
Drift Detection Wizard

Why Drift Detection?

Drift detection monitors your systems for changes that indicate unauthorized activity or potential compromise. Sandfly can monitor any host for drift, from legacy servers and embedded devices to cloud-based systems.

Key Benefits:

  • Find Unauthorized Changes: Identify modifications that deviate from a known-good "golden image" or baseline.
  • Detect Compromise: Spot indicators of malware or threat actors, such as new processes, users, SSH keys, files, or scheduled tasks.
  • Accelerate Incident Response: Use a baseline profile to quickly scan similar systems at scale and pinpoint deviations.

How it Works

The setup wizard guides you through creating a drift profile:

  1. Select Model Hosts: Choose known-good systems (e.g., "golden images") to serve as the baseline.
  2. Choose Use Case: Apply a template for your environment (e.g., server, embedded device).
  3. Customize Checks: Refine the specific areas you want to monitor for drift, such as new processes starting, new users being added, binary changes, etc.
  4. Build Profile: Schedule Sandfly to automatically learn the baseline from your model hosts over time.
  5. Assign Protected Hosts: Apply the new profile to the systems you want to monitor after the drift profile is built.

After setup, the profile enters a "gather" state to learn the baseline. Once complete, it moves to "enforce" mode, automatically alerting on any new deviations detected during scheduled or manual scans.
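To make the gather and enforce cycle concrete, the following Python model is an added illustration of how a baseline-then-drift profile behaves: learning scans from model hosts are unioned into a baseline, the profile flips to enforce mode once enough scans have been seen, and every item a protected host shows that is absent from the baseline becomes an alert. It is not Sandfly's code and does not use its API; the check categories, the two-scan gather threshold, the hostnames and the host inventories are all constructed assumptions for the example.

```python
"""Toy model of a drift profile: gather a baseline, then enforce it.

Illustration only (not Sandfly code). Inventories below are constructed sample data.
"""
from dataclasses import dataclass, field

# Check areas a drift profile can monitor (assumed subset of what the wizard offers).
CATEGORIES = ("users", "ssh_keys", "processes", "cron", "binaries")


@dataclass
class DriftProfile:
    """Built from model-host scans, then enforced against protected hosts."""
    gather_scans_required: int = 2  # assumption: learning scans needed before enforcing
    state: str = "gather"
    gather_scans_seen: int = 0
    baseline: dict = field(default_factory=lambda: {c: set() for c in CATEGORIES})

    def gather(self, inventory):
        """Learn one model-host scan; switch to 'enforce' once enough scans are seen."""
        if self.state != "gather":
            raise RuntimeError("profile is already enforcing; rebuild it to learn again")
        for cat in CATEGORIES:
            # Union over scans: anything seen on a golden host is treated as known-good.
            self.baseline[cat] |= set(inventory.get(cat, ()))
        self.gather_scans_seen += 1
        if self.gather_scans_seen >= self.gather_scans_required:
            self.state = "enforce"
        return self.state

    def enforce(self, hostname, inventory):
        """Return (host, category, item) for every item not present in the baseline."""
        if self.state != "enforce":
            raise RuntimeError("baseline is still being gathered")
        alerts = []
        for cat in CATEGORIES:
            for item in sorted(set(inventory.get(cat, ())) - self.baseline[cat]):
                alerts.append((hostname, cat, item))
        return alerts


# Constructed sample data: two scans of one golden host taken at different times.
MODEL_HOST_SCANS = [
    {
        "users": {"root", "deploy"},
        "ssh_keys": {"deploy:ssh-ed25519 AAAAC3example-golden"},
        "processes": {"sshd", "nginx"},
        "cron": {"root:0 3 * * * /usr/local/bin/backup.sh"},
        "binaries": {("/usr/sbin/sshd", "sha256:golden-sshd")},
    },
    {   # later scan of the same host; logrotate happened to be running
        "users": {"root", "deploy"},
        "ssh_keys": {"deploy:ssh-ed25519 AAAAC3example-golden"},
        "processes": {"sshd", "nginx", "logrotate"},
        "cron": {"root:0 3 * * * /usr/local/bin/backup.sh"},
        "binaries": {("/usr/sbin/sshd", "sha256:golden-sshd")},
    },
]

# Constructed protected-host scan with four deviations from the baseline.
PROTECTED_HOST = {
    "users": {"root", "deploy", "svc-backup"},                       # new account
    "ssh_keys": {"deploy:ssh-ed25519 AAAAC3example-golden",
                 "root:ssh-rsa AAAAB3example-unknown"},               # new key for root
    "processes": {"sshd", "nginx", "logrotate"},                      # matches baseline
    "cron": {"root:0 3 * * * /usr/local/bin/backup.sh",
             "root:*/5 * * * * /tmp/update.sh"},                      # new scheduled task
    "binaries": {("/usr/sbin/sshd", "sha256:changed")},               # same path, new hash
}


def run_demo():
    """Build the profile from the model-host scans, then enforce it on one host."""
    profile = DriftProfile()
    for scan in MODEL_HOST_SCANS:
        profile.gather(scan)  # state becomes "enforce" after the second scan
    return profile.enforce("web-prod-01", PROTECTED_HOST)


if __name__ == "__main__":
    for host, category, item in run_demo():
        print(f"DRIFT {host} [{category}] {item}")
```

Because the baseline is a union over every gather scan, a process that only appears intermittently on the golden host (like logrotate above) is still learned as known-good, which is why the gather phase runs over time rather than from a single snapshot; conversely, a binary whose hash changes shows up as a new (path, hash) item even though the path itself is unchanged.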

Schedule Licensing

For licensing purposes, "System" schedules (Gather or Drift) created by this wizard, or later by editing these profiles, do not count toward the Schedules usage count.