Viewing Sandflies

You can view all the sandflies present in the system by clicking on the View option. This will give a listing of all available sandflies along with a short description about what it does.

[Figure: Sandfly Threat Hunting Modules Listing]

The upper bar shows how many sandflies are loaded into the system. It also contains tabs that break the sandflies out by type; use these tabs to filter the listing to a single type of sandfly.

The columns are:

Active - To disable a particular sandfly, uncheck this box. A deactivated sandfly will not be run in any scan, whether started manually or automatically by the scheduler. See the section on Activating and Deactivating Sandflies for more information.

Type - What kind of sandfly it is (file, directory, etc.).

Name - Name of the Sandfly.

Description - A short description of what the sandfly does.

Custom - Whether this is a custom (user-created) sandfly.

Tags - Sandfly type or MITRE ATT&CK tags that help categorize the threat type.

Response - Whether a response action is enabled, not enabled, or not available for this sandfly.

Sandfly Timeout Protection

Sandfly has an internal timeout mechanism that safely stops any sandfly that takes too long to run. If this happens, the error is reported under Results->Errors as a timeout condition.

Most sandflies run in under a second, but some Incident Response sandflies take longer and can run for up to several minutes depending on what they are doing. Incident Response sandflies must be selected manually and are never run as part of an automated scan, to prevent impact on the systems being scanned.
