Adding a Schedule

Adding a schedule is simple.

Adding a Sandfly scan schedule.

Click on the Add button and fill in the following fields:

Name - Name of this schedule to help you know what it is.
Priority - What priority level to run the scan on the remote hosts.
Scan All - Scan all hosts registered.
Scan Hosts By Tag - Scan only hosts with the specified tags.
Sandfly Types - The sandfly types you want run on this schedule.
Timer Lower Limit - The minimum time to wait between running this schedule in minutes.
Timer Upper Limit - The maximum time to wait between running this schedule in minutes.
Selection Percentage - The random percentage of sandflies you want run each time.

Name

The name is simply something for you to know what the schedule is. You can call it for instance "process_check" if you are only looking for process attacks. Or you can call it "60-90" for a check that happens every 60-90 minutes.

Priority

The priority field controls how many resources the scan uses on the remote systems during a check. Internally it maps to the Linux nice value of the scanning process.

For Sandfly, the default is a Linux medium-low priority of nice 10. This is sufficient to ensure Sandfly runs while systems under heavy load are not strained by security sweeps competing with their primary tasks.

You can run at Low Priority, which is nice level 20 on Linux, but this is seldom required. High Priority runs at the normal system priority of 0 on the remote systems; Sandfly goes no higher than this so it never interferes with system operations by prioritizing itself over other tasks.

We recommend keeping the default unless you are getting timeout errors, which should only happen on very overloaded systems. In that case you may want to set the priority to High Priority to see if it fixes the issue. However, it may simply be that the remote system is being worked too hard regardless of whether Sandfly is running, and should be upgraded.

Scan All or Scan Hosts by Tag Name

Selecting Scan All tells Sandfly to run the scheduled scans against all registered hosts. This is a good setting for smaller deployments.

Scanning hosts by tag name.

Optionally you can set up a scan by host tag. For instance, if you have a group of hosts tagged "www" for your web servers, you can set up a schedule just for them, and another for hosts tagged "development", etc. Any host with the selected tag is included in the scan group when it executes.

Sandfly Types

Sandfly types are the kinds of sandflies you want to run. You can, for instance, have a schedule just for file checks, one for process checks, and one for the rest. These schedules can run at different times, or you can run them all at once as the example above shows.

As will be discussed under Custom Sandflies, your custom sandflies will also run from the schedule, depending on what type you have given them (file, process, directory, user, or log).

It is not possible to run Incident Response sandflies as part of a schedule.

The incident type is a special sandfly designed for deeper inspection, such as during incident response. Incident sandflies can cause CPU and disk activity spikes on the remote hosts that could be noticed. Sometimes you may also get a false positive because of how these sandflies work (they bias towards reporting the slightest thing wrong rather than being more discriminating).

Sandfly Schedules For Different Sandfly Types

You can have multiple schedules for different sandfly types. For instance, the process check sandflies are generally very fast and low impact, so you could set them up to run frequently. The disk check sandflies are still fairly fast, but slower than process checks, so you can have them run less frequently. Play around with the scheduling and you'll soon figure out what kind of impact it has and what works for your network.

Lower Time Delay

The lower time delay is the absolute minimum time to wait between runs. For instance, a value of 30 tells Sandfly never to run this schedule sooner than 30 minutes after the last time it ran.

Upper Time Delay

The upper time delay is the maximum time to wait before running this schedule again. For instance, a value of 60 tells Sandfly never to wait more than 60 minutes to run this scheduled check.

Sandfly Selection Percentage

The sandfly selection percentage tells Sandfly to randomly select that percentage of sandflies from the selected sandfly type pools.

For instance, if you activate all sandfly types and choose 25%, Sandfly randomly selects 25% of the sandflies in the user, directory, file, log, and process types and runs those when the schedule fires.

You can choose a lower figure, such as 10%, for even lower impact on your remote hosts, and combine it with a shorter time window for more frequent but smaller checks throughout the day.

Likewise, you can set it to 100% to force Sandfly to run every sandfly on the schedule. This is not what we recommend, but it can be done if you want a really intense scan at longer intervals.
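To make the interaction of these fields concrete, the following model is added here as a worked example; it is not Sandfly's code and does not reflect its internals. It takes the nice values (Default 10, Low 20, High 0), the schedulable types, and the field semantics from the sections above. The host names, tags, sandfly names, the rounding rule for the selection percentage (rounded to the nearest whole sandfly per type pool) and the uniform random choice of the delay are assumptions made for the illustration.

```python
"""Model of a scan schedule as described on this page.

Constructed illustration, not Sandfly's implementation. Nice values and field
meanings come from the page; the per-pool rounding and uniform delay are
assumptions of this model.
"""
import random
from dataclasses import dataclass

# Priority names -> Linux nice values, as stated on the page.
PRIORITY_NICE = {"high": 0, "default": 10, "low": 20}

# Types a schedule may include; incident sandflies are not schedulable.
SCHEDULABLE_TYPES = ("file", "process", "directory", "user", "log")


@dataclass
class Schedule:
    name: str
    priority: str = "default"
    scan_all: bool = True
    tags: tuple = ()                        # used only when scan_all is False
    sandfly_types: tuple = SCHEDULABLE_TYPES
    lower_minutes: int = 30                 # Timer Lower Limit
    upper_minutes: int = 60                 # Timer Upper Limit
    selection_percent: int = 25             # Selection Percentage

    def __post_init__(self):
        # Reject settings the page describes as invalid or impossible.
        if self.priority not in PRIORITY_NICE:
            raise ValueError(f"unknown priority {self.priority!r}")
        if not 0 < self.lower_minutes <= self.upper_minutes:
            raise ValueError("need 0 < lower limit <= upper limit")
        if not 0 < self.selection_percent <= 100:
            raise ValueError("selection percentage must be 1..100")
        bad = set(self.sandfly_types) - set(SCHEDULABLE_TYPES)
        if bad:
            raise ValueError(f"types not schedulable: {sorted(bad)}")
        if not self.scan_all and not self.tags:
            raise ValueError("a tag-based scan needs at least one tag")

    def nice_value(self) -> int:
        """Nice level the scan would run at on the remote host."""
        return PRIORITY_NICE[self.priority]

    def next_delay_minutes(self, rng: random.Random) -> int:
        """Wait time before the next run: never below the lower limit,
        never above the upper limit (assumption: uniform in between)."""
        return rng.randint(self.lower_minutes, self.upper_minutes)

    def select_hosts(self, hosts: dict) -> list:
        """hosts maps hostname -> set of tags. Scan All takes every host;
        otherwise any host carrying one of the schedule's tags is included."""
        if self.scan_all:
            return sorted(hosts)
        wanted = set(self.tags)
        return sorted(h for h, tags in hosts.items() if wanted & set(tags))

    def select_sandflies(self, pools: dict, rng: random.Random) -> dict:
        """pools maps type -> list of sandfly names. Pick the configured
        percentage from each selected type pool (assumption: per-pool,
        rounded to the nearest whole sandfly)."""
        chosen = {}
        for stype in self.sandfly_types:
            pool = pools.get(stype, [])
            k = round(len(pool) * self.selection_percent / 100)
            chosen[stype] = sorted(rng.sample(pool, k))
        return chosen


if __name__ == "__main__":
    # Constructed sample inventory: hostnames, tags and sandfly names are made up.
    hosts = {"web1": {"www"}, "web2": {"www", "prod"}, "dev1": {"development"}}
    pools = {"process": [f"proc_{i}" for i in range(8)],
             "file": [f"file_{i}" for i in range(4)]}
    www = Schedule(name="www-60-90", scan_all=False, tags=("www",),
                   sandfly_types=("process", "file"),
                   lower_minutes=60, upper_minutes=90, selection_percent=25)
    rng = random.Random()
    print("nice", www.nice_value(), "hosts", www.select_hosts(hosts))
    print("next run in", www.next_delay_minutes(rng), "minutes")
    print("sandflies", www.select_sandflies(pools, rng))
```

Running the module prints a plan for the constructed "www" schedule: nice 10, the two "www" hosts, a delay between 60 and 90 minutes, and two of the eight process sandflies plus one of the four file sandflies, matching the 25% worked example above.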
