Header Data

Header Data and Example

The data header is attached to all result sets. It contains data about the sandfly execution on the remote host, such as the UID the sandfly used when running, how long it took to execute, and the general status of what happened.

The results key contains the data (if any) from the completed sandfly check, along with the details of anything that was found. The first listing below shows only the header keys; the results key appears in the full example that follows it.

{
	"exec_seconds": 0,
	"start_time": "0001-01-01T00:00:00Z",
	"end_time": "0001-01-01T00:00:00Z",
	"name": "",
	"status": "",
	"status_msg": "",
	"severity": 0,
	"tags": null,
	"type": "",
	"engine": "",
	"key_data": ""
}

A full example, including a populated results key, is shown below.

{
  "exec_seconds": 0,
  "start_time": "2024-01-03T23:15:00Z",
  "end_time": "2024-01-03T23:15:00Z",
  "name": "log_tampering_missing_lastlog",
  "status": "alert",
  "status_msg": "ok",
  "severity": 3,
  "tags": [
    "attack.id.T1070.002",
    "attack.id.T1070.004",
    "attack.tactic.defense_evasion",
    "log"
  ],
  "type": "log",
  "engine": "sandfly_engine_file",
  "key_data": "/var/log/lastlog",
  "results": {
    "containerized": false,
    "file": {
      "date": {
        "created": "1970-01-01T00:00:00Z",
        "created_minutes": 0,
        "modified": "1970-01-01T00:00:00Z",
        "modified_minutes": 0,
        "accessed": "1970-01-01T00:00:00Z",
        "accessed_minutes": 0
      },
      "inode": 0,
      "device": 0,
      "rdevice": 0,
      "nlink": 0,
      "mode": "",
      "uid": 0,
      "username": "",
      "gid": 0,
      "groupname": "",
      "size": 0,
      "size_byte_count": 0,
      "size_byte_count_status": "",
      "size_mismatch": false,
      "blksize": 0,
      "blocks": 0,
      "path": "/var/log/lastlog",
      "path_root": "/var/log/",
      "path_link": "",
      "true_path": "",
      "name": "lastlog",
      "extension": "",
      "flags": {
        "directory": false,
        "regular": false,
        "link": false,
        "suid": false,
        "suid_root": false,
        "sgid": false,
        "sgid_root": false,
        "socket": false,
        "device": false,
        "char_device": false,
        "named_pipe": false,
        "sticky": false,
        "immutable": false,
        "hidden": false,
        "deleted": true,
        "containerized": false
      },
      "entropy": 0,
      "hash": {
        "md5": "",
        "sha1": "",
        "sha256": "",
        "sha512": ""
      },
      "magic_num": {
        "hex": "",
        "text": "",
        "type": "",
        "class": "",
        "expected_extensions": null
      },
      "container": {
        "id": "",
        "id_short": "",
        "rootdir": ""
      },
      "data": null
    },
    "explanation": "The system lastlog audit log at '/var/log/lastlog' does not exist on the file system. This audit log records successful logins to the host and is present on most Linux systems by default. If deleted it will disable login accounting. However, deleting this log is also common with sloppy log file cleaning from intruders wishing to conceal their activity on the host. You should investigate this system to find out why the file is missing and see if other logs have been deleted as well to hide logins.",
    "match_hashes": {
      "version": 1,
      "strict": "a44fe8cfe1e3311c1c39b732fbeb6e307eed6015fecddbeaa168a5c7b018abbd28bd8df990d94b99e428ebb842296037f80378bf4f7ab5d78ad30058bb574421",
      "moderate": "7400d3449a59568b1efa73dbbf6ec2c82723a1b198ac502cb8f333c57c6ec0d321fc3ded85f1507b8ee3efb34d226fc9dc57af1ab397968a171a2f1570afba0b",
      "permissive": "e50844ba13db91285a86543e00e02040aef4743c96a469b7c124ec5e4e42344f9a6cc63cfff0f59ad8c1d36b34778a5d541856ed3bb72995449ed41842f6be2f"
    }
  }
}