## Programmable JavaScript Reactions to OS Security Events
We've just released Jibril v2.4 with a new "Reactions" system that fundamentally changes how runtime security works. Instead of just detecting and alerting, you can now write JavaScript code that automatically executes in response to real-time OS security events.
## How it works
Jibril monitors the OS (file access, process execution, network activity, specific kernel logic) and when security events match detection rules, after being printed to enabled printers, JavaScript reactions are triggered. They run in isolated V8 contexts with direct access to system operations:
```javascript function process(data) { // Multi-stage response to crypto miner detection if (data.file.basename.match(/^(xmrig|ethminer|cgminer)$/)) { Error("Crypto miner detected: " + data.process.cmd);
// Immediate containment
KillCurrent(); // Terminate process
NetBlockIp(); // Block network
// Evidence collection
let dir = CreateTempDir("miner-incident-*");
let evidence = {
timestamp: new Date().toISOString(),
process_ancestry: data.base.background.ancestry,
command_line: data.process.cmd
};
WriteFile(dir + "/evidence.json", JSON.stringify(evidence));
// Track incidents
let count = parseInt(DataGet("miners_terminated") || "0") + 1;
DataSet("miners_terminated", String(count));
Info("Miner #" + count + " terminated and blocked");
}## Technical capabilities
Jibril provides a comprehensive API with 25+ helper functions:
- Process management: `KillCurrent()`, `KillParent()`, `KillProcess(pid)` with safety controls - Network policy: `NetBlockIp()`, `NetBlockDomain()`, `NetBlockIpTimer()` for real-time blocking - File operations: `ReadFile()`, `WriteFile()`, `CreateTempDir()` with secure permissions - Data persistence: Key-value store surviving across executions - Emergency controls: `PowerOff()`, `Panic()` for critical threats
Each reaction runs in isolated V8 context with error handling, executes in milliseconds, handles concurrent execution automatically, and provides audit trails.
Check examples: https://github.com/garnet-org/jibril-wahy/tree/main/jibril/tests
## Beyond simple automation
The programmability enables sophisticated logic:
- Graduated responses: Start with logging, escalate to blocking, terminate as last resort - Context-aware decisions: Block external IPs but whitelist internal infrastructure - Cross-event correlation: Track patterns across multiple security events - Custom evidence collection: Automatically gather exactly the forensic data you need
Reactions are defined in YAML alongside detection rules, so response logic stays coupled with detection logic. Start conservative and gradually increase automation.
## Why this approach matters
Traditional tools detect threats but still require human analysts to respond. This creates a gap where threats continue running while humans investigate. By making response programmable and immediate, you can stop threats in their tracks while maintaining human oversight.
The isolation model means reactions can safely perform powerful operations (including system shutdown) without risking the host system if JavaScript code has bugs.
## Full documentation:
- https://jibril.garnet.ai/customization/reactions - https://jibril.garnet.ai/customization/alchemies - https://jibril.garnet.ai/customization/attenuator
Have fun!