Sandfly continuously examines your Linux hosts for signs of compromise or other suspicious activity. Anything it finds is reported as an alarm for you to review and act on. Sandfly also keeps a record of every time it checks a host and finds that the host passed the check. This serves as an audit trail showing the last time a system was checked and found to be clean.
Alerts are shown as a list of affected hosts with their associated Mitre ATT&CK tags and other supporting data. Each row is clickable to reach the alert details.
Hosts with Alerts
To view an alert, click on its row. This takes you to a detailed forensic view.
A list of sandfly alerts and alert counts
Forensic Data Viewer
The forensic data view of an alert gives its details, including the host name, IP address and platform information. You will also see a plain-English explanation of what was found.
Mitre ATT&CK Details
Along with the alert information you will have links to the Mitre ATT&CK tag the attack falls under. Clicking on these tags will take you to the Mitre ATT&CK page describing the tactic in more detail.
Mitre ATT&CK Details
Along with the high-level tactic type, Sandfly will provide a specific ATT&CK ID of the tactic if one is available in the Mitre database.
Result Host View
Next to the explanation data is a summary view of the host. Clicking the View Host button takes you directly to the host registration data so you can see more about the operating system and other details.
Result Summary Host View
Detailed Host View
Below an alert is the Sandfly Hunter mode. This mode lets you search across all hosts for particularly important forensic data from an alert. The data available varies with the alert type, but includes names, paths, cryptographic hashes and other information that helps you quickly see which other hosts have something related to the alert.
For instance, clicking on a suspicious process shows you the cryptographic hashes of that process. Clicking the Sandfly Hunter hash search then shows you every host running that same process, whether or not it generated an alert. In the example below, a suspicious process was found on one host, but clicking on its hash shows that multiple other hosts were seen running that same process without alerts. This kind of search helps identify the spread of malicious binaries, users, SSH keys and other important threat hunting data.
Sandfly Hunter mode
The Sandfly Hunter is a powerful feature and will be discussed in its own section.
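The following is an added illustration of the hash pivot described above; it is not Sandfly's own code or API. It assumes a constructed per-host inventory of running processes (name, path, SHA-256) and a constructed alert list, and shows why the search ignores alert status: the same binary turns up on hosts that never alerted, often under a different path, which is the spread you want to find.

```python
"""Pivot on a forensic indicator across a fleet inventory.

Constructed, stand-alone illustration (not Sandfly's own code or API):
given per-host process records and the alerts that fired, find every host
that carries the same indicator, whether or not it alerted.
"""
import hashlib
from typing import Dict, List, Tuple

def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string, reported as a hex digest."""
    return hashlib.sha256(data).hexdigest()

# Constructed placeholder binaries: the hash, not the path, identifies the file.
SUSPICIOUS_HASH = sha256_hex(b"constructed bytes standing in for a suspicious binary")
BENIGN_HASH = sha256_hex(b"constructed bytes standing in for a benign system binary")

# Constructed per-host forensic records: (process name, path, sha256).
HOST_PROCESSES: Dict[str, List[Tuple[str, str, str]]] = {
    "web-01": [("cron", "/usr/sbin/cron", BENIGN_HASH),
               ("svc-helper", "/tmp/.cache/svc-helper", SUSPICIOUS_HASH)],
    "web-02": [("cron", "/usr/sbin/cron", BENIGN_HASH),
               ("svc-helper", "/dev/shm/svc-helper", SUSPICIOUS_HASH)],
    "db-01": [("cron", "/usr/sbin/cron", BENIGN_HASH)],
    "build-01": [("svc-helper", "/opt/tools/svc-helper", SUSPICIOUS_HASH)],
}

# Constructed alerts: only web-01 tripped a detection for the suspicious process.
ALERTS = [{"host": "web-01", "process": "svc-helper", "sha256": SUSPICIOUS_HASH}]

# Which column of a process record each indicator type is matched against.
FIELD_INDEX = {"name": 0, "path": 1, "sha256": 2}

def hunt(indicator: str, value: str) -> List[Tuple[str, str, bool]]:
    """Return (host, path, alerted) for every process record matching the indicator.

    indicator is one of "name", "path" or "sha256". The search deliberately
    ignores whether the host raised an alert; that is what surfaces silent spread.
    """
    column = FIELD_INDEX[indicator]
    alerted = {(a["host"], a["sha256"]) for a in ALERTS}
    hits = []
    for host, records in HOST_PROCESSES.items():
        for record in records:
            if record[column] == value:
                hits.append((host, record[1], (host, record[2]) in alerted))
    return sorted(hits)

def silent_hosts(indicator: str, value: str) -> List[str]:
    """Hosts that carry the indicator but never produced an alert for it."""
    return [host for host, _path, alerted in hunt(indicator, value) if not alerted]

if __name__ == "__main__":
    for host, path, alerted in hunt("sha256", SUSPICIOUS_HASH):
        print(f"{host:10} {path:28} {'ALERT' if alerted else 'no alert'}")
    print("silent hosts:", silent_hosts("sha256", SUSPICIOUS_HASH))
```

Pivoting on the hash rather than the name or path is the point: web-02 and build-01 run the identical binary from different locations and would be missed by a path search, and a name search would also catch any unrelated process that happens to share the name.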
Results Action Buttons
The top of each result's details view includes three buttons with common actions for a result. These actions are:
- Whitelist the event.
- Recheck the event.
- Delete the event.
Clicking the whitelist button whitelists this sandfly so it does not run on this host again. Use this carefully and only when you are certain the alert is a genuine false alarm. The section on Whitelisting explains this process further.
Clicking Delete will delete this event and take you back to the results screen.
Sometimes you may want to quickly check whether an event is still happening on a system. The recheck button takes you to the manual scan screen so you can scan the host again and see whether the alert fires again. If it does, this confirms the alert is still an issue. If you see a transient alert that you think is a false alarm but not something to whitelist, use the recheck button to confirm.
NOTE: Suspicious Problems Do Not Just Fix Themselves
Computers are not spontaneous. If a problem is found by Sandfly and then just vanishes, it could be a false alarm. But then again, it may not. Suspicious activity that fixes itself is in itself suspicious. Please see the section on Interpreting Alarms for more information.
Sandfly and False Alarms
The sandflies that do the investigations are written carefully to avoid false alarms. However, if this is your first time running Sandfly, it is possible that something in your environment's configuration could cause a false alarm.
We suggest you treat any threats detected as real unless you can verify 100% that they are not a problem. If you are sure it is a false alarm and it is activating constantly, please see the section on Whitelisting to disable the offending module on this host.
After you whitelist the sandfly, please contact us if you think it is a genuine false alarm. We can help diagnose if it is a legitimate false alarm, or just something with your particular environment that cannot be avoided. If we determine it is a problem with the sandfly we will create a fix and get it posted in the next update.
NOTE: If A Sandfly Is Causing False Alarms for No Reason
If you find a sandfly that is always causing a false alarm, please let us know. If the false alarm is unique to your environment, it may not be something we can help with. But if it is not unique to your environment, we want to know so we can fix it and make Sandfly as reliable as possible.