Viewing Results

Sandfly constantly looks at your Linux hosts for signs of compromise or other suspicious activity. Anything it finds is reported as an alarm for you to view and take action. Sandfly also keeps track of every time it checks a host and found it passed the check. This works as an auditing platform to show you the last time a system was checked and found to be clean.

Viewing Alerts

Alerts are shown as a list of hosts affected with associated Mitre ATT&CK tags plus other supporting data. Each row is clickable to get to the alert details.

Hosts with Alerts

Hosts with Alerts

To view alerts, simply click on row. This will take you to a detailed forensic view.

Complete Forensic View

Complete Forensic View

Forensic Data Viewer

The forensic data view of an alert has details about the alert. These details will include the hostname, IP address, and platform information. Additionally, you will see an explanation in plain English about what was found.

Mitre ATT&CK Details

Along with the alert information you will have links to the Mitre ATT&CK tag(s) that the attack falls under. Clicking on a tag will take you to the Mitre ATT&CK page describing the tactic in more detail.

Mitre ATT&ACK Tags

Mitre ATT&CK Details

Mitre ATT&CK Details

Along with the high-level tactic type, Sandfly will provide a specific ATT&CK ID of the tactic if one is available in the Mitre database.

Result Host View

Next to the explanation data is a summary view of the host. Clicking the View Host button takes you directly to the host registration data so you can see more about the operating system and other details.

Host Summary

Host Summary

Detailed Host View

Detailed Host View

Sandfly Hunter

Below an alert is the Sandfly Hunter mode. This mode allows you to search across all hosts for particularly important forensic data in an alert. This forensic data will vary depending on the alert type seen, but includes names, paths, cryptographic hashes and other information that can help you quickly see what other hosts may have that relates to the alert.

For instance, clicking on a suspicious process will show you cryptographic hashes of that process. You can then click on the Sandfly Hunter hash search and Sandfly will show you all hosts running that same process whether or not it generated an alert. Below we have found a suspicious process on one host, but clicking on that hash shows that multiple hosts were seen running that same process without alerts. This kind of search can help identify spread of malicious binaries, users, SSH keys and other important threat hunting data.

Sandfly Hunter Mode

Sandfly Hunter Mode

The Sandfly Hunter is a powerful feature and is discussed in further detail in the Sandfly Hunter section.

Results Action Buttons

The top of each result details includes three buttons with common actions for a result. These actions are:

  • Whitelist the event.
  • Delete the event.
  • Recheck the event.

Whitelist Event

Clicking on the Whitelist Sandfly button will whitelist this sandfly so it does not run on this host again. This should be used carefully and only when you are certain it is a true false alarm. The section on Whitelisting explains this process further.

Delete Event

Clicking the Delete button will delete this event and take you back to the results screen.

Recheck Event

Sometimes you may want to quickly check if an event is still happening on a system. The Recheck button sends you to the manual scan screen so you can check the host again to see if the alert activates again. If it does, then this can confirm the alert is still an issue. If you are experiencing a transient alert that you think is a false alarm but not something to be whitelisted, you can use the recheck button to confirm.

NOTE: Suspicious Problems Do Not Just Fix Themselves

Computers are not spontaneous. If a problem is found by Sandfly and then just vanishes it could be a false alarm. But then again, it may not. Suspicious activity that fixes itself is in itself suspicious.

Sandfly and False Alarms

The sandflies that do the investigations are written carefully to not have false alarms. However, if this is your first time running Sandfly it is possible that something in your environment configuration could cause a false alarm.

We suggest you treat any threats detected as real unless you can verify 100% they are not a problem. If you sure it is a false alarm and it is activating constantly, please see the section on Whitelisting to disable the offending module on this host.

After you whitelist the sandfly, please contact us if you think it is a genuine false alarm. We can help diagnose if it is a legitimate false alarm, or just something with your particular environment that cannot be avoided. If we determine it is a problem with the sandfly we will create a fix and get it posted in the next update.

NOTE: If A Sandfly Is Causing False Alarms for No Reason

If you find a sandfly that is always causing a false alarm, please let us know. If the false alarm is unique to your environment, it may not be something we can help with. But if it is not unique to your environment, we want to know so we can fix it and make Sandfly as reliable as possible.

Previous Article:

Next Article: