Scanning Hosts Manually
Although Sandfly is designed to work automatically to constantly scan for threats, you can also use it to do manual spot checks to make sure everything is OK. Also, you can use Sandfly for incident response by sending it to investigate groups of hosts for signs of compromise all at once.
Non-scheduled scanning is split into two options, which can be selected from either the Scanning side bar or via the pull-down selector of the "Scan Now" button located on the Top Bar.
- Manual Scan - Contains all sandflies except for the "incident" Sandfly Type. The Filter is preset to display sandflies that are Active; however, the filter can be changed or cleared as needed. This is the default scan method when using the Scan Now button directly.
- Incident Scan - Contains only "incident" sandflies and limits the quantity of sandflies that can be selected at one time as some of these sandflies can significantly impact host performance and/or return a large number of alerts.
Both scan options will walk you through a two-step form where you select the hosts and sandflies to use. Once the form is submitted, Sandfly will immediately begin its scan and report back the results, which can be viewed under the Results section of the side bar. Manual scans will run immediately on all of the selected hosts; Trickle scanning is not available with this scan method.
Step 1 - Select Active Host(s)
Select one or more active hosts. Use the Filter to aid with the selection of large or diverse groups of hosts.

Selecting Hosts to Scan
Step 2 - Select Sandflies
Next, choose at least one sandfly to run against the selected hosts. This can be a mix of individual sandflies, specific threat groups (i.e. directory, file, log, process, user), and/or custom sandflies.

Selecting Sandflies
Finish the Form
Change the priority if needed, otherwise click on the Finish button. The manual scan will be added into the task queue using the Immediate scan mode; from there the hosts are sent on to the appropriate nodes for processing.

Once the data is returned and processed, the results will begin showing up in the Results section or on the dashboard.