Sandfly Security Documentation

Welcome to the Sandfly Security documentation hub. Sandfly is an agentless compromise and intrusion detection system for Linux.

Sandfly automates security investigation and forensic evidence collection on Linux. Sandfly constantly searches for intruders 24 hours a day on your network without needing to load any agents on your endpoints.

Sandfly Forensic Keyword List

This section lists the forensic data Sandfly can return as part of its results. In the UI this data appears in the forensics viewer. In the REST API it is returned as a JSON object whose keys are the keyword names below.

Only the keywords relevant to the detected attack type are returned. For instance, you will only see process-related keywords if a malicious process is associated with the detected problem, so consumers of the API should treat every keyword as optional.
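The keywords in the table are what a consumer of the REST API has to work with, so here is an added worked example, not Sandfly's own code, of triaging one result object in Python. It assumes the result is a flat JSON object keyed by the keyword names in the table (an assumption for illustration; check the API reference for the exact envelope). The sample record, the trusted-directory lists and the entropy threshold are constructed for the example. The shannon_entropy function reproduces the 0.0 to 8.0 bits-per-byte scale of the file_entropy keyword so a reported value can be sanity-checked against known data.

```python
import json
import math
import os
from collections import Counter

# Constructed sample: a flat object keyed by Sandfly forensic keywords.
# The flat shape and every value here are assumptions for this example,
# not a capture from a real Sandfly result.
SAMPLE_RESULT_JSON = """
{
  "explanation": "SUID root binary found outside standard system directories",
  "file_path": "/dev/shm/.cache/notes.txt",
  "file_name": "notes.txt",
  "file_ext": "txt",
  "file_mode": "4755",
  "file_uid": 0,
  "file_uid_name": "root",
  "file_is_suid_root": true,
  "file_is_binary": true,
  "file_entropy": 7.93,
  "file_magic_num_type": "ELF",
  "file_magic_num_class": "executable",
  "file_magic_num_expected_extensions": ["", "elf", "bin", "out", "so"],
  "process_pid": 31337,
  "process_name": "kworker/0:1",
  "process_path": "/dev/shm/.cache/notes.txt",
  "process_command": "kworker/0:1"
}
"""

# Directories a SUID root binary is normally installed from (example list).
TRUSTED_SUID_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                     "/usr/lib/", "/usr/libexec/")
# World-writable scratch locations; legitimate software is rarely run from them.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# file_entropy runs 0.0 .. 8.0 bits per byte; values this high are typical
# of packed or encrypted payloads. Threshold chosen for the example.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for
    uniformly distributed bytes. Same scale as the file_entropy keyword."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(result: dict) -> list:
    """Return indicator strings derived from whichever keywords are present.
    Missing keywords are skipped, since a result only carries the keywords
    relevant to its detection."""
    hits = []
    path = result.get("file_path", "")
    if result.get("file_is_suid_root") and not path.startswith(TRUSTED_SUID_DIRS):
        hits.append(f"suid-root outside trusted dirs: {path}")
    if path.startswith(SCRATCH_DIRS) and result.get("file_is_binary"):
        hits.append(f"binary in scratch dir: {path}")
    expected = result.get("file_magic_num_expected_extensions")
    ext = result.get("file_ext")
    if expected is not None and ext is not None and ext not in expected:
        hits.append(f"extension .{ext} does not match magic type "
                    f"{result.get('file_magic_num_type')}")
    if result.get("file_entropy", 0.0) >= ENTROPY_THRESHOLD:
        hits.append(f"high entropy {result['file_entropy']:.2f} (packed or encrypted?)")
    # Heuristic: a process whose name differs from its executable's basename
    # may be masquerading. Interpreters and renamed threads also trip this,
    # so treat it as a lead rather than a verdict.
    ppath = result.get("process_path")
    pname = result.get("process_name")
    if ppath and pname and os.path.basename(ppath) != pname:
        hits.append(f"process name {pname!r} masquerades executable {ppath}")
    if result.get("hash_matches"):
        hits.append(f"hash match: {result['hash_matches']}")
    return hits


def triage_json(text: str) -> list:
    """Parse one API result object and triage it."""
    return triage(json.loads(text))


if __name__ == "__main__":
    for line in triage_json(SAMPLE_RESULT_JSON):
        print("-", line)
```

Each check only fires when its keywords are present, which matches the way results are returned: a cron finding will carry cron_* keys and none of the file_* keys, and the same function handles both without special-casing the attack type.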

| Keyword Name | Description |
|---|---|
| at_job_queue | at job queue. |
| at_job_num | at job number. |
| at_job_date | at job date. |
| at_file_data | Contents of the at job file. |
| uid | A UID number. |
| pid | A PID number. |
| euid | Effective UID. |
| btmp_type | ut_type of the btmp entry (1-9). Failed logins are recorded as type 6 (LOGIN_PROCESS), so that is usually all you will see. |
| btmp_pid | PID associated with this entry. |
| btmp_terminal_name | Terminal name (ut_line) associated with this entry. |
| btmp_terminal_id | inittab ID (ut_id) for the terminal. |
| btmp_username | Username associated with this entry, if any. |
| btmp_hostname | Hostname associated with this entry, if any. |
| btmp_date | UTC date and time of this entry. |
| btmp_date_epoch | Time in seconds since the Unix epoch. |
| btmp_ip_addr | IPv4 address for this entry, if any. |
| btmp_ipv6_addr | IPv6 address for this entry, if any. |
| cron_username | Username field, present only in the system crontab formats that carry one (/etc/crontab and /etc/cron.d entries). |
| cron_path | Path to the cron file. |
| cron_minute | Cron minute field. |
| cron_hour | Cron hour field. |
| cron_day | Cron day of month field. |
| cron_month | Cron month field. |
| cron_day_of_week | Cron day of week field. |
| cron_command | Cron command field. |
| date | A date in ISO 8601 Zulu (UTC) format. |
| dev_list | A list of devices. |
| dir_path | Full path to the directory. |
| dir_path_root | Root of the path. |
| dir_path_link | Directory the link points to, if dir_path is a symbolic link. |
| dir_name | Directory name. |
| dir_ext | Extension of the directory name, if any. |
| dir_date_creation | Creation date. |
| dir_date_accessed | Last access date. |
| dir_date_modified | Last modification date. |
| dir_size | Directory size in bytes. |
| dir_inode | Directory inode number. |
| dir_mode | Directory mode in octal. |
| dir_device | Device number holding the directory. |
| dir_nlink | Number of hard links to the directory. |
| dir_gid | GID of the directory's group owner. |
| dir_gid_name | Group name of the directory's group owner. |
| dir_uid | UID of the directory owner. |
| dir_uid_name | Username of the directory owner. |
| dir_is_link | Boolean: is the directory a symbolic link? |
| dir_list | A list of full paths to directories. |
| explanation | Human-readable explanation of the finding, when the sandfly provides one. |
| error_msg | Error message from the sandfly, if one occurred. |
| file_path | Full path to the file. |
| file_path_root | Root of the path. |
| file_path_link | File the link points to, if file_path is a symbolic link. |
| file_name | File name. |
| file_ext | File extension. |
| file_date_creation | Creation date. |
| file_date_accessed | Last access date. |
| file_date_modified | Last modification date. |
| file_date_creation_link | Creation date of the link itself. |
| file_date_accessed_link | Last access date of the link itself. |
| file_date_modified_link | Last modification date of the link itself. |
| file_size | File size in bytes. |
| file_inode | File inode number. |
| file_mode | File mode in octal. |
| file_device | Device number holding the file. |
| file_nlink | Number of hard links to the file. |
| file_gid | GID of the file's group owner. |
| file_gid_name | Group name of the file's group owner. |
| file_uid | UID of the file owner. |
| file_uid_name | Username of the file owner. |
| file_entropy | Shannon entropy of the file in bits per byte, from 0.0 (constant data) to 8.0 (uniformly random; typical of encrypted or packed content). |
| file_is_suid | Boolean: is the setuid bit set, so the file runs as its owner? |
| file_is_sgid | Boolean: is the setgid bit set, so the file runs as its group? |
| file_is_suid_root | Boolean: is the file setuid and owned by root? |
| file_is_sgid_root | Boolean: is the file setgid and owned by the root group? |
| file_is_link | Boolean: is the file a symbolic link? |
| file_is_binary | Boolean: does the file appear to be binary? |
| file_list | A list of full paths to files. |
| file_magic_num_type | File type detected from its magic number. |
| file_magic_num_class | Class of the file from its magic number, such as compression, image, executable, or package. |
| file_magic_num_expected_extensions | List of extensions expected for the detected file type. Compare with file_ext to spot disguised files. |
| file_magic_num_bytes | Leading bytes of the file, as a hex string. |
| file_magic_num_str | Leading bytes of the file, as a plain string. |
| file_data | Raw data from the file relevant to the finding. |
| file_hash_md5 | MD5 hash of the file. |
| file_hash_sha1 | SHA-1 hash of the file. |
| file_hash_sha256 | SHA-256 hash of the file. |
| file_hash_sha512 | SHA-512 hash of the file. |
| group_list | An array of groups. |
| hash_matches | Name of the object (file, etc.) whose hash matched in a hash comparison. |
| ip_addr | IPv4 address. |
| ipv6_addr | IPv6 address. |
| ip_addrs | An array of IPv4 addresses. |
| ipv6_addrs | An array of IPv6 addresses. |
| network_ports_tcp | An array of TCP ports. |
| network_ports_udp | An array of UDP ports. |
| network_ports_tcp6 | An array of TCPv6 ports. |
| network_ports_udp6 | An array of UDPv6 ports. |
| network_ports_raw | An array of raw socket entries (for raw sockets the port field holds the IP protocol number). |
| network_ports_raw6 | An array of raw IPv6 socket entries. |
| lastlog_terminal_name | Terminal name associated with this entry. |
| lastlog_hostname | Hostname associated with this entry, if any. |
| lastlog_date | UTC date and time of this entry. |
| lastlog_date_epoch | Time in seconds since the Unix epoch. |
| lastlog_uid | UID of the user from lastlog. |
| lastlog_username | Username decoded from the lastlog entry. |
| local_ip_addr | Local IPv4 interface address. |
| local_ipv6_addr | Local IPv6 interface address. |
| local_tcp_port | Local TCP listening port. |
| local_tcp6_port | Local TCPv6 listening port. |
| local_udp_port | Local UDP listening port. |
| local_udp6_port | Local UDPv6 listening port. |
| local_raw_port_protocol | Protocol number of the local raw socket. |
| local_raw6_port_protocol | Protocol number of the local raw IPv6 socket. |
| module_name | Kernel module name. |
| module_memory_size | Module size in memory. |
| module_instance_count | Instance (use) count of this module. |
| module_state | State: Live, Loading, or Unloading. |
| module_memory_offset | Memory offset of the module. |
| module_hidden | Boolean: does this module appear to be hiding itself? |
| module_dependencies | Dependencies for this module. |
| os_system | OS name string. |
| os_distribution_full | Full distribution name, if available. |
| os_distribution_short | Short distribution name, if available. |
| os_distribution_name | Distribution name, if available. |
| os_release | OS release string. |
| os_machine | Hardware (machine) string. |
| os_processor | CPU string. |
| os_version | OS version string. |
| os_node | Network node name, if available. |
| os_platform | Platform name, if available. |
| os_uname | OS uname list. |
| os_python_version | Python version string. |
| os_uuid | Machine UUID string. |
| os_machine_id | Machine ID string. |
| os_dmi_bios_date | DMI BIOS date. |
| os_dmi_bios_vendor | DMI BIOS vendor name. |
| os_dmi_bios_version | DMI BIOS version. |
| os_dmi_chassis_asset | DMI chassis asset tag. |
| os_dmi_chassis_serial | DMI chassis serial number. |
| os_dmi_chassis_type | DMI chassis type. |
| os_dmi_chassis_vendor | DMI chassis vendor name. |
| os_dmi_chassis_version | DMI chassis version. |
| os_dmi_modalias | DMI modalias string (concatenated DMI identifiers, as used for driver matching). |
| os_dmi_product_name | DMI product name. |
| os_dmi_product_serial | DMI product serial number. |
| os_dmi_product_uuid | DMI product UUID. |
| os_dmi_product_version | DMI product version. |
| os_dmi_smbios_version | DMI SMBIOS version. |
| os_dmi_sys_vendor | DMI system vendor. |
| os_mem_total | Total RAM. |
| os_mem_free | Free RAM. |
| os_mem_available | Available RAM. |
| os_mem_swap_total | Total swap space. |
| os_mem_swap_free | Free swap space. |
| os_cpu_info_processors_total | Number of processors in the system. |
| os_cpu_info_vendor_id | CPU vendor ID. |
| os_cpu_info_cpu_family | CPU family. |
| os_cpu_info_model | CPU model. |
| os_cpu_info_model_name | CPU model name. |
| os_cpu_info_stepping | CPU stepping. |
| os_cpu_info_microcode | Microcode revision. |
| os_cpu_info_cpu_mhz | CPU speed in MHz (float). |
| os_cpu_info_cache_size | Cache size. |
| os_cpu_info_physical_id | Physical ID. |
| os_cpu_info_siblings | Siblings (logical CPUs in the physical package). |
| os_cpu_info_core_id | Core ID. |
| os_cpu_info_cpu_cores | Number of CPU cores on the processor. |
| os_cpu_info_apicid | APIC ID. |
| os_cpu_info_initial_apicid | Initial APIC ID. |
| os_cpu_info_fpu | Boolean: FPU present? |
| os_cpu_info_fpu_exception | Boolean: FPU exception supported? |
| os_cpu_info_cpuid_level | CPUID level. |
| os_cpu_info_wp | Boolean: write-protect (wp) flag set? |
| os_cpu_flags | Flags the CPU has set (long list). |
| os_cpu_bugs | Hardware bugs reported for the CPU, such as meltdown and spectre. |
| os_cpu_info_bogomips | Linux BogoMIPS value. |
| os_cpu_info_clflush_size | clflush size. |
| os_cpu_info_cache_alignment | Cache alignment. |
| os_cpu_info_address_sizes | Address sizes the CPU supports. |
| os_cpu_info_power_management | Power management information. |
| process_path | Path to the process executable. |
| process_cwd | Current working directory of the process. |
| process_environ | Process environment, if available. |
| process_name | Name of the process. |
| process_pid | Process PID. |
| process_pid_parent | Parent PID. |
| process_pid_group | Process group ID. |
| process_pid_list | List of process PIDs. |
| process_cmdline | Process command line. |
| process_command | Command name as the kernel reports it. A process can present a different name on its command line, so compare with process_name and process_path. |
| process_uid | UID of the process owner. |
| process_uid_name | Username of the process owner. |
| process_gid | GID of the process. |
| process_gid_name | Group name of the process. |
| process_date_creation | Process creation date. |
| process_system_uptime | How long the system has been up. |
| process_minutes_running | How long the process has been running, in minutes. |
| process_fds_open | File descriptors the process has open. |
| process_network_ports_tcp | TCP ports the process has open. |
| process_network_ports_udp | UDP ports the process has open. |
| process_network_ports_tcp6 | TCPv6 ports the process has open. |
| process_network_ports_udp6 | UDPv6 ports the process has open. |
| process_network_ports_raw | Raw sockets the process has open. |
| process_network_ports_raw6 | Raw IPv6 sockets the process has open. |
| process_hash_md5 | MD5 hash of the running binary. |
| process_hash_sha1 | SHA-1 hash of the running binary. |
| process_hash_sha256 | SHA-256 hash of the running binary. |
| process_hash_sha512 | SHA-512 hash of the running binary. |
| remote_ip_addr | Remote IPv4 address of the connection. |
| remote_ipv6_addr | Remote IPv6 address of the connection. |
| remote_tcp_port | Remote TCP port of the connection. |
| remote_tcp6_port | Remote TCPv6 port of the connection. |
| remote_udp_port | Remote UDP port of the connection. |
| remote_udp6_port | Remote UDPv6 port of the connection. |
| wtmp_type | ut_type of the wtmp entry (1-9; for example 7 USER_PROCESS for a login, 8 DEAD_PROCESS for a logout). |
| wtmp_pid | PID associated with this entry. |
| wtmp_terminal_name | Terminal name (ut_line) associated with this entry. |
| wtmp_terminal_id | inittab ID (ut_id) for the terminal. |
| wtmp_username | Username associated with this entry, if any. |
| wtmp_hostname | Hostname associated with this entry, if any. |
| wtmp_date | UTC date and time of this entry. |
| wtmp_date_epoch | Time in seconds since the Unix epoch. |
| wtmp_ip_addr | IPv4 address for this entry, if any. |
| wtmp_ipv6_addr | IPv6 address for this entry, if any. |
| utmp_type | ut_type of the utmp entry (1-9). |
| utmp_pid | PID associated with this entry. |
| utmp_terminal_name | Terminal name (ut_line) associated with this entry. |
| utmp_terminal_id | inittab ID (ut_id) for the terminal. |
| utmp_username | Username associated with this entry, if any. |
| utmp_hostname | Hostname associated with this entry, if any. |
| utmp_date | UTC date and time of this entry. |
| utmp_date_epoch | Time in seconds since the Unix epoch. |
| utmp_ip_addr | IPv4 address for this entry, if any. |
| utmp_ipv6_addr | IPv6 address for this entry, if any. |
| user_name | Username of the user. |
| user_group | Group of the user. |
| user_shell | Login shell of the user. |
| user_uid | UID of the user. |
| user_gid | GID of the user. |
| user_gecos | GECOS field from /etc/passwd. |
| user_home_dir | Home directory of the user. |
| user_list | An array of users. |
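The btmp_*, wtmp_* and utmp_* keywords above are decoded from the fixed-width utmp records Linux writes to /var/log/btmp, /var/log/wtmp and /var/run/utmp. As an added example, not Sandfly's code, the Python below parses such records into a dict using the same keyword names, so the values Sandfly reports can be cross-checked against the raw file. It assumes glibc's 384-byte struct utmp layout on x86-64 (32-bit ut_session and ut_tv fields); the *_type_name key and the make_record helper are additions for the example, and the sample btmp image is constructed, not captured from a host.

```python
import socket
import struct
from datetime import datetime, timezone

# glibc struct utmp layout on x86-64 Linux (384 bytes per record):
#   short ut_type; (2 bytes pad) pid_t ut_pid; char ut_line[32]; char ut_id[4];
#   char ut_user[32]; char ut_host[256]; struct exit_status ut_exit (2 shorts);
#   int32 ut_session; int32 tv_sec; int32 tv_usec; int32 ut_addr_v6[4];
#   char __unused[20];
UTMP_FORMAT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384

# ut_type values from <utmp.h>
UT_TYPE_NAMES = {
    0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
    5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
    8: "DEAD_PROCESS", 9: "ACCOUNTING",
}


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def parse_utmp_record(buf: bytes, prefix: str = "btmp") -> dict:
    """Decode one 384-byte record into a dict keyed like Sandfly's
    btmp_*/wtmp_*/utmp_* keywords. <prefix>_type_name is an extra key
    added here for readability."""
    (ut_type, pid, line, ut_id, user, host, _e_term, _e_exit, _session,
     tv_sec, _tv_usec, addr) = struct.unpack(UTMP_FORMAT, buf)
    when = datetime.fromtimestamp(tv_sec, tz=timezone.utc)
    rec = {
        f"{prefix}_type": ut_type,
        f"{prefix}_type_name": UT_TYPE_NAMES.get(ut_type, "UNKNOWN"),
        f"{prefix}_pid": pid,
        f"{prefix}_terminal_name": _cstr(line),
        f"{prefix}_terminal_id": _cstr(ut_id),
        f"{prefix}_username": _cstr(user),
        f"{prefix}_hostname": _cstr(host),
        f"{prefix}_date_epoch": tv_sec,
        f"{prefix}_date": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        f"{prefix}_ip_addr": "",
        f"{prefix}_ipv6_addr": "",
    }
    # ut_addr_v6 holds an IPv4 address in its first 4 bytes (rest zero) or a
    # full IPv6 address; an all-zero field means no address was recorded.
    if addr[4:] == b"\x00" * 12:
        if addr[:4] != b"\x00" * 4:
            rec[f"{prefix}_ip_addr"] = socket.inet_ntoa(addr[:4])
    else:
        rec[f"{prefix}_ipv6_addr"] = socket.inet_ntop(socket.AF_INET6, addr)
    return rec


def parse_utmp_file(data: bytes, prefix: str = "btmp") -> list:
    """Decode a whole btmp/wtmp/utmp file image into a list of records.
    A size that is not a whole number of records indicates truncation or
    tampering, so refuse it rather than silently dropping the tail."""
    if len(data) % UTMP_SIZE:
        raise ValueError(f"{len(data)} bytes is not a multiple of {UTMP_SIZE}")
    return [parse_utmp_record(data[i:i + UTMP_SIZE], prefix)
            for i in range(0, len(data), UTMP_SIZE)]


def make_record(ut_type, pid, line, user, host, tv_sec, ip4=None, ut_id=b""):
    """Build a constructed record (test data only, not captured from a host)."""
    addr = (socket.inet_aton(ip4) + b"\x00" * 12) if ip4 else b"\x00" * 16
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), ut_id,
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, addr)


# Constructed sample btmp image: two failed SSH logins for root from one host.
SAMPLE_BTMP = (
    make_record(6, 4242, "ssh:notty", "root", "203.0.113.7", 1700000000, "203.0.113.7")
    + make_record(6, 4243, "ssh:notty", "root", "203.0.113.7", 1700000003, "203.0.113.7")
)

if __name__ == "__main__":
    for rec in parse_utmp_file(SAMPLE_BTMP):
        print(rec["btmp_date"], rec["btmp_type_name"],
              rec["btmp_username"], rec["btmp_ip_addr"])
```

Pass prefix="wtmp" or prefix="utmp" to get the matching keyword names for those files. The hostname and IP fields are written by the logging program, not the kernel, so a mismatch between them (or an empty address field) on an entry that claims a remote login is itself worth noting.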
