Result Profiles

Introduction

Result profiles allow you to use the results of a scan from one or more hosts for automatic whitelisting or drift detection. The profile may be applied against the host or hosts that it was created from, or against other hosts. This allows you to have a "model host" that is used as a template for whitelists or drift detection against all similar hosts in your network.

What is drift detection?

Drift detection is a powerful feature of Sandfly that generates alerts if new recon results -- such as processes, users, kernel modules, SSH keys, systemd units, etc. -- appear on hosts relative to the result profile. For example, if you have a standard image for web servers that run a consistent set of processes and have a consistent set of users defined, drift detection can alert you if there is a new, unexpected program running or if a new user is added to the system that is not in the profile. Any recon sandflies can form the basis for drift detection, and you can choose the specific types of recon that are expected to stay the same on your hosts (for example, you could create a result profile from the results of the user and kernel module recon sandflies, but not the process list recon sandfly if you don't expect the list of running executables to be stable and predictable).

A screenshot of the details card of an alert result indicating that it is a drift detection alert.

Example Drift Detection Alert

What is automatic whitelisting?

Automatic whitelisting allows you to scan one or more hosts, create a result profile, and prevent any alerts that are similar to alerts found in the result profile from alerting on the same or other hosts. If you have a model or representative host that you know is not compromised, but is still alerting on some sandflies, creating a result profile and using it to whitelist all similar hosts is a fast way to prevent false positives and only alert on results that were not seen on the model host.

Result profiles

A result profile collects basic metadata about every result it includes. For each result, it stores the sandfly name, the status (pass, error, or alert), and the permissive and moderate hash match values for the result. These hash match values are what power both drift detection and whitelisting: they are cryptographic hashes over a set of key forensic attributes that the Sandfly investigation engines collect. For processes, for example, the permissive hash match covers the process name and the process executable path, while the moderate hash match additionally includes the sha512 hash of the process executable itself. This lets you control how closely a similar result on another host must match to be whitelisted or reported as drift. In the process example, it lets you choose whether an executable with the same name and path is considered "the same" even when a different version (and therefore a different sha512 hash of its content) is installed, or whether to use the stricter moderate hash match and treat different executable content, even with the same name and path, as different.

All result profiles always include both the pass and alert result information that is added to them, so you can use a result profile for both drift detection and automatic whitelisting.

Over time, you can add additional results to result profiles to fine-tune them. For example, you may initially create a result profile using the recon_process_list_all sandfly to gather expected running processes on a model host. However, there may be scheduled tasks that aren't always running, so those processes may create drift alerts on future scans. You can easily add those new alerts to the existing profile, then that process will no longer alert on all of the hosts covered by that result profile.
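The following is an added illustrative model of the matching described above, not Sandfly's own code or data schema. It assumes a SHA-256 digest over the named attributes (Sandfly's actual hash construction is not documented here), a constructed sandfly name "process_hypothetical_alert" for the alert case, placeholder sha512 values, and that drift is only reported for sandflies that already contribute results to the profile. It shows how the permissive and moderate hashes decide whether an upgraded executable counts as "the same", how whitelist and drift modes treat new results, and how adding a result to the profile stops it from drifting on later scans.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Illustrative model only: not Sandfly's code or schema. The attribute sets follow
# the page's process example; the digest construction itself is an assumption.


@dataclass(frozen=True)
class Result:
    sandfly: str   # sandfly that produced the result, e.g. recon_process_list_all
    status: str    # "pass", "error" or "alert"
    name: str      # process name
    path: str      # executable path
    sha512: str    # sha512 of the executable content (constructed placeholder values below)


def _digest(*attrs: str) -> str:
    # Assumption: SHA-256 over NUL-joined attributes stands in for Sandfly's
    # undisclosed hash; what matters here is which attributes take part.
    return hashlib.sha256("\x00".join(attrs).encode()).hexdigest()


def permissive_hash(r: Result) -> str:
    # Permissive match: process name and executable path only.
    return _digest(r.sandfly, r.name, r.path)


def moderate_hash(r: Result) -> str:
    # Moderate match: additionally binds the sha512 of the executable itself.
    return _digest(r.sandfly, r.name, r.path, r.sha512)


class ResultProfile:
    """Holds, per included result, the sandfly name, status and both hash values."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Tuple[str, str, str, str]] = []
        self.history: List[Tuple[str, int]] = []   # (user notes, number of results added)

    def add_results(self, results: List[Result], notes: str) -> None:
        # Adding results appends to the profile and records a history entry.
        for r in results:
            self.entries.append((r.sandfly, r.status, permissive_hash(r), moderate_hash(r)))
        self.history.append((notes, len(results)))

    def contributing_sandflies(self) -> Set[str]:
        return {e[0] for e in self.entries}

    def matches(self, r: Result, match: str) -> bool:
        col, h = (2, permissive_hash(r)) if match == "permissive" else (3, moderate_hash(r))
        return any(e[0] == r.sandfly and e[col] == h for e in self.entries)

    def apply(self, r: Result, mode: str, match: str) -> str:
        """Status recorded for one NEW result on a covered host.

        mode is "whitelist", "drift" or "both"; match is "permissive" or "moderate".
        Profiles only influence new results, so this is applied per incoming result.
        """
        known = self.matches(r, match)
        if r.status == "alert" and mode in ("whitelist", "both") and known:
            return "whitelisted"
        # Assumption: drift is only reported for sandflies that contribute to the profile.
        if (r.status == "pass" and mode in ("drift", "both") and not known
                and r.sandfly in self.contributing_sandflies()):
            return "drift"
        return r.status


def classify_host(profile: ResultProfile, results: List[Result], mode: str, match: str) -> Dict[str, str]:
    return {r.name: profile.apply(r, mode, match) for r in results}


# Constructed sample results. "process_hypothetical_alert" is a made-up sandfly name.
MODEL_HOST = [
    Result("recon_process_list_all", "pass", "nginx", "/usr/sbin/nginx", "sha-nginx-1.24"),
    Result("recon_process_list_all", "pass", "sshd", "/usr/sbin/sshd", "sha-sshd-9.6"),
    Result("process_hypothetical_alert", "alert", "agent", "/opt/backup/agent", "sha-agent-2.0"),
]
WEB02 = [
    Result("recon_process_list_all", "pass", "nginx", "/usr/sbin/nginx", "sha-nginx-1.26"),   # upgraded binary
    Result("recon_process_list_all", "pass", "sshd", "/usr/sbin/sshd", "sha-sshd-9.6"),
    Result("recon_process_list_all", "pass", "python3", "/usr/bin/python3", "sha-py-3.12"),   # not on model host
    Result("process_hypothetical_alert", "alert", "agent", "/opt/backup/agent", "sha-agent-2.0"),
]


def build_web_profile() -> ResultProfile:
    p = ResultProfile("web-servers")
    p.add_results(MODEL_HOST, "initial baseline from model host")
    return p


if __name__ == "__main__":
    p = build_web_profile()
    print(classify_host(p, WEB02, "both", "permissive"))   # nginx passes, python3 drifts, agent whitelisted
    print(classify_host(p, WEB02, "both", "moderate"))     # upgraded nginx now drifts as well
    p.add_results([WEB02[2]], "python3 scheduled task is expected")
    print(classify_host(p, WEB02, "drift", "permissive"))  # python3 no longer drifts; alert stays an alert
```

Under the permissive match the upgraded nginx still passes because only name and path are compared, while under the moderate match the changed sha512 turns it into a drift alert; in drift-only mode the agent alert is left alone, since whitelisting is a separate mode.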

Creating result profiles

While you can create profiles from individual results, the most efficient and effective way to create profiles is to scan a model or template host, then create a profile from all of the results found on that host. When creating a result profile you intend to use for drift detection, it is important to make sure that only the results for sandflies that you wish to participate in drift detection are present on the host you create the result profile from.

To provide a clean baseline for creating a result profile, Sandfly recommends you first delete all results on the host(s) you are going to create the profile from.

Then, perform a manual scan using only the sandflies that you wish to use in the profile. If you intend to use the profile for whitelisting, running all enabled sandflies is usually the correct choice. If you intend to use the profile for drift detection, run only the recon sandflies that you wish to detect drift for. For example, if the set of processes, kernel modules, systemd units, and cron jobs should be the same across the set of hosts you will use the profile on, then you should start a manual scan where you select only those relevant sandflies (recon kernel family of sandflies, recon process list all, recon process persistence family of sandflies, and recon systemd family of sandflies) and exclude recon sandflies that would gather results you expect to be different between hosts (such as recon_user_list_all if you expect different user accounts to exist across the hosts).

When the scan completes, the model host (or hosts if you are building a profile from multiple hosts) has the results from which you will create the profile.

Go to Results -> Results By Host, check the selection box next to the host (or hosts) you collected results for, and in the toolbar at the top of the hosts table, click Create Profile.

Screenshot showing the Result by Host list with the Create Profile button highlighted.

Give the profile a name and description to help you identify its purpose. You may optionally enter user notes with additional details. Any time you add more results to the profile in the future, you can add additional user notes to keep a log of why you modified the profile.

Screenshot of the first page of the Create Result Profile dialog.

On the next page, you can choose to start using the profile right away by associating it with some hosts. If you don't want to associate the profile with any hosts now, choose Skip for now and click Finish. If you do want to start using the profile immediately, select whether you want to use it for whitelisting, drift detection, or both functions. Then enter the list of host tags you want to apply the profile to. (If you want to apply the profile only to specific individual hosts, choose Skip for now to create the profile; you can then apply it to individual hosts by editing it from the Result Profiles UI page.) Finally, select Permissive or Moderate Hash Match to create either a less strict or more strict application of the profile to the selected host tags. Click Finish.

Screenshot of the second page of the Create Result Profile dialog.

Result Profiles take effect when scans occur and the server receives new results, so beginning with the next scan of the covered host tags, new results will be whitelisted or changed into drift alerts as appropriate based on the profile. Creating a result profile does not affect any existing results on hosts.

Viewing result profiles

After creating result profiles, you can view them by clicking on the Result Profiles sidebar menu option. The list of result profiles gives you overview details of each profile, including how many hosts it covers for drift and whitelist purposes, as well as the number of sandflies that have results contributing to the profile.

Screenshot of the result profiles list.

There are also status icons for you to quickly identify which profiles are in use for drift detection and whitelisting.

Explanation of two icons: a circle with a checkmark indicating automatic whitelisting, and two blue boxes offset from each other indicating drift detection.

Result Profile Status Icons

By opening a result profile, you will see its detail page. The left column of the details includes basic details about the profile and information about which tags the profile applies to, whether it is used for drift detection, whitelisting, or both for the tag, and whether the permissive or moderate match is used.

The right side of the profile details page shows the edit history of the profile under the history tab. This includes the user notes that are entered each time the result profile is modified, and includes the number of new results the modification contributed and the host(s) that contributed the results.

Screenshot of the result profile detail page with the history tab selected.

The host coverage tab lists every host that is covered by this result profile, and the mode and match hash used for that host.

Screenshot of the result profile detail page with the host coverage tab selected.

The profile sandflies tab lists every sandfly that has at least one result in this profile, and indicates whether that sandfly can be whitelisted or used for drift detection when applying this profile to a host.

Screenshot of the result profile detail page with the profile sandflies tab selected.

Editing result profile host coverage

To add hosts and host tags that the result profile will cover, or to edit existing host or host tag associations, click on the Edit button while viewing the result profile details. This will bring up an edit form that allows you to change the name and description as well as the host associations.

Screenshot of the dialog for editing an existing result profile.

Host associations apply the result profile to a host tag or individual host with a specific mode (drift, whitelist, or both) and match hash type (permissive or moderate). A result profile may be applied to different hosts using different modes and hash types. To apply to all hosts with a specific tag, enter the information in the Tag Associations section of the form. To apply to a specific host without using tags, add the information in the Host Associations section of the form. Remove an existing host or tag association from the profile by clicking the trash bin icon on the right side of each association. To save the updated associations, click the Finish button.

To delete a result profile entirely, click the Delete button on the result profile detail page, or click the selection checkbox on one or more profiles in the result profile list and click the Delete button at the top of the table. After deleting a result profile that applies to hosts, future results for those hosts will be processed without being influenced by the result profile: alert results will no longer be whitelisted if they matched a result in the profile, and new recon results that did not match the profile will no longer be marked as drift alerts. As with creating a profile, deleting a profile (or removing a host association from the profile) does not affect existing results, only new results from new scans.

Adding new results to profiles

After creating a result profile, you may find that some acceptable alerts are still not being whitelisted, or some acceptable results are being flagged as drift alerts since they weren't present on the initial host(s) from which you created the profile. Sandfly allows you to easily add those additional results to the profile.

If you are satisfied that all current results on the host are appropriate to add to the result profile, go to Results -> Results By Host, check the selection box next to the host(s) with results you would like to add to the profile, and click the "Add to Profile" button at the top of the table.

Screenshot of the results by host list with the Add To Profile button highlighted.

In the form that appears, select the profile you wish to add the results to from the drop-down box, and enter any user notes that you would like recorded in the profile's history to explain the addition of new results from the host(s). Then click Finish.

If you only want to add specific results to the profile (for example, for a profile you are using for drift detection, it may be important not to add new recon results from sandflies that you do not want to report drift on), you can drill down to the Results By Host -> Host level, check the selection boxes next to specific sandfly names, and click Add to Profile to add all of the results from the selected sandflies to the profile. For the most fine-grained control of which results you add to the profile, you can also use the Add to Profile button on the All Results list or after you've drilled down to the Results By Host -> Host -> Sandfly level, which lists the individual results for that sandfly on that host.

When adding results to a profile, you are not limited to choosing from the hosts that you initially created the profile from. Any results from any host can be added to any profile, so you can use your deployed hosts from a common template to contribute results to a profile initially created from a model host or the original template system.

Checking which result profiles affect a host

When viewing host details, you can click on the Profiles tab to see which result profiles are configured to affect the host. You will see the profile name, the application mode (drift, whitelist, or both), and the description of the result profile. From the profile list, you can click on a profile to get to its details, allowing you to edit the associations.

Screenshot of the host detail page with the profiles tab selected.