Hash Match Fields
The fields below are the ones included in the match hash value computed for each result produced by a given Sandfly engine. The moderate match hash always includes all of the permissive match hash fields, so the fields listed under Moderate are in addition to those listed under Permissive.
sandfly_agent
- Permissive:
- none
- Moderate:
- none
sandfly_engine_at_jobs
- Permissive:
- atjob.command
- Moderate:
- atjob.username
sandfly_engine_btmp
- Permissive:
- log.btmp.username
- Moderate:
- log.btmp.hostname
- log.btmp.ip_address
sandfly_engine_cloaked_direntry
- Permissive:
- file.name
- file.path
- file.magic_num.class
- Moderate:
- file.uid
- file.gid
- file.mode
- file.size
- file.size_byte_count
- file.hash.sha512
- file.flags.containerized
sandfly_engine_cron
- Permissive:
- cron.command
- Moderate:
- cron.path
- cron.username
sandfly_engine_dir
- Permissive:
- directory.name
- directory.path
- Moderate:
- directory.uid
- directory.gid
- directory.mode
- directory.date.created
- directory.date.modified
- directory.flags.containerized
sandfly_engine_error
- Permissive:
- none
- Moderate:
- none
sandfly_engine_file
- Permissive:
- file.name
- file.path
- file.magic_num.class
- Moderate:
- file.uid
- file.gid
- file.mode
- file.size
- file.size_byte_count
- file.hash.sha512
- file.flags.containerized
sandfly_engine_kmodules
- Permissive:
- kernel_module.name
- kernel_module.hidden
- kernel_module.missing_file
- kernel_modules.taints
- Moderate:
- kernel_module.module_file_path
- kernel_module.file.uid
- kernel_module.file.mode
- kernel_module.file.hash.sha512
sandfly_engine_lastlog
- Permissive:
- log.lastlog.username
- Moderate:
- log.lastlog.uid
- log.lastlog.hostname
sandfly_engine_log_tampering_lastlog_history_missing_record
- Permissive:
- user.username
- Moderate:
- user.groupname
- user.uid
- user.gid
- user.home_dir
- user.gecos
- user.group_membership
sandfly_engine_log_tampering_lastlog_wtmp_missing_record
- Permissive:
- log.lastlog.username
- Moderate:
- log.lastlog.uid
- log.lastlog.hostname
sandfly_engine_os_identify
- Permissive:
- none
- Moderate:
- none
sandfly_engine_process
- Permissive:
- process.name
- process.path
- Moderate:
- process.hash.sha512
- process.uid
- process.gid
sandfly_engine_process_masquerade_binary_mismatched
- Permissive:
- process.name
- process.path
- Moderate:
- process.hash.sha512
sandfly_engine_process_masquerade_binary_renamed
- Permissive:
- process.name
- process.path
- Moderate:
- process.hash.sha512
sandfly_engine_process_masquerade_mixed_case
- Permissive:
- process.name
- process.path
- Moderate:
- process.hash.sha512
sandfly_engine_systemd
- Permissive:
- systemd.context.scope
- systemd.context.uid
- systemd.type
- systemd.load_state
- systemd.active_state
- systemd.service_info.exec_summary
- systemd.socket_info.unit
- Moderate:
- systemd.service_info.exec_start.file.uid
- systemd.service_info.exec_start.file.mode
- systemd.service_info.exec_start.file.hash.sha512
- systemd.service_info.exec_start_pre.file.uid
- systemd.service_info.exec_start_pre.file.mode
- systemd.service_info.exec_start_pre.file.hash.sha512
- systemd.service_info.exec_start_post.file.uid
- systemd.service_info.exec_start_post.file.mode
- systemd.service_info.exec_start_post.file.hash.sha512
- systemd.service_info.exec_reload.file.uid
- systemd.service_info.exec_reload.file.mode
- systemd.service_info.exec_reload.file.hash.sha512
- systemd.service_info.exec_stop.file.uid
- systemd.service_info.exec_stop.file.mode
- systemd.service_info.exec_stop.file.hash.sha512
- systemd.service_info.exec_stop_post.file.uid
- systemd.service_info.exec_stop_post.file.mode
- systemd.service_info.exec_stop_post.file.hash.sha512
sandfly_engine_systemd_session
- Permissive:
- systemd_user.username
- systemd_user.linger
- Moderate:
- systemd_user.uid
- systemd_user.gid
- systemd_user.runtime_path
sandfly_engine_user
- Permissive:
- user.username
- Moderate:
- user.groupname
- user.uid
- user.gid
- user.home_dir
- user.gecos
- user.group_membership
sandfly_engine_user_password_auditor
- Permissive:
- user.username
- Moderate:
- user.groupname
- user.uid
- user.gid
- user.home_dir
- user.gecos
- user.group_membership
sandfly_engine_user_password_hash_duplicates
- Permissive:
- user.username
- Moderate:
- user.groupname
- user.uid
- user.gid
- user.home_dir
- user.gecos
- user.group_membership
sandfly_engine_utmp
- Permissive:
- log.utmp.username
- Moderate:
- log.utmp.hostname
- log.utmp.ip_address
sandfly_engine_wtmp
- Permissive:
- log.wtmp.username
- Moderate:
- log.wtmp.hostname
- log.wtmp.ip_address