Sandfly allows you to easily send out any alerts to an email or syslog destination. Any new threat detected by Sandfly will be sent out immediately to these endpoints.
Sandfly can send alerts out for any new threat it detects to a log aggregation tool of your choice over syslog. These alerts will have the identical rich structured text you see in the Sandfly forensic viewer, but can be viewed in the monitoring UI of your choice.
In order to prevent flooding your email inbox with duplicate alarms, Sandfly only sends the first alarm seen on a host for the detected threat.
For instance, if Sandfly activates on a suspicious process running out of /tmp you will receive an alert the first time it shows up. This will be the only alert you receive until you clear that particular alarm on Sandfly. If the alert shows up many times, and has not been cleared from the Sandfly UI, you will not receive any more alarms until the original alert is cleared and it activates again.
At the same time if a different Sandfly alert comes in on the same host, you will receive new alerts for that new threat. But again, duplicates of the same alarm on the same host will not be sent until the original alarm has been cleared.
The above only applies to email alerts. For syslog, all alerts are always sent whether they are duplicates of older alarms or not.
Sandfly won't send manually generated scan alerts to email to again prevent flooding in boxes. However, manually generated scans will send alerts to syslog.
Updated 2 months ago