Sandfly 3.3.0 has been released with major updates across the board. Some of the new features include:
Single Sign-On (SSO) support
Configurable data retention period
Unconventional/obfuscated IP detection signatures
Host scanning compatibility improvements
Improved email notification support
API example scripts
Sandfly Enterprise licensed users can now use SSO with Sandfly. The new SSO configuration option allows for easy setup and connection to your chosen SSO provider:
Once configured with your SSO information, you can add users with admin or user roles:
All Sandfly code is now verified by Veracode to a very strict standard for secure coding and vulnerabilities. Certification for each build is available to customers who wish to review the details and our proactive security stance.
Users can now access reports showing historical scan status over time and host asset views. The host asset view will show you critical information about your Linux systems such as:
Linux distribution name
Linux kernel version
Online/offline status and more
Scan performance reports will show information such as:
Total scans completed over time
Total alerts/pass/error events
Number of Sandfly checks run across all hosts
Hourly performance graphs
Alerts by Mitre ATT&CK and Sandfly Type
The new reporting features also allows you to easily print or save reports as PDF format as needed.
Fully licensed users can set the period of time to retain data inside Sandfly. The old limit was set to 72 hours, but now you can extend this time out to 31 days if desired (and your drive space allows).
Just like with our Elasticsearch support, customers can now setup an external Postgres database to take in alerts for long-term storage and analysis independent of Sandfly. Customers wishing to retain data for threat hunting, trend analysis or more can now easily send this data to Postgres to analyze and retain indefinitely.
Did you know the following are legitimate URLs for the IP address 192.168.0.1?
Obfuscating an IP address with hex, octal or binary is virtually always malicious regardless of the IP address. We'll now tell you when we see it on your hosts. We sweep critical system areas such as the following for signs that someone is trying to use an obfuscated IP address:
System init scripts
System rc scripts
At job entries
Sandfly will alert you if we see this activity in critical areas like below:
We have made many improvements across all Sandfly modules to make detection wider and evasion harder. REGEX has been optimized as well to make it faster and more accurate.
We have new checks to find SSH private keys hanging out in the root user's home directory. Plus, new policy and incident response checks that will sweep for private keys under any user's home directory on the system.
SSH private keys can be a large security threat and easily enable lateral movement. Sandfly can let you know if critical systems have SSH keys where they shouldn't be.
We have made changes to home directory discovery algorithms inside Sandfly. Sandfly will now try multiple areas to initiate a scan when we discover a host. The discovery will try standard user home directories first and then fall back to /dev/shm if a suitable area cannot be found. This update means we now work across systems with NFS mounted home directories or home directories with restricted execution access.
We have improved e-mail notifications which support a wider range of authentication types. We have also included sample scripts in the setup directory to demonstrate how to use the Sandfly API from the command line. The scripts can be used to help with SOAR playbook automation and more.
Further, start-up scripts will now auto-tune Postgres parameters based on available CPU and RAM in the Sandfly server for optimal performance out of the box.
All free and paid customers can upgrade today. Please see the upgrade documentation for instructions on how to quickly and easily upgrade.
Sandfly v3.3 is still offered for free to help you immediately start monitoring and protecting your Linux fleet. Get it online now with an instant no-obligation license.