Sandfly Security

Sandfly Security Documentation

Welcome to the Sandfly Security documentation hub. Sandfly is an agentless compromise and intrusion detection system for Linux.

Sandfly automates security investigation and forensic evidence collection on Linux. Sandfly constantly searches for intruders 24 hours a day on your network without needing to load any agents on your endpoints.


Sandfly Installation Overview

Architecturally, Sandfly uses a core server for the database, user interface and REST API. Scanning of remote systems is done by separate scanning nodes. Optionally, the server can connect to a remote database instead of a local one, so the customer can host their own distributed, fault-tolerant database cluster off the server.

The scanning nodes receive orders from the server about which systems to scan and which problems to look for on the remote hosts, using a random selection of sandflies. The nodes perform the required checks by pushing their sandflies down to the hosts to run investigations and report results. Any suspicious activity found by a sandfly is reported back to the server for user alerting and further action.

Figure: Sandfly High-Level Architecture

During install we will set up the core server and the scanning nodes. The server consists of a web server, a REST API and an Elasticsearch database. The nodes use a Rabbit messaging system to talk to the server and multi-threaded, high-performance scanning engines to manage sandfly deployment and results.

Optionally, during install you can specify a database URL and username/password credentials for Sandfly to use, and forgo the database setup on the server entirely.
