Whitelisting a Sandfly

If a sandfly needs an exception because of unique aspects of your environment, or it raises a false alarm, you can create a whitelist so that the sandfly either no longer runs against one or more hosts in future scans or no longer generates an alert.

Whitelists can be created at any time via the Add Rule button, which is found on the Whitelists Rules page. This advanced method uses Linux forensic attributes to allow you to build your own custom whitelists from the ground up.

Alternatively, whitelists can be quickly created by leveraging the data from a result. This simple method can be initiated in one of two ways from the details page of any result.

Option 1 - Via Whitelist Button

Use this option when you want the flexibility of choosing a Whitelist Mode, which offers several prepared rules based on the result data. To create a whitelist using this method, first click the Whitelist button, then select the desired Whitelist Mode, and continue through the remaining steps of the form until completion.

Create Whitelist Tab in Result Detail

Whitelist Form in Result Detail

Option 2 - Via Whitelist Forensic(s) Button

If targeting only one or more specific forensic attributes for a rule, generating a whitelist can be quickly initiated by finding and selecting the desired data point(s) within the Forensic tab and then clicking on the Whitelist Forensic(s) button to start the rule creation process.

Whitelist via Sandfly Hunter

Either option takes you to the Add New Whitelist form, which is populated with data from the originating result. From here you can review the data used to make the rule and optionally modify it further.

Add New Whitelist - Scoped by Host

Once the form is complete, click the Finish button, which is located on the final step of the form.

The new whitelist will be applied to future scan results; existing results will not be changed.

⚠️ WARNING: Whitelists do not change existing results

Adding or modifying a whitelist will only apply to future scan results. Any existing results will not be affected. This can cause a former alert to now report as a "pass" result when using the whitelist pass mode.
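The following is an added illustrative model of how the whitelist behaviour described on this page fits together; it is not Sandfly's own code or rule format. It assumes a rule is keyed to one sandfly, optionally scoped to a list of hosts, matches on a set of forensic attributes, and runs in one of two assumed modes: `pass` (the result is kept but reported as a pass and tagged as whitelisted) or `skip` (the sandfly no longer produces a result for that host). It also models the warning above: a rule only affects results scanned after the rule was created. All sandfly names, hostnames, forensic attribute names and timestamps are constructed sample values.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional


@dataclass
class Result:
    """One sandfly result for one host (constructed model, not Sandfly's schema)."""
    sandfly: str
    host: str
    scanned_at: int                 # epoch seconds of the scan (constructed)
    forensics: Dict[str, str]       # forensic attributes collected by the sandfly
    status: str = "alert"
    whitelisted: bool = False


@dataclass
class WhitelistRule:
    """A whitelist built from forensic attributes (assumed structure)."""
    sandfly: str
    mode: str                       # assumed modes: "pass" or "skip"
    created_at: int                 # epoch seconds the rule was created
    hosts: Optional[List[str]] = None   # None means the rule applies to any host
    match: Dict[str, str] = field(default_factory=dict)  # all attributes must match

    def applies_to(self, r: Result) -> bool:
        if r.sandfly != self.sandfly:
            return False
        if r.scanned_at < self.created_at:
            return False            # existing results are never changed by a rule
        if self.hosts is not None and r.host not in self.hosts:
            return False            # rule is scoped by host
        return all(r.forensics.get(k) == v for k, v in self.match.items())


def apply_whitelists(results: List[Result], rules: List[WhitelistRule]) -> List[Result]:
    """Return the results as they would be reported after the rules are applied."""
    reported: List[Result] = []
    for r in results:
        hit = next((rule for rule in rules if rule.applies_to(r)), None)
        if hit is None:
            reported.append(r)
        elif hit.mode == "skip":
            continue                # sandfly no longer produces a result for this host
        else:                       # "pass": former alert now reports as a pass
            reported.append(replace(r, status="pass", whitelisted=True))
    return reported


# Constructed sample data: a scheduled backup script that trips a cron sandfly,
# plus an unknown setuid binary on a database host.
BACKUP = {"process.name": "backup.sh", "process.user": "backup"}
RESULTS = [
    Result("cron_process_suspicious_example", "web01", 100, BACKUP),   # before the rule
    Result("cron_process_suspicious_example", "web01", 300, BACKUP),   # after the rule
    Result("cron_process_suspicious_example", "db01", 300, BACKUP),    # host not in scope
    Result("cron_process_suspicious_example", "web01", 301,
           {"process.name": "x.sh", "process.user": "root"}),          # attributes differ
    Result("file_setuid_unknown_example", "db01", 300,
           {"file.path": "/opt/vendor/bin/helper"}),                   # skip-mode rule
]
RULES = [
    WhitelistRule("cron_process_suspicious_example", "pass", created_at=200,
                  hosts=["web01"], match=BACKUP),
    WhitelistRule("file_setuid_unknown_example", "skip", created_at=200,
                  hosts=["db01"]),
]


def demo() -> Dict[str, str]:
    """Summarise what each sample result reports as; skipped results are absent."""
    summary = {}
    for r in apply_whitelists(RESULTS, RULES):
        key = f"{r.host}:{r.sandfly}@{r.scanned_at}"
        summary[key] = r.status + (" (whitelisted)" if r.whitelisted else "")
    return summary


if __name__ == "__main__":
    for key, status in demo().items():
        print(f"{key:50} {status}")
```

The design point is that the rule is as narrow as the forensic attributes you select: matching on both the process name and the user keeps a root-owned `x.sh` in the same cron slot alerting, and the host scope keeps the same script alerting on a host where it is not expected.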


Whitelist Tag

When a sandfly result is affected by a whitelist, it will be indicated with a Whitelisted tag, as shown here.

Whitelisted Result