Forensics Keyword List
This section covers forensics keyword information.
Sandfly Forensic Keyword List
This section lists the forensic data Sandfly can return as part of its results. In the UI you will see this data in th...
Wed, 26 Jul, 2023 at 4:48 PM
The data header is attached to all result sets. It contains data of the sandfly execution on the remote host. This will have information such as the UID the...
Wed, 26 Jul, 2023 at 6:07 PM
Data under the operating system keys is collected when you first add a host, or if a previously unseen host was discovered. Each time Sandfly logs into a ho...
Wed, 26 Jul, 2023 at 6:05 PM
This is a string field that has an explanation of what the alert is if provided by Sandfly or by the user if they wrote a custom Sandfly. {
"expl...
Wed, 26 Jul, 2023 at 6:04 PM
The file data contains all attributes about a file that was flagged by Sandfly Security or a user defined sandfly for whatever reason. All attributes will b...
Wed, 26 Jul, 2023 at 6:03 PM
Directory data is like file data in that it provides all attributes of a directory flagged by Sandfly Security or a user for whatever reason. The attributes...
Wed, 26 Jul, 2023 at 6:02 PM
Process data contains all attributes about a process that was flagged by Sandfly Security or the user for whatever reason. It will contain not only process ...
Wed, 26 Jul, 2023 at 6:00 PM
User data contains key elements of a user account on the remote host. This will include relevant details about their login name, GECOS fields, SSH keys, etc...
Wed, 26 Jul, 2023 at 6:16 PM
Lastlog data will contain an entry normally from /var/log/lastlog on the remote host for the user account flagged. Lastlog contains the last login time of t...
Wed, 26 Jul, 2023 at 5:54 PM
UTMP data will contain the data for currently logged in users reported typically under /var/run/utmp. The UTMP file will reveal logged in users and location...
Wed, 26 Jul, 2023 at 5:42 PM