Sandfly Blog
Sandfly 5.3.0 features a major UI overhaul with our new Linux host forensics and data views. We’ve not only brought critical host data front and center for rapid incident investigation, but also expanded threat coverage, added Microsoft Sentinel support, and increased performance across the board.
A powerful feature of Sandfly is our ability to agentlessly collect a vast amount of Linux forensics and telemetry data on any system we monitor. Whether the system is a decade old, modern cloud, on-prem, or embedded, chances are very high that Sandfly can monitor it. With Sandfly 5.3 we are making this quality information visible with a new intuitive and fast host-centric view.
With host-centric views, users can not only see alerts quickly but also have instant access to other host details such as running processes, users present, scheduled tasks, SSH keys, and more. Security teams investigating an incident now have critical host details at their fingertips to make faster decisions about threats.
The new host view gives users a unified dashboard as seen below.
Here are some examples of the data available to users under the unified host view.
We have improved alert views by optimizing screen real estate and access to alert forensics.
Teams can immediately see every process running on a system, who owns it, and related details.
All listening network services are shown separately from the general process list to quickly spot potential threats running on a host.
All users, their login shells, password status, and more are instantly visible.
Active and inactive kernel modules can be reviewed instantly.
SSH keys, users with keys, and SSH Security Zone status are immediately visible. Views into key access allow fast and easy identification of who is accessing a host.
Identify persistence risks in crontab and systemd by scrolling through what they are running.
See CPU and drive status of all systems, even those without traditional system performance monitoring solutions.
We now scan users authenticating to Linux systems using LDAP, Active Directory, and similar services. Users who log in without an entry in the traditional /etc/passwd file will have their directories and data scanned as if they were local users. This means that threats present in remotely mounted home directories will be found, and SSH key data used to track access to systems will also be indexed.
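As an added illustration of the point above (example code, not Sandfly's own), the script below shows why a scanner cannot rely on /etc/passwd alone: it enumerates users as NSS would report them (the equivalent of `getent passwd`), isolates those that exist only in a directory service, and flags which of their home directories sit on a network mount. All inputs are constructed samples so it runs offline; the filesystem-type list and file layout are assumptions.

```python
"""Added example: find directory-service-only users and remote home directories.
Inputs are constructed samples standing in for /etc/passwd, `getent passwd`
and /proc/mounts; they are not real host data."""
import os

# Constructed sample: the local /etc/passwd file
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
"""
# Constructed sample: `getent passwd` output (NSS merges local files and LDAP/AD)
NSS_PASSWD = LOCAL_PASSWD + """bob:*:20001:20001:Bob (LDAP):/home/bob:/bin/bash
svc-backup:*:20002:20002::/nfs/home/svc-backup:/bin/sh
"""
# Constructed sample: /proc/mounts with one NFS-backed home tree
PROC_MOUNTS = """/dev/sda1 / ext4 rw,relatime 0 0
fileserver:/export/home /nfs/home nfs4 rw,relatime 0 0
"""
# Assumed set of network filesystem types worth treating as "remote"
REMOTE_FS = {"nfs", "nfs4", "cifs", "smb3", "fuse.sshfs"}

def parse_passwd(text):
    """Map username -> (uid, home) from passwd-format lines; skips malformed lines."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == 7:
            users[parts[0]] = (int(parts[2]), parts[5])
    return users

def directory_only_users(local_text, nss_text):
    """Users visible through NSS but absent from /etc/passwd (LDAP, AD, etc.)."""
    local = parse_passwd(local_text)
    return {u: v for u, v in parse_passwd(nss_text).items() if u not in local}

def mount_table(mounts_text):
    """Map mount point -> filesystem type from /proc/mounts lines."""
    return {f[1]: f[2] for f in (l.split() for l in mounts_text.splitlines()) if len(f) >= 3}

def home_is_remote(home, table):
    """True if the longest mount-point prefix of `home` is a network filesystem."""
    hits = [m for m in table if home == m or home.startswith(m.rstrip("/") + "/")]
    return bool(hits) and table[max(hits, key=len)] in REMOTE_FS

def scan_targets(local_text, nss_text, mounts_text):
    """Per directory-only user: uid, home, authorized_keys path, and remote-home flag."""
    table = mount_table(mounts_text)
    return {user: {"uid": uid, "home": home,
                   "authorized_keys": os.path.join(home, ".ssh", "authorized_keys"),
                   "remote_home": home_is_remote(home, table)}
            for user, (uid, home) in directory_only_users(local_text, nss_text).items()}
```

On a live host the same functions can be fed the real files and the output of `getent passwd`; the remote-home flag is the list of directories a purely local scan would never inspect.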
Many speed increases have been made to our forensic engines and result ingestion pipelines. Speed increases of several hundred percent were achieved, making result processing faster and reducing on-host performance impact even further.
We have added many detections to cover more Linux backdoors, rootkits, and suspicious process activity:
We have added Microsoft Sentinel integration so Sandfly alerts can be directly sent to the Sentinel platform. This capability goes alongside our existing support for Splunk, Elastic, and syslog for result replication in addition to our existing REST API methods.
Sandfly is able to access many more systems than traditional agents. The data we collect and export is extremely valuable and augments networks running agent-based solutions that often have large visibility gaps on Linux.
If you have not tried Sandfly, get your free license below:
All customers are encouraged to upgrade to see our expanded host view and get a better handle on what their systems are running.
We are here to help with any questions. Please see our documentation on the new features and capabilities:
Customers wishing to upgrade can follow the instructions here:
If you have any questions, please reach out to us.
Thank you for using Sandfly.