The Results Viewer allows you to see alerts, passed checks and non-fatal errors. The viewer has a built in filter to allow you to quickly create views to get to the data you need.
Sandfly Alert Results
Sandfly will show three result event types from its scans:
- Alerts - Security Alerts with forensic data.
- Pass - Results of a security check that passed with no findings.
- Errors - Errors during the scan that are non-fatal describing what the problem was.
Alert events are the primary concern for Sandfly as they will show hosts that are compromised or behaving in unusual ways that need to be investigated.
Pass events are primarily for auditing purposes. They show that Sandfly investigated the host for that particular threat but found nothing. This can be useful for showing a timeline of events leading up to a compromise or establishing compliance with various security policies.
Errors are non-fatal events that happened during a scan. For instance Sandfly might have tried to look for a particular log file but it was missing. These errors are not fatal and the scan simply reports what happened and carries on. If the error resolves the next time Sandfly looks you will not see it again. Otherwise, the error will be reported again on the next check.
Sandfly automatically prunes old results after a period of time from the internal database. The length of time various depending on the license type you have. If you are sending events to an external replication database, then it is your responsibility for rotating and expiring events.