Sandfly Forensic Keyword List This section lists out the forensic data Sandfly can return as part of its results. In the UI you will see this data in th...

The data header is attached to all result sets. It contains data of the sandfly execution on the remote host. This will have information such as the UID the...

Data under the operating system keys is collected when you first add a host, or if a previously unseen host was discovered. Each time Sandfly logs into a ho...

This is a string field that has an explanation of what the alert is if provided by Sandfly or by the user if they wrote a custom Sandfly. { "e...

The file data contains all attributes about a file that was flagged by Sandfly Security or a user defined sandfly for whatever reason. All attributes will b...

Directory data is like file data in that it provides all attributes of a directory flagged by Sandfly Security of a user for whatever reason. The attributes...

Process data contains all attributes about a process that was flagged by Sandfly Security or the user for whatever reason. It will contain not only process ...

User data contains key elements of a user account on the remote host. This will include relevant details about their login name, GECOS fields, SSH keys, etc...

Lastlog data will contain an entry normally from /var/log/lastlog on the remote host for the user account flagged. Lastlog contains the last login time of t...

UTMP data will contain the data for currently logged in users reported typically under /var/run/utmp. The UTMP file will reveal logged in users and location...