Custom Sandfly Operation

Custom sandflies can be cloned to enhance the system sandflies or create entirely new methods of security analysis that may be unique to your operational environment or use cases. Either way, they leverage the file, directory, log, process, user or other incident response analysis methods that the Sandfly system has to offer.

In general, "sandflies" are small JSON modules that are passed to the Sandfly agentless forensic engines to investigate remote systems. They also use regular expression (aka regex) in the options section of the JSON. Thus regex knowledge is valuable, especially for creating or modifying complex rules.

Sandflies Section in the Sidebar

Sandflies Section in the Sidebar


To see an unfiltered list of every sandfly that is available on the server, simply click on Sandflies option in the sidebar. Use the Presets button in the table's toolbar to quickly filter on commonly used views, including "Custom Only". The table's toolbar also provides buttons to Scan, Activate, Deactivate, or Delete selected sandflies en masse.


Depending on whether an existing sandfly or template is being reused or an entirely new one is being created from scratch, the web interface provides two ways to individually add a custom sandfly.

  1. Use the Clone button in the Actions column of the Sandflies table view or on any Sandfly details page.
    1. This method copies the corresponding JSON and adds it into the Add Custom Sandfly form.
    2. In order to save it, at minimum the value for "name" must be changed to something unique.
  2. Use the Add button on the Manage Sandflies action bar.
    1. This method comes populated with example JSON which can be extended or replaced entirely.

Please refer to the Custom Sandfly Creation documentation for further details for defining custom Sandflies.

Bulk Administration


Custom sandflies can be downloaded all at once via the web interface from the Download Custom Sandflies option found in the overflow menu of the Manage Sandflies action bar. Using that button will create a single, bulk-formatted JSON file which contains every custom sandfly that is on your server.


Custom sandflies can also be uploaded in bulk via a web browser from the Upload Custom Sandflies option found in the overflow menu of the Manage Sandflies action bar. The form requires a single, bulk-formatted JSON file, regardless if it contains one or multiple custom sandflies.

A bulk-formatted file contains each Sandfly individually encapsulated by an outer JSON bulk structure. An intact file can only be used for the bulk upload / download operations and not as an individual Sandfly JSON structure that is used by the "Add Custom Sandfly" feature. However, individual Sandfly JSON can be extracted from that file.


CAUTION: Bulk JSON files are structured differently than custom sandfly JSON

Custom Sandfly JSON contains an outer wrapper for the JSON file that is used for the up/downloading of the bulk operation, even for a single custom sandfly.

Malformed JSON and custom sandflies with a name of an existing system sandfly will be rejected. Uploading files that contain custom sandfly names that already exist will completely overwrite those sandflies. Names that do not exist at the time of the upload will create new custom sandflies.


IMPORTANT: Custom Sandflies With The Same Name Will Be Overwritten!

Ensure that custom sandfly names are unique. If a new or uploaded custom sandfly has the name of an existing custom sandfly, when saved it will completely overwrite the existing sandfly regardless of its content.