The dashboard of Sandfly is simple. Green all is well. Red there is a problem. Sandflies are written to not bother you with false alarms. If there’s an alert, then it’s important.
Adding hosts to Sandfly is simple and fast. You can add an IP list or put in a net block and Sandfly will scan it and add hosts where it was able to login automatically. You don’t need to do anything on the hosts you want monitored other than have valid SSH credentials. SSH credentials are stored securely with public key encryption and cannot be recovered from the database once added.
After hosts are added, you can view operating system details about each one. This is useful for inventory and baseline purposes during an investigation.
You can now perform an initial manual scan to make sure everything looks fine on your systems. Sandfly will run the selected sandflies across the hosts and report back findings. No news is good news.
You can run scans manually whenever you feel like it. However, the real power of Sandfly comes from the next step where we schedule an automated presence of sandflies to be used across all your hosts.
Sandfly was designed from the ground up to search for attackers. We employ tactics to be fully automated and random to make evasion more difficult.
Because of the above, the scheduling system in Sandfly works differently than what you may be used to. Instead of scheduling big monolithic scans at 3AM each morning for instance, you instead tell Sandfly to schedule small, fast, and random investigations to happen all day long.
Dividing compromise detection into small random tasks is the best way to provide security coverage that won’t impact your remote systems like monster monolithic scanners can do. In fact, Sandfly’s impact on hosts is so low you can have frequent scans throughout the day and never know they are happening.
Once you setup a random schedule, you can put in email alerts or output to your favorite log monitor. Sandfly contains rich structured data of the results that is identical to what you see in the Sandfly UI. This means what you see in our UI will be the same as you see in Kibana, Splunk, Graylog, etc.
For example, Sandfly data can be viewed easily in Kibana with our native Elasticsearch output. We also support Splunk with our free Splunk App. Alarms exported from Sandfly contain all the data you need to make informed decisions about your Linux fleet.
Sandfly has an easy to use forensic viewer if alerts are detected. Sandfly always provides a plain English description of the issue with supporting details to put you onto intruders quickly.
Malware Analysis And Assistance
Once the presence of malware is detected, hunters and investigators can drill down to see other related data detected by other sandflies for a picture of the entire exploit and impact.
Custom Sandfly Modules for Incident Response
Sandfly allows custom modules so security teams can create their own threat hunting methods. Or, users can clone any of over 1,000 built-in modules using Sandfly’s extensive Linux forensics and investigation library.