Custom sandflies can be cloned to enhance the system sandflies or create entirely new methods of security analysis that may be unique to your operational environment or use cases. Either way, they leverage the file, directory, log, process, user or other incident response analysis methods that the Sandfly system has to offer.

In general, "sandflies" are small JSON modules that are passed to the Sandfly agentless forensic engines to investigate remote systems. They also use regular expression (aka regex) in the options section of the JSON. Thus regex knowledge is valuable, especially for creating or modifying complex rules.

Sidebar Options for the Sandflies SectionSidebar Options for the Sandflies Section


To access a table view of sandflies, use the All Sandflies sub-menu option or simply click on Sandflies in the sidebar. Both methods will open a page that, by default, provides an unfiltered list of every sandfly that exists on the server. Use the Presets button in the table's header to quickly filter on commonly needed views, including "Custom Only". The table header also provides buttons to Activate, Deactivate, or Delete selected sandflies en masse.


Depending on whether an existing sandfly or template is being reused or an entirely new one is being created from scratch, the web interface provides two ways to individually add a custom sandfly.

  1. Use the Clone button in the Actions column of the Sandflies table view or on any Sandfly Details page.
    • This method copies the corresponding JSON and adds it into the Add Custom Sandfly form.
    • In order to save it, at minimum the value for "name" must be changed to something unique.
  2. Use the Add Custom Sandfly menu option in the sidebar or the button of the same name in the view page.
  • This method comes populated with example JSON which can be extended or replaced entirely.

Please refer to the Custom Sandfly Creation documentation for further details for defining custom Sandflies.

Bulk Administration


Starting with Sandfly version 4.3, custom sandflies can be downloaded via the web interface from the Download Custom Sandflies button found on the Sandflies view. Using that button will create a single, bulk-formatted JSON file which contains every custom sandfly that is on your server.


Starting with Sandfly version 4.3, custom sandflies can also be uploaded in bulk via a web browser from the Upload Sandflies menu option in the sidebar. The form requires a single, bulk-formatted JSON file, regardless if it contains one or multiple custom sandflies.

A bulk-formatted file contains each Sandfly individually encapsulated by an outer JSON bulk structure. An intact file can only be used for the bulk upload / download operations and not as an individual Sandfly JSON structure that is used by the "Add Custom Sandfly" feature. However, individual Sandfly JSON can be extracted from that file.

NOTE: Bulk JSON files are structured differently than custom sandfly JSON

Custom Sandfly JSON contains an outer wrapper for the JSON file that is used for the up/downloading of the bulk operation, even for a single custom sandfly.

Malformed JSON and custom sandflies with a name of an existing system sandfly will be rejected. Uploading files that contain custom sandfly names that already exist will completely overwrite those sandflies. Names that do not exist at the time of the upload will create new custom sandflies.

WARNING: Custom Sandflies With The Same Name Will Be Overwritten!

Ensure that custom sandfly names are unique. If a new or uploaded custom sandfly has the name of an existing custom sandfly, when saved it will completely overwrite the existing sandfly regardless of its content.

Previous Article:

Next Article: