Sandfly is an agentless compromise and intrusion detection system for Linux. It automates security investigation and forensic evidence collection, continuously hunting for intruders across your network without loading any agents on your endpoints.


Sandfly Security Linux Forensics Keyword List

JSON Keywords for Linux Forensic Data

Sandfly Forensic Keyword List

This section lists the forensic data Sandfly can return as part of its results. In the UI this data appears in the forensics viewer. In the REST API it is returned as a JSON object. The same data is also passed over syslog to your destination of choice (e.g. a SIEM or log aggregator).

Only the keywords relevant to the detected attack type are returned. For instance, you will only see process-related keywords if a malicious process is the detected problem, file data only appears for file-related detections, and so on. Any parser or SIEM mapping you build on top of these results should therefore treat each forensic section as optional rather than assuming every key is present in every result.
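The following is an added example of ingesting syslog-delivered results whose forensic sections vary by detection type; it is not code from Sandfly or from this documentation. The section names (`sandfly`, `process`, `file`, `user`), field names and sample records are hypothetical placeholders constructed for illustration, not Sandfly's documented keywords. The point it shows is that a downstream parser must discover which sections are present and read only those, while rejecting non-JSON lines.

```python
import json

# Constructed sample records as they might arrive as syslog message bodies.
# Key names ("sandfly", "process", "file", "user") and values are hypothetical
# placeholders for illustration, not Sandfly's documented keyword names.
SAMPLE_LINES = [
    # constructed: a process-type detection carrying only process forensics
    '{"sandfly": {"name": "process_hidden_example", "type": "process"},'
    ' "process": {"pid": 4242, "name": "kworker",'
    ' "cmdline": "/dev/shm/.k/kworker -o pool:3333"}}',
    # constructed: a file-type detection carrying only file forensics
    '{"sandfly": {"name": "file_suspicious_example", "type": "file"},'
    ' "file": {"path": "/dev/shm/.k/kworker",'
    ' "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}',
    # constructed: a line that is not a JSON payload at all
    'Mar  1 12:00:00 host sandfly: not a JSON payload',
]

# Forensic sections that may or may not be present, depending on detection type
# (hypothetical names).
SECTION_KEYS = ("process", "file", "user")


def parse_line(line):
    """Parse one syslog-delivered result into a dict; None if it is not a JSON object."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def present_sections(record):
    """Report which optional forensic sections this result actually carries."""
    return tuple(k for k in SECTION_KEYS if isinstance(record.get(k), dict))


def summarize(record):
    """Flatten a result into SIEM-style fields, reading only sections that exist."""
    meta = record.get("sandfly", {})
    out = {"detection": meta.get("name"), "sections": present_sections(record)}
    proc = record.get("process")
    if isinstance(proc, dict):
        out["process.pid"] = proc.get("pid")
        out["process.cmdline"] = proc.get("cmdline")
    f = record.get("file")
    if isinstance(f, dict):
        out["file.path"] = f.get("path")
        out["file.sha256"] = f.get("sha256")
    return out


def ingest(lines):
    """Return (list of summaries, count of rejected non-JSON lines)."""
    summaries, rejected = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected += 1
            continue
        summaries.append(summarize(rec))
    return summaries, rejected


if __name__ == "__main__":
    results, bad = ingest(SAMPLE_LINES)
    for s in results:
        print(s)
    print("rejected lines:", bad)
```

Each summary records which sections were found, so a detection rule can key off `sections` instead of failing on a missing `process.pid` when the result concerns a file.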

