External Alerting

Sandfly allows you to easily send out any alerts to an email or syslog destination. Any new threat detected by Sandfly will be sent out immediately to these endpoints.

Sandfly can send alerts out for any new threat it detects to a log aggregation tool of your choice over syslog. These alerts will have the identical rich structured text you see in the Sandfly forensic viewer, but can be viewed in the monitoring UI of your choice.

Sandfly Only Sends Notifications Once

Sandfly sends a notification only for the initial occurrence of an alert seen on a host for the detected threat.

For instance, if Sandfly activates on a suspicious process running out of /tmp you will receive an alert the first time it shows up. This will be the only alert you receive until you clear that particular alarm on Sandfly. If the alert shows up many times, and has not been cleared from the Sandfly UI, you will not receive any more notifications until the original alert is cleared and the alert reoccurs.

At the same time, if a different Sandfly alert comes in on the same host, you will receive a notification for that new threat. But again, duplicates of the same alarm on the same host will not be sent until the original alarm has been cleared.

Sandfly Will Not Send Alerts From Manual Scans To Email

Sandfly will not send alerts from manually generated scans to email in order to prevent inbox flooding. However, manually generated scans will send alerts to syslog.