation: For initial deployment, use amend or reason mode to assess the AI's performance before selecting the most appropriate model and configuration for your environment. Enabling block mode should be approached with caution, as suppressing security events can be risky. Whenever possible, prefer labeling and filtering events rather than dropping them altogether.
Configuration
Configure the Attenuator through Jibril's configuration file or environment variables.
Configuration Options
| Description | Config Option | Env Variable | Default Value |
|---|---|---|---|
| Feature Flag | enabled | - | false |
| API token | token | AI_TOKEN | - |
| AI Model Name | model | AI_MODEL | gpt-4o |
| Model Temperature | temperature | AI_TEMPERATURE | 0.3 |
| Operational Mode | mode | AI_MODE | amend |
| AI Service URL | url | AI_URL | OpenAI API URL |
Example Configuration
To enable and configure the Attenuator in your Jibril setup, add the following to your configuration:

```yaml
features:
  - attenuator # use attenuator to detect suspicious behavior.
feature_options:
  # the feature must be enabled for the option to be used.
  attenuator:
    enabled: true
    url: https://api.openai.com/v1/chat/completions
    port: 443
    model: gpt-5
    temp: 1
    mode: reason
```
Alternative: You can also set environment variables:

```shell
export AI_TOKEN=your-ai-token
export AI_MODEL=gpt-4o
export AI_TEMPERATURE=0.3
export AI_MODE=reason
```
Local and Private Models
The Attenuator can be used with local inference engines like Ollama to run private models on your own infrastructure. This approach offers several advantages:
- Data Privacy - Keeps security event data within your environment
- Cost Efficiency - Eliminates API usage costs
- Customization - Allows fine-tuning of models for security-specific tasks
To use Ollama with the Attenuator, set the URL to your Ollama instance:

```yaml
features:
  - attenuator
feature_options:
  attenuator:
    enabled: true
    url: "http://localhost:11434/v1/chat/completions"
    model: "deepseek-coder:latest"
```
Recommendation: Jibril recommends the DeepSeek R1 (14B) model. It shows the best results with shorter inference times.
Response Format
The Attenuator provides rich context for each security event it analyzes:

```json
{
  ...
  "attenuator": {
    "is_false_positive": true,
    "new_importance": "low",
    "interpretation": "The event involves the use of curl to access a URL on pastebin.com over HTTPS, which is a common and legitimate action for users retrieving data from pastebin. The command was executed by a user with UID 1000, indicating a non-root user, and there is no evidence of malicious intent or abnormal behavior in the process ancestry or file access patterns. The network flow shows a standard HTTPS connection to pastebin.com, which is not inherently suspicious. Therefore, this event is likely a false positive.",
    "attenuated_by": "gpt-4o"
  }
  ...
}
```

```json
{
  ...
  "attenuator": {
    "is_false_positive": false,
    "new_importance": "low",
    "interpretation": "User rafaeldtinoco ran '/usr/bin/curl -q https://xvideos.com' from an interactive sshd/bash session. Egress TLS flows to xvideos.com resolved IPs 185.88.181.9 and .10 on 443 match the command. Typical TLS/CA files were read; no anomalous file writes or process injection observed. The activity is deliberate and accurately attributed to curl, confirming adult site access and not a sensor misfire.",
    "attenuated_by": "gpt-5"
  },
  ...
}
```
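The recommendation above is to label and route events on the AI verdict rather than drop them, so a downstream consumer of amend/reason-mode output needs to read the `attenuator` object shown here. The following is an added example, not Jibril's own code: it triages constructed NDJSON events using the documented `is_false_positive`, `new_importance` and `attenuated_by` fields, keeps likely false positives for audit instead of discarding them, and never treats a missing verdict (AI backend unreachable) as a false positive. The `id` and `importance` field names are assumptions, not documented Jibril fields.

```python
import json

# Constructed sample events, not real Jibril output. Only the "attenuator"
# object follows the documented format; "id" and "importance" are assumed
# names for the event identifier and the sensor's original severity.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    {"id": "evt-1", "importance": "high",
     "attenuator": {"is_false_positive": True, "new_importance": "low",
                    "interpretation": "curl fetched a public paste over HTTPS.",
                    "attenuated_by": "gpt-4o"}},
    {"id": "evt-2", "importance": "medium",
     "attenuator": {"is_false_positive": False, "new_importance": "high",
                    "interpretation": "Interactive shell spawned by a web worker.",
                    "attenuated_by": "gpt-5"}},
    {"id": "evt-3", "importance": "high"},  # no verdict: AI backend unreachable
])

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def triage(event):
    """Apply the AI verdict without dropping anything (amend/reason style).

    Returns a copy of the event with a 'triage' block holding the effective
    severity, a list of labels, and the queue the event is routed to.
    """
    verdict = event.get("attenuator")
    out = dict(event)
    labels = []
    if verdict is None:
        # Fail safe: an unanalysed event keeps the sensor's own severity and is
        # labelled so an analyst can see the model never looked at it.
        severity = event.get("importance", "medium")
        labels.append("ai:unanalysed")
    else:
        severity = verdict.get("new_importance", event.get("importance", "medium"))
        labels.append("ai:" + verdict.get("attenuated_by", "unknown"))
        if verdict.get("is_false_positive"):
            labels.append("ai:likely-false-positive")
    if verdict is not None and verdict.get("is_false_positive"):
        queue = "review"  # kept for auditing and model evaluation, not paged
    elif SEVERITY_RANK.get(severity, 1) >= SEVERITY_RANK["high"]:
        queue = "page"
    else:
        queue = "ticket"
    out["triage"] = {"severity": severity, "labels": labels, "queue": queue}
    return out


def triage_stream(ndjson_text):
    """Triage every event in an NDJSON string and return the results."""
    return [triage(json.loads(line)) for line in ndjson_text.splitlines() if line.strip()]
```

Pointing `triage_stream` at Jibril's real event output instead of `SAMPLE_NDJSON` gives a queue assignment per event that can be compared against analyst verdicts before block mode is ever considered.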
Use Cases
Reducing Alert Fatigue
By filtering out false positives (in block mode).
Prioritizing Alerts
Through accurate severity classification.
Contextualizing Detections
Adding expert analysis to help security teams understand the significance of events.
CI/CD Environments
Automatically filtering security events in automated workflows.
Best Practices
Start with Amend/Reason Mode
Begin with "amend" or "reason" mode to evaluate the AI's judgments before using "block" mode.
Temperature Settings
A higher temperature setting produces more varied analyses; the default is 0.3.
Production Models
For production environments, consider using the most advanced AI model available.
Resource Allocation
When using private models, allocate sufficient resources for inference, especially for real-time security monitoring.