# eBPF passive AI discovery

eBPF passive capture is a last-resort discovery path for customers that do not have EDR, CASB, DNS, or firewall telemetry available.

**Release state**

This guide documents the optional `ebpf_passive_capture` connector contract. It is disabled by default and requires explicit customer authorization before any capture is enabled.
## Required authorization

The connector requires these safeguards:

| Capability | Purpose |
|---|---|
| `customer_authorized` | Confirms the customer authorized passive capture. |
| `daemonset_optional` | Keeps deployment optional rather than required. |
| `tcp_connection_metadata_only` | Restricts capture to connection metadata. |
| `tls_payload_parsing_forbidden` | Confirms payload parsing and storage are forbidden. |
## Setup

- Confirm the legal and security approval for passive metadata collection.
- Configure provider IP ranges in `ARGMIN_EBPF_PROVIDER_IP_RANGES`.
- Set `ARGMIN_EBPF_CAPTURE_CUSTOMER_AUTHORIZED=true` only after approval is recorded.
- Set `ARGMIN_EBPF_CAPTURE_ENABLED=true` only for the approved environment.
- In Venturi, open Administration -> Connectors -> eBPF passive capture and run Test connection.
## Verification

- The connector stays disabled until both the enabled flag and the customer-authorized flag are set.
- Output contains TCP connection metadata only: destination IP, port, host, and timing fields.
- TLS payload fields are absent and `tls_payload_captured` is false.
- Observations carry a low-confidence discovery label, not chargeback-ready attribution.
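As an added example (not the connector's own code), the checks below mirror the Setup gating and the Verification contract above: capture is allowed only when both flags are `true`, destinations are matched against `ARGMIN_EBPF_PROVIDER_IP_RANGES`, and a record is rejected if it carries anything beyond the documented metadata. Assumptions: the range variable holds comma-separated CIDRs, and the concrete field names and the `"low"` label value are illustrative.

```python
import ipaddress

# Assumed names: the page lists categories (destination IP, port, host, timing
# fields) but not concrete keys; the "low" label value is also assumed.
ALLOWED_FIELDS = {"dst_ip", "dst_port", "host", "first_seen", "last_seen",
                  "tls_payload_captured", "confidence"}
# Payload-derived keys (assumed names) that must never appear in output.
PAYLOAD_FIELDS = {"tls_client_hello", "tls_payload", "http_body"}


def _truthy(value):
    return str(value).strip().lower() == "true"


def capture_allowed(env):
    """Capture stays off unless BOTH flags are literally 'true' (default off)."""
    return (_truthy(env.get("ARGMIN_EBPF_CAPTURE_ENABLED", "false"))
            and _truthy(env.get("ARGMIN_EBPF_CAPTURE_CUSTOMER_AUTHORIZED", "false")))


def load_provider_ranges(env):
    """Parse ARGMIN_EBPF_PROVIDER_IP_RANGES as comma-separated CIDRs (assumed format)."""
    raw = env.get("ARGMIN_EBPF_PROVIDER_IP_RANGES", "")
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in raw.split(",") if c.strip()]


def is_provider_destination(dst_ip, ranges):
    # ipaddress returns False for a v4 address tested against a v6 network.
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in ranges)


def validate_observation(obs):
    """Return the list of contract violations for one connection record."""
    problems = []
    extra = set(obs) - ALLOWED_FIELDS
    if extra:
        problems.append(f"unexpected fields: {sorted(extra)}")
    if set(obs) & PAYLOAD_FIELDS:
        problems.append("payload-derived field present")
    if obs.get("tls_payload_captured") is not False:
        problems.append("tls_payload_captured must be false")
    if obs.get("confidence") != "low":
        problems.append("missing low-confidence discovery label")
    return problems


# Constructed sample records: one conforming, one violating every rule.
GOOD_OBSERVATION = {"dst_ip": "192.0.2.10", "dst_port": 443, "host": "api.example",
                    "first_seen": 1700000000, "last_seen": 1700000042,
                    "tls_payload_captured": False, "confidence": "low"}
BAD_OBSERVATION = dict(GOOD_OBSERVATION, tls_client_hello="<bytes>",
                       tls_payload_captured=True, confidence="high")
```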
## Rotation and offboarding
Review authorization on every renewal cycle. To offboard, disable the connector and remove the optional capture deployment from the approved environment.