Results Viewer

Dashboard Overview

The Results Viewer presents a wide array of information in a data table format. Through its toolbar features you can filter and display the data in flexible ways to suit any role or situation. Presets are provided to quickly break results down by alerts, passed checks, or non-fatal errors.

Export buttons let you download either the table as currently filtered, in CSV format, or the raw result data of the selected entries, in JSON format.

Sandfly Alert Results

Result By...

The web interface provides several ways to view grouped results. The following options appear under the Results section of the sidebar:

  • Results by Host (default) - Alerts are grouped by host, which makes the most troublesome devices easy to spot.
  • Results by Sandfly - Alerts are grouped by sandfly, showing which checks recur most often.
  • All Results - The data is not grouped, but it is initially filtered to show only Alert events.

Result Types

Sandfly's scans produce three result event types:

Alert Events

Alert events are Sandfly's primary focus: they carry forensic data from hosts that are compromised, or that are behaving unusually enough to need investigation.

Pass Events

Pass events are primarily for auditing purposes. They show that Sandfly checked the host for that particular threat and found nothing. This is useful for building a timeline of events leading up to a compromise, or for demonstrating compliance with security policies.

Error Events

Errors are non-fatal events that occurred during a scan; for instance, Sandfly may have looked for a particular log file and found it missing. The scan simply reports what happened and carries on. If the condition has cleared by the next time Sandfly checks, the error is not reported again; otherwise it is reported again on the next check.

Result Pruning

Sandfly automatically prunes old results after the number of days set by the Data Retention server setting; the configurable range depends on your license type. If you send events to an external replication database, rotating and expiring the replicated events is your responsibility.
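The grouping, result-type and retention behaviour described in the Result By, Result Types and Result Pruning sections above can be reproduced offline against a JSON export from the Results Viewer, which is useful when triaging results in a replication database that the server does not prune. The script below is an added example and is not part of Sandfly or its documentation. The record layout it reads (fields named host, sandfly, status and time, with status values alert, pass and error) and the sample records are assumptions constructed for the example, not Sandfly's real export schema or sandfly names; adapt the field names to your export.

```python
"""Triage helpers for a Sandfly-style JSON result export (added example, not Sandfly code)."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import json

# Constructed sample export. The field names and the sandfly names are an
# assumption for this example, not Sandfly's real JSON schema.
SAMPLE_EXPORT = json.dumps([
    {"host": "web-01",  "sandfly": "hidden_process",   "status": "alert", "time": "2024-05-01T10:00:00Z"},
    {"host": "web-01",  "sandfly": "new_setuid_file",  "status": "alert", "time": "2024-05-01T10:05:00Z"},
    {"host": "web-01",  "sandfly": "auth_log_present", "status": "error", "time": "2024-05-01T10:06:00Z"},
    {"host": "db-01",   "sandfly": "hidden_process",   "status": "alert", "time": "2024-05-02T09:00:00Z"},
    {"host": "db-01",   "sandfly": "auth_log_present", "status": "error", "time": "2024-05-02T09:02:00Z"},
    {"host": "db-01",   "sandfly": "auth_log_present", "status": "pass",  "time": "2024-05-02T09:03:00Z"},
    {"host": "bastion", "sandfly": "authkeys_perms",   "status": "pass",  "time": "2024-03-01T08:00:00Z"},
])


def parse_time(ts):
    """Parse an RFC 3339 UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_results(text):
    """Load the JSON export and parse timestamps so records can be compared by age."""
    records = json.loads(text)
    for r in records:
        r["time"] = parse_time(r["time"])
    return records


def count_by_type(records):
    """Alert / pass / error totals, matching the viewer's three presets."""
    return Counter(r["status"] for r in records)


def results_by_host(records, status="alert"):
    """Results by Host: hosts ranked by number of matching results, noisiest first."""
    counts = Counter(r["host"] for r in records if r["status"] == status)
    return counts.most_common()


def results_by_sandfly(records, status="alert"):
    """Results by Sandfly: sandflies ranked by how often they fire."""
    counts = Counter(r["sandfly"] for r in records if r["status"] == status)
    return counts.most_common()


def open_errors(records):
    """(host, sandfly) pairs whose most recent result is still an error.

    An error followed by a pass or alert on a later scan has cleared and is
    not reported, mirroring how the scanner stops reporting a resolved error.
    """
    latest = {}
    for r in sorted(records, key=lambda r: r["time"]):
        latest[(r["host"], r["sandfly"])] = r["status"]
    return {key for key, status in latest.items() if status == "error"}


def prune_expired(records, now, retention_days):
    """Drop records older than the retention window.

    This is the rotation you must perform yourself on a replication database;
    the server's Data Retention setting only prunes its own store.
    """
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records if r["time"] >= cutoff]


if __name__ == "__main__":
    recs = load_results(SAMPLE_EXPORT)
    print("by type:", dict(count_by_type(recs)))
    print("alerts by host:", results_by_host(recs))
    print("alerts by sandfly:", results_by_sandfly(recs))
    print("open errors:", open_errors(recs))
    kept = prune_expired(recs, parse_time("2024-05-03T00:00:00Z"), 30)
    print("after 30-day prune:", len(kept), "of", len(recs), "records kept")
```

On the constructed sample, web-01 tops the host ranking with two alerts, hidden_process is the most recurrent sandfly, only the web-01 auth_log_present error is still open (db-01's error was followed by a pass), and a 30-day window dated 2024-05-03 drops the March bastion record.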