Forensics Keyword List

This section covers forensics keyword information.

JSON Keywords for Linux Forensic Data
Sandfly Forensic Keyword List. This section lists out the forensic data Sandfly can return as part of its results. In the UI you will see this data in th...
Mon, 27 Dec, 2021 at 10:05 AM
Header Data
The data header is attached to all result sets. It contains data of the sandfly execution on the remote host. This will have information such as the UID the...
Mon, 27 Dec, 2021 at 10:15 AM
Operating System Data
Data under the operating system keys is collected when you first add a host, or if a previously unseen host was discovered. Each time Sandfly logs into a ho...
Mon, 27 Dec, 2021 at 10:18 AM
Explanation Data
This is a string field that has an explanation of what the alert is if provided by Sandfly or by the user if they wrote a custom Sandfly. { "expl...
Mon, 27 Dec, 2021 at 10:25 AM
File Data
The file data contains all attributes about a file that was flagged by Sandfly Security or a user defined sandfly for whatever reason. All attributes will b...
Mon, 27 Dec, 2021 at 10:26 AM
Directory Data
Directory data is like file data in that it provides all attributes of a directory flagged by Sandfly Security or a user for whatever reason. The attributes...
Mon, 27 Dec, 2021 at 10:29 AM
Process Data
Process data contains all attributes about a process that was flagged by Sandfly Security or the user for whatever reason. It will contain not only process ...
Mon, 27 Dec, 2021 at 10:32 AM
User Data
User data contains key elements of a user account on the remote host. This will include relevant details about their login name, GECOS fields, SSH keys, etc...
Mon, 27 Dec, 2021 at 10:34 AM
Lastlog Data
Lastlog data will contain an entry normally from /var/log/lastlog on the remote host for the user account flagged. Lastlog contains the last login time of t...
Mon, 27 Dec, 2021 at 10:36 AM
UTMP Log Data
UTMP data will contain the data for currently logged in users reported typically under /var/run/utmp. The UTMP file will reveal logged in users and location...
Mon, 27 Dec, 2021 at 10:41 AM