
Drift Detection

Introduction

Drift profiles allow you to use the results of a scan from one or more hosts for automatic drift detection or whitelisting. The profile may be applied against the host or hosts that it was created from, or against other hosts. This allows you to have a "model host" that is used as a template for drift detection or whitelists against all similar hosts in your network.

What is drift detection?

Drift detection is a powerful feature of Sandfly that generates alerts if new recon results -- such as processes, users, kernel modules, SSH keys, systemd units, etc. -- appear on hosts relative to the expected results stored in the profile. For example, if you have a standard image for web servers that run a consistent set of processes and have a consistent set of users defined, drift detection can alert you if there is a new, unexpected program running or if a new user is added to the system that is not in the profile. Any recon sandflies can form the basis for drift detection, and you can choose the specific types of recon that are expected to stay the same on your hosts (for example, you could create a drift profile from the results of the user and kernel module recon sandflies, but not the process list recon sandfly if you don't expect the list of running executables to be stable and predictable).

What is automatic whitelisting?

Automatic whitelisting allows you to scan one or more hosts, create a drift profile, and then suppress any alerts on the same or other hosts that match alerts already recorded in the profile. If you have a model or representative host that you know is not compromised, but that still alerts on some sandflies, creating a drift profile from it and using that profile to whitelist all similar hosts is a fast way to prevent false positives and alert only on results that were not seen on the model host.
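The two behaviours described above (drift alerts on recon results for the selected recon types, and suppression of alerts already seen on the model host) as an added illustration; this is not Sandfly's own code or API, the data shapes (recon type to set of result identifiers, alerts as tuples) are assumptions made for the example, and all host data is constructed.

```python
# Constructed scan of a known-good "model host": its recon results and the
# alerts it produced. Shapes are assumptions for this example, not Sandfly's API.
MODEL_HOST_SCAN = {
    "recon": {
        "users":          {"root", "www-data", "deploy"},
        "kernel_modules": {"ext4", "xfs", "nf_conntrack"},
        "processes":      {"/usr/sbin/nginx", "/usr/sbin/sshd"},
    },
    "alerts": [("process_running_from_tmp", "/tmp/build-agent")],
}

# Constructed scan of a similar host that has drifted from the model host.
OTHER_HOST_SCAN = {
    "recon": {
        "users":          {"root", "www-data", "deploy", "backup2"},
        "kernel_modules": {"ext4", "xfs", "nf_conntrack", "example_mod"},
        "processes":      {"/usr/sbin/nginx", "/usr/sbin/sshd", "/usr/bin/top"},
    },
    "alerts": [("process_running_from_tmp", "/tmp/build-agent"),
               ("unexpected_user_shell", "backup2")],
}

def build_profile(scan, recon_types, whitelist=True):
    """Create a drift profile from a scan, keeping only the recon types the
    operator expects to stay stable (e.g. users and kernel modules, but not
    the process list). Alerts seen on the model host become the whitelist."""
    profile = {"recon": {t: set(scan["recon"][t]) for t in recon_types}}
    profile["whitelist"] = set(scan["alerts"]) if whitelist else set()
    return profile

def check_drift(profile, scan):
    """Return recon items present on the scanned host but absent from the
    profile, per recon type. Types not in the profile are ignored."""
    drift = {}
    for recon_type, baseline in profile["recon"].items():
        new_items = scan["recon"].get(recon_type, set()) - baseline
        if new_items:
            drift[recon_type] = sorted(new_items)
    return drift

def filter_alerts(profile, scan):
    """Drop alerts already seen on the model host (automatic whitelisting),
    so only results that were not seen on the model host are raised."""
    return [a for a in scan["alerts"] if a not in profile["whitelist"]]

if __name__ == "__main__":
    profile = build_profile(MODEL_HOST_SCAN, ["users", "kernel_modules"])
    print("drift:", check_drift(profile, OTHER_HOST_SCAN))
    print("alerts:", filter_alerts(profile, OTHER_HOST_SCAN))
```

The new process `/usr/bin/top` is not reported because the process list recon was deliberately left out of the profile, while the new user and kernel module are.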