If a sandfly needs an exception because of something unique to your environment, or if it raises a false alarm, you can create a whitelist so that the sandfly either no longer runs against one or more hosts in future scans or no longer generates an alert.

Whitelists can be created at any time via the Add Whitelist button on the Whitelist Rules page. This advanced method uses Linux forensic attributes to let you build your own custom whitelists. Alternatively, whitelists can be created quickly from the data in an existing result. This simple method can be started in one of two ways from any Result Detail page.

Option 1 - Create Whitelist Tab

Use this option if you need flexibility: it lets you choose a Whitelist Mode, which offers several prepared rules built from the result data. To create a whitelist this way, click the Create Whitelist tab, select the desired Whitelist Mode, and then click the Next - Review Whitelist button.

Create Whitelist Tab in Result Detail

Option 2 - Sandfly Hunter

If you only want to whitelist a single data point for that specific host, find the desired entry in the Sandfly Hunter Data Points section and click its associated Whitelist button.

Whitelist via Sandfly Hunter

Either option takes you to the Add Whitelist page, pre-populated with data from the originating result. From here you can review the rule and, optionally, modify it further.

Add Whitelist - Scoped by Host and Mode of Disable

Once everything is ready, click the Save Whitelist button at the end of the form.

The new whitelist is applied to future scan results; existing results are not changed.

NOTE: Whitelists do not change existing results

Adding or modifying a whitelist applies only to future scan results; existing results are not affected. When the whitelist uses pass mode, a result that previously alerted will report as a "pass" on future scans.

Whitelist Tag

When a sandfly alert is affected by a whitelist, the result is marked with a Whitelist tag, as shown below.

Whitelisted Result

Clicking the Whitelist tag opens the Whitelist Rules table, which lists only the rules associated with that sandfly.