Scan
Scanning Hosts Manually
Although Sandfly is designed to work automatically to constantly scan for threats, you can also use it to do manual spot checks to make sure everything is OK. Also, you can use Sandfly for incident response by sending it to investigate groups of hosts for signs of compromise all at once.
To scan manually from the Create New Scan form, choose the hosts to scan along with the sandflies that you want to run against them. Once the form is submitted, Sandfly immediately begins checking all of the selected hosts and reports back results, which can be viewed under the Results section. Trickle scanning is not available for manual scans.
Selecting Hosts to Scan
The new scan form will walk you through two steps. For step 1, select one or more active hosts.

Select Sandfly Modules to Use
After selecting which hosts to scan, pick which sandflies to run against them in step 2. Here, select one or more individual sandflies or a specific sandfly threat group, such as file, directory, process, log, or user sandflies.

Selecting Sandflies
Finish
Change the default priority if needed, then click the Finish button. The manual scan is added to the task queue using the Immediate scan mode; from there the hosts are sent on to the appropriate nodes for processing.

Finish Scan
Once the data is returned and processed, the results will begin showing up in the Results section or on the dashboard.