You can view all the sandflies present in the system by clicking on the Sandflies menu option. This will give a listing of all available sandflies along with a short description about what they do.

Sandfly Threat Hunting Modules Listing

Sandfly Threat Hunting Modules Listing

The quantity of sandflies that are loaded into the system is shown in bottom right corner of the table. Use the table filters or column sorting to aid in locating desired sandflies. Clicking on an individual row will open a page with further details about the selected sandfly.

Details about each column:

  • Active - Shows the state of use. A disabled sandfly will not be run in any scans, whether it is manual or automated with the scheduler.  See the section on Activating and Deactivating Sandflies for more information.
  • Type - What category of sandfly it is (file, directory, etc.).
  • Name - Name of the sandfly.
  • Description - A short description of what the sandfly does.
  • Custom - Shows if it is a custom sandfly or not.
  • Tags - Sandfly type or Mitre ATT&CK tags to help categorize the threat type.
  • Response - The response action enabled, not enabled or not available for the sandfly.

NOTE: Sandfly Timeout Protection

Sandfly has an internal timeout mechanism that will safely stop a sandfly that is taking too long to run. If this happens you will see the error under Results > Errors as a timeout condition.

Many sandflies run in under a second, but some of the Incident Response sandflies can take longer to run and could be up to several minutes depending on what they are doing. Incident Response sandflies must be manually selected to run and are never run as part of an automated scan to prevent system impacts.

Previous Article:

Next Article: