The Results Viewer presents a wide array of information in a data table format. Its toolbar lets you filter and display the data in flexible ways to suit any role or situation. Presets are provided to quickly break results down by alerts, passed checks or non-fatal errors.
Sandfly Alert Results
The web interface provides a few ways to view grouped results. The following options are available under the Results section of the sidebar:
- Results by Host (default) - Alerts are grouped by host, which makes it easy to spot the most troublesome devices.
- All Results - The information is not grouped, though the data is initially filtered to Alert events.
Sandfly shows three result event types from its scans:
Alert events are Sandfly's primary focus: they carry forensic data from hosts that are compromised or behaving in unusual ways and need to be investigated.
Pass events are primarily for auditing purposes. They show that Sandfly checked the host for that particular threat and found nothing. This can be useful for building a timeline of events leading up to a compromise, or for demonstrating compliance with security policies.
Errors are non-fatal events that happened during a scan. For instance, Sandfly might have tried to read a particular log file and found it missing. Such errors are not fatal: the scan simply reports what happened and carries on. If the error has cleared the next time Sandfly looks, you will not see it again; otherwise it is reported again on the next check.
Sandfly automatically prunes old results after the number of days set in the Data Retention server setting. The configurable range depends on the type of license. If you are sending events to an external replication database, you are responsible for rotating and expiring those events yourself.
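The following Python script is an added example, not Sandfly's own code, that models the behaviour described above over constructed sample data: the "Results by Host" and "All Results" presets, the rule that a non-fatal error only persists while it recurs on the latest check, and the retention pruning you must implement yourself for a replication database. The record layout (host, sandfly, status, time) and the host and check names are assumptions made for illustration only; they are not Sandfly's actual schema or sandfly names.

```python
"""Added example, not Sandfly's code. Models Sandfly's three result types
(alert, pass, error), the viewer presets, and retention pruning over
constructed sample records.

ASSUMPTION: the record fields below (host, sandfly, status, time) are an
illustrative layout, not Sandfly's real result schema."""
from collections import Counter
from datetime import datetime, timedelta, timezone

VALID_STATUSES = {"alert", "pass", "error"}

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def rec(host, sandfly, status, age):
    """Build one constructed result record `age` before NOW."""
    return {"host": host, "sandfly": sandfly, "status": status, "time": NOW - age}


# Constructed sample results (hypothetical hosts and check names).
SAMPLE_RESULTS = [
    rec("web01", "process_hidden", "alert", timedelta(hours=1)),
    rec("web01", "log_missing_auth", "error", timedelta(days=2)),   # older error...
    rec("web01", "log_missing_auth", "pass", timedelta(hours=1)),   # ...cleared on the next check
    rec("db01", "rootkit_check", "alert", timedelta(hours=3)),
    rec("db01", "user_suspicious", "alert", timedelta(hours=2)),
    rec("db01", "log_missing_secure", "error", timedelta(minutes=30)),  # still erroring
    rec("bastion", "process_hidden", "pass", timedelta(hours=1)),
    rec("bastion", "process_hidden", "alert", timedelta(days=40)),  # outside a 30-day window
]


def validate(results):
    """Reject any record whose status is not one of the three event types."""
    for r in results:
        if r["status"] not in VALID_STATUSES:
            raise ValueError(f"unknown result status {r['status']!r} for {r['host']}")
    return results


def results_by_host(results):
    """'Results by Host' preset: alert count per host, most troublesome first
    (ties broken by host name so the output is stable)."""
    counts = Counter(r["host"] for r in results if r["status"] == "alert")
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def all_results(results, status="alert"):
    """'All Results' preset: a flat, ungrouped list, filtered to one status
    (alerts by default, matching the viewer's initial filter)."""
    return [r for r in results if r["status"] == status]


def current_errors(results):
    """Non-fatal errors that still appeared on each (host, check) pair's most
    recent result. An error that cleared on a later check is not reported,
    mirroring how Sandfly only re-reports an error if it recurs."""
    latest = {}
    for r in results:
        key = (r["host"], r["sandfly"])
        if key not in latest or r["time"] > latest[key]["time"]:
            latest[key] = r
    return sorted(key for key, r in latest.items() if r["status"] == "error")


def prune_expired(results, retention_days, now=NOW):
    """Drop results older than the retention window. Sandfly does this itself
    according to the Data Retention setting; for an external replication
    database this is the operator's job."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in results if r["time"] >= cutoff]


if __name__ == "__main__":
    data = validate(SAMPLE_RESULTS)
    print("By host (alerts):", results_by_host(data))
    print("Alerts:", len(all_results(data)))
    print("Current errors:", current_errors(data))
    kept = prune_expired(data, retention_days=30)
    print("After 30-day prune:", len(kept), "records;", results_by_host(kept))
```

For a real replication database the `prune_expired` step becomes a scheduled delete on the results table using the same cutoff, run at least as often as the retention period you want to enforce.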