Sandfly is written to have an extremely low chance of false alarms. However, in some environments you may have a configuration that can cause a sandfly to alert repeatedly when it should not.

In these cases you have two options when using Sandfly version 4.5.0 or older:

  1. Whitelist that sandfly for that particular host so that it never activates but is still active for all other systems.

  2. Disable the sandfly entirely so that it does not run against any of your hosts.

Beginning with Sandfly version 4.6.0, whitelisting provides far more flexibility. The expanded feature allows you to define whitelisting rules that apply to either all hosts or selected hosts and/or host tags and which either disables a sandfly from running or converts the alert into a pass result. The next two articles cover whitelisting from the UI in more detail.

Previous Article:

Next Article: