Whitelisting a Sandfly
If a sandfly produces a false alarm, or you need a rule exception for something unique to your environment, you can create a whitelist so that the sandfly either no longer runs against one or more hosts in future scans or no longer generates an alert.
Whitelists can be created at any time via the Add Rule button on the Whitelists Rules page. This advanced method uses Linux forensic attributes inside expr expressions to form rules, letting you build custom whitelists from the ground up.
Alternatively, a whitelist can be created quickly from the data in an existing result. This simpler method can be started in one of two ways from the details page of any result.
Option 1 - Via Whitelist Button
Use this option if you want the flexibility of choosing a Whitelist Mode, which offers several prepared rules based on the result data. To create a whitelist this way, click the Whitelist button, select the desired Whitelist Mode, and continue through the remaining steps of the form until completion.
Option 2 - Via Whitelist Forensic(s) Button
If the rule should target only one or more specific forensic attributes, open the Forensic tab of the result, select the desired data point(s), and click the Whitelist Forensic(s) button to start rule creation.
Either option takes you to the Add New Whitelist form, pre-populated with data from the originating result. From here you can review the data used to build the rule and optionally modify it further.
Once the form is filled in, click the Finish button on the final step of the form.
The new whitelist is applied to future scan results; existing results are not changed.
WARNING: Whitelists do not change existing results
Adding or modifying a whitelist only applies to future scan results; existing results are not affected. With the whitelist pass mode this means the earlier alert stays in the results as it was, while the next scan of the same host reports the same condition as a "pass".
Whitelist Tag
When a sandfly result is affected by a whitelist, it is marked with a Whitelisted tag.
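To make the rule model above concrete (attribute-based rules, the two kinds of whitelist effect, the Whitelisted tag, and the fact that only results produced after a whitelist exists are affected), here is an added illustration in Python. It is not Sandfly's code and does not use Sandfly's expr engine: the rule syntax is a small safe subset of Python expressions evaluated through the ast module, and the attribute names (host.name, process.path, process.uid), the sandfly name example_sandfly and the mode names "pass" and "do_not_run" are assumptions made for the example.

```python
# Added illustration (not Sandfly's code): attribute-based whitelist rules
# evaluated safely via the `ast` module, plus the "future results only" rule.
# The rule syntax, attribute names (host.name, process.*), the sandfly name and
# the mode names "pass" / "do_not_run" are assumptions made for this example.
import ast
import operator
from dataclasses import dataclass, field

# Only these node types may appear in a rule: comparisons, boolean logic,
# membership tests, constants and dotted attribute names. No calls, subscripts
# or arithmetic, so a rule can never execute arbitrary Python.
_ALLOWED_NODES = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp,
                  ast.Not, ast.Compare, ast.Eq, ast.NotEq, ast.In, ast.NotIn,
                  ast.Constant, ast.List, ast.Name, ast.Attribute, ast.Load)

_COMPARE = {
    ast.Eq: operator.eq,
    ast.NotEq: operator.ne,
    ast.In: lambda a, b: a in b,
    ast.NotIn: lambda a, b: a not in b,
}


def rule_is_valid(rule: str) -> bool:
    """True if the rule parses and uses only the permitted constructs."""
    try:
        tree = ast.parse(rule, mode="eval")
    except SyntaxError:
        return False
    return all(isinstance(n, _ALLOWED_NODES) for n in ast.walk(tree))


def _eval(node, attrs):
    """Evaluate a parsed rule against a nested dict of forensic attributes."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, attrs)
    if isinstance(node, ast.BoolOp):
        values = [_eval(v, attrs) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.UnaryOp):            # only `not` passes validation
        return not _eval(node.operand, attrs)
    if isinstance(node, ast.Compare):
        left = _eval(node.left, attrs)
        for op, comparator in zip(node.ops, node.comparators):
            right = _eval(comparator, attrs)
            if not _COMPARE[type(op)](left, right):
                return False
            left = right
        return True
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.List):
        return [_eval(e, attrs) for e in node.elts]
    if isinstance(node, ast.Name):
        return attrs[node.id]                    # KeyError if attribute absent
    if isinstance(node, ast.Attribute):          # dotted path such as process.path
        return _eval(node.value, attrs)[node.attr]
    raise ValueError(f"syntax not allowed in a rule: {type(node).__name__}")


def rule_matches(rule: str, attrs: dict) -> bool:
    """A rule that references an attribute the result lacks simply does not match."""
    if not rule_is_valid(rule):
        raise ValueError(f"rejected rule: {rule!r}")
    try:
        return bool(_eval(ast.parse(rule, mode="eval"), attrs))
    except (KeyError, TypeError):
        return False


@dataclass
class Whitelist:
    sandfly: str
    rule: str
    mode: str       # "do_not_run": skip matching hosts; "pass": report pass instead of alert


@dataclass
class Result:
    sandfly: str
    host: str
    status: str     # "alert", "pass" or "skipped"
    tags: list = field(default_factory=list)


def scan(sandfly, host, forensics, detected, whitelists):
    """Produce one result, applying only the whitelists that exist at scan time."""
    attrs = {"host": {"name": host}, **forensics}
    matched = [w for w in whitelists if w.sandfly == sandfly and rule_matches(w.rule, attrs)]
    if any(w.mode == "do_not_run" for w in matched):
        return Result(sandfly, host, "skipped", ["Whitelisted"])
    if detected and any(w.mode == "pass" for w in matched):
        return Result(sandfly, host, "pass", ["Whitelisted"])
    return Result(sandfly, host, "alert" if detected else "pass")


def demo():
    """Constructed scenario: an alert, then a pass-mode rule, then a do-not-run rule."""
    forensics = {"process": {"name": "agent", "path": "/opt/backup/bin/agent", "uid": 0}}
    whitelists, history = [], []
    # 1. No whitelist yet: the sandfly alerts on db01. This result is never rewritten.
    history.append(scan("example_sandfly", "db01", forensics, True, whitelists))
    # 2. Operator whitelists that exact root binary in pass mode; only later scans see it.
    whitelists.append(Whitelist("example_sandfly",
        'process.path == "/opt/backup/bin/agent" and process.uid == 0', "pass"))
    history.append(scan("example_sandfly", "db01", forensics, True, whitelists))
    # 3. A do-not-run rule for lab hosts: the sandfly is skipped there entirely.
    whitelists.append(Whitelist("example_sandfly", 'host.name in ["lab01", "lab02"]', "do_not_run"))
    history.append(scan("example_sandfly", "lab01", forensics, True, whitelists))
    return history


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The first result in the history remains an alert even after the pass-mode rule is added, which is exactly the situation the warning above describes. The validator runs before evaluation so that a rule such as `__import__("os").system("id")` is rejected outright rather than evaluated; any real rule engine that takes operator-supplied expressions needs the same kind of allow-list.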