icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Cancel Visit New Splunkbase Visit
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

End User License Agreement for Third-Party Content

Splunk Websites Terms and Conditions of Use

Thank You

Downloading Sandfly Agentless Security for Linux
SHA256 checksum (sandfly-agentless-security-for-linux_453.tgz) 7b918224d5c084857d81a6254177e2a257dc9618f7f48779f8c7eb1509737e53 SHA256 checksum (sandfly-agentless-security-for-linux_452.tgz) 7401c71287c3295cdfc06b4382500872d37677c09363d761bdadbb67ce4c4512 SHA256 checksum (sandfly-agentless-security-for-linux_451.tgz) 53eb743c36dcff326a3a7f016c6ede73afcbd457f3dbcce247fdb45a1900aca0 SHA256 checksum (sandfly-agentless-security-for-linux_441.tgz) 58da2820f92fc4fd440bf04e8e159c90a3a9629fdf0fc083dd7662acb42bce4a SHA256 checksum (sandfly-agentless-security-for-linux_421.tgz) c6578ce233eb44571607d7a58bfaad0edb74bcc66b86f194797fed366acfb743 SHA256 checksum (sandfly-agentless-security-for-linux_414.tgz) 55602de735fc8323e3e03731871038b578145a7b252eee859de0ffa889f3e9eb SHA256 checksum (sandfly-agentless-security-for-linux_412.tgz) 0b04dc97e0fba1b39ebb88499dccc3c03cf435b54e937f41aa7c8792bfef54d8 SHA256 checksum (sandfly-agentless-security-for-linux_411.tgz) dc38e662179d89201aa93c7894cda3fe939f27e8813a6f78966fb073fe57b41a SHA256 checksum (sandfly-agentless-security-for-linux_405.tgz) 5e2b0f5f18e6f3176548a951f56af03cf02c920e1d591b1744d61d0dd68d4c41 SHA256 checksum (sandfly-agentless-security-for-linux_403.tgz) f6f6843e75db54e6f9b8e170a105e36f4f9ac48cc41fc591296c54d4934e5761 SHA256 checksum (sandfly-agentless-security-for-linux_204.tgz) 661faa671385211d5fce3d22e5a7aa1ccc6ef1217482719a65f842fff88778d0 SHA256 checksum (sandfly-agentless-security-for-linux_160.tgz) 7532325fe4d5324fda4b47f8672e9baad382fe7dbfe32f49dcd3e8789045e125
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate
splunk

Sandfly Agentless Security for Linux

Splunk Cloud
Overview
Details
Sandfly is an agentless intrusion detection and incident response platform for Linux. Sandfly automatically analyzes Linux hosts for intruders 24 hours a day without loading any software on your endpoints. Additionally, Sandfly can retrieve hardware, operating system and related data for analysis in Splunk. Sandfly works across virtually all Linux distributions immediately without risk to stability or performance.

The Sandfly Agentless Security for Linux App includes dashboards, reports and alerts for analyzing data ingested from a Sandfly server such as security alerts, suspicious activity, software and hardware metrics, SSH Hunter details, and Sandfly audit and error logs. Data retrieved by Sandfly can be used by Splunk users to build anomaly detection models, incident response and insights into software and hardware versions of your Linux fleet.

This app requires that the Sandfly Security Add-on for Splunk (TA-sandfly-security) already be installed and configured to ingest data into your specified index and configured with the correct sourcetypes.

The Sandfly Agentless Security for Linux App includes dashboards, reports and alerts for analyzing data ingested from a Sandfly server such as security alerts, suspicious activity, software and hardware metrics, SSH Hunter details, and Sandfly audit and error logs.

App Version 4.0.0 and later also support Sandfly Hosts and Assets and can create a CSV lookup file that is compatible with Enterprise Security Assets lookups.

This app requires that the Sandfly Security Add-on for Splunk (TA-sandfly-security) already be installed and configured to ingest data into your specified index and configured with the correct sourcetypes.

Note: If you are viewing this on Splunkbase Classic, navigate to the new Splunkbase to view the Installation Instructions and Troubleshooting guide.

Release Notes

Version 4.5.3
Aug. 23, 2024

Updated support for the following data sources:
- Sandfly SSH Hunter - added support for SSH Security Zones
- Hosts and Assets - use the new date_last_scan field in Host dashboards
- Sandflies - added support for Whitelist Rules

Added support for two new data sources:
- Sandfly Audit Logs - sandfly:logs:audit - security and system audit logs tracking user and system activity on the Sandfly Server
- Scanning Error Logs - sandfly:logs:error - error logs generated during a scan
- Whitelist Rules - sandfly:whitelist - Whitelist Rules to disable Sandflies for hosts and/or tags

New Dashboards and Alerts
- added SSH Security Zone details to existing Dashboards
- added new SSH Security Zone dashboards
- added details for Banned Keys in SSH Dashboards
- added an alert for Banned Keys
- added an alert to trigger on a Scanning Error Log
- example dashboards for Audit Logs and Scanning Error Logs
- added SourceType Review dashboard for troubleshooting
- added Whitelist Rules to display all rules
- added Whitelist Rule
Version 4.5.2
Aug. 19, 2024

Updated support for the following data sources:
- Sandfly SSH Hunter - added support for SSH Security Zones
- Hosts and Assets - use the new date_last_scan field in Host dashboards

Added support for two new data sources:
- Sandfly Audit Logs - sandfly:logs:audit - security and system audit logs tracking user and system activity on the Sandfly Server
- Scanning Error Logs - sandfly:logs:error - error logs generated during a scan

New Dashboards and Alerts
- added SSH Security Zone details to existing Dashboards
- added new SSH Security Zone dashboards
- added details for Banned Keys in SSH Dashboards
- added an alert for Banned Keys
- added an alert to trigger on a Scanning Error Log
- example dashboards for Audit Logs and Scanning Error Logs
- added SourceType Review dashboard for troubleshooting

Bug Fixes
- updates to a few reports
Version 4.5.1
Aug. 2, 2024

Updated support for the following data sources:
- Sandfly SSH Hunter - added support for SSH Security Zones

Added support for two new data sources:
- Sandfly Audit Logs - sandfly:logs:audit - security and system audit logs tracking user and system activity on the Sandfly Server
- Scanning Error Logs - sandfly:logs:error - error logs generated during a scan

New Dashboards and Alerts
- added SSH Security Zone details to existing Dashboards
- added new SSH Security Zone dashboards
- added details for Banned Keys in SSH Dashboards
- added an alert for Banned Keys
- added an alert to trigger on a Scanning Error Log
- example dashboards for Audit Logs and Scanning Error Logs

Bug Fixes
- updates to a few reports
Version 4.4.1
July 17, 2024

Added support for two new data sources:
- Sandfly Audit Logs - sandfly:logs:audit - security and system audit logs tracking user and system activity on the Sandfly Server
- Scanning Error Logs - sandfly:logs:error - error logs generated during a scan

New Dashboards and Alerts
- added an alert to trigger on a Scanning Error Log
- example dashboards for Audit Logs and Scanning Error Logs

Bug Fixes
- updates to a few reports
Version 4.2.1
Aug. 21, 2023

Updates to several dashboards and reports that used a field that was deprecated with Sandfly Server version 4.6.0 that was reflected in TA-sandfly-security version 4.2.1.
Version 4.1.4
Dec. 10, 2022

New Features:
- new Hosts and Hosts Details dashboards that correspond to refactored Host data ingested by the Sandfly Security Add-on for Splunk version 4.1.4
Version 4.1.2
Nov. 14, 2022

New Features
- added support for SSH Hunter Key, User and Host Investigation events
- added a Key Investigation dashboard, User Investigation dashboard and Host Investigation dashboard
- added dashboards for SSH Hunter Key Summary and Key Details information
- added dashboards for User and Host Summary information
- added Alerts for SSH Hunter Key Investigation data to alert on Keys First Seen Today and Keys First Seen This Week
- added an Alert to generate a Sandfly CSV lookup file
Version 4.1.1
Nov. 7, 2022

New Features
- added support for SSH Hunter Key Investigation events with a Key Investigation dashboard
- added dashboards for SSH Hunter Key Summary and Key Details information
- added Alerts for SSH Hunter Key Investigation data to alert on Keys First Seen Today and Keys First Seen This Week
Version 4.0.5
Oct. 23, 2022

Updated to support Sandfly Devices ingested with the Sandfly Security Add-on for Splunk.

There are two Alerts that can be enabled to create CSV lookup files with device information. The Assets CSV Lookup file is compatible with the Enterprise Security Assets Lookup. The Devices CSV Lookup is a more extensive lookup file that can be used to enhance reports with information about a devices Hardware and Operating System.

Added a SSH Keys Report dashboard and a few reports looking at the SSH authorized_keys file. Added a new Alert to trigger on hosts with an immutable authorized_keys file. Added Reports to view authorized_keys files created over last 24, 48, 72 hours.
Version 4.0.3
Sept. 22, 2022

Updated to support Sandfly Devices ingested with the Sandfly Security Add-on for Splunk.

There are two Alerts that can be enabled to create CSV lookup files. The Assets CSV Lookup file is compatible with the Enterprise Security Assets Lookup. The Devices CSV Lookup is a more extensive lookup file that can be used to enhance reports with information about a devices Hardware and Operating System.
Version 2.0.4
Nov. 6, 2021

Updated to support version 4 (v4) of the Sandfly Security REST API and changes to the event fields.

Please modify the "sandfly_search" macro to only search the Sandfly Alarms index on your specific deployment.
Version 1.6.0
Nov. 21, 2020

Fixed an issue installing on Splunk 8.1 where the initial app configuration is not working correctly. Now use the "Manage Apps" page and click the "Set up" link to modify the "sandfly_search" macro.
1,369
Downloads
Share Subscribe LOGIN TO DOWNLOAD
Version
Built by
Sandfly Security
Support
Developer Supported
Contact Developer Questions on Splunk Answers Flag as inappropriate
Compatibility
This version of the app (1.6.0) is not available for Splunk Cloud. However, version 4.1.4 of this app is available for Splunk Cloud.
Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise
Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1 Platform: Platform Independent CIM Versions: 5.x, 4.x, 3.x Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1 Platform: Platform Independent CIM Versions: 5.x, 4.x, 3.x Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1 Platform: Platform Independent CIM Versions: 5.x, 4.x, 3.x Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1 Platform: Platform Independent CIM Versions: 5.x, 4.x, 3.x Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1 Platform: Platform Independent CIM Versions: 5.x, 4.x, 3.x Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1 Platform: Platform Independent CIM Versions: 5.x, 4.x, 3.x Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1 Platform: Platform Independent CIM Versions: 5.x, 4.x, 3.x Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1 Platform: Platform Independent CIM Versions: 5.x, 4.x, 3.x Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1 Platform: Platform Independent CIM Versions: 5.x, 4.x, 3.x Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1 Platform: Platform Independent CIM Versions: 5.x, 4.x, 3.x Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1, 8.0 Platform: Platform Independent CIM Versions: 5.x, 4.x Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1, 8.0, 7.3 Platform: Platform Independent
Licensing
End User License Agreement for Third-Party Content
Category & Contents
Categories: Security, Fraud & Compliance, Endpoint
App Type: App
Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Submit New Splunk App Dev Resources
PLATFORM
Data-to-Everything Platform
Splunk Cloud
Splunk Enterprise
Splunk Machine Learning Toolkit
Splunk Data Stream Processor
Pricing
Free Trials & Downloads
SECURITY PRODUCTS
Splunk Enterprise Security
Splunk Phantom
Splunk Mission Control
Splunk User Behavior Analytics
IT OPERATIONS & OBSERVABILITY PRODUCTS
Splunk Infrastructure Monitoring
Splunk IT Service Intelligence
Splunk Application Performance Monitoring
Splunk On-Call
SOLUTIONS BY INITIATIVE
Cloud Transformation
SOLUTIONS BY FUNCTION
Security
IT
Devops
SOLUTIONS BY INDUSTRY
Aerospace & Defense
Communications
Energy & Utilities
Financial Services
Healthcare
Higher Education
Manufacturing
Nonprofits
Online Services
Public Sector
Retail
WHY SPLUNK?
Why Splunk?
Customer Stories
Partners
Data-to-Everything
Diversity & Inclusion
SUPPORT
Support Portal
Support Programs
Splunk Answers
Contact Us
Product Security Updates
RESOURCES
Events
Webinars
Blogs
Customer Success
Expert Services
Data Insider
View All Resources
FOR DEVELOPERS
Documentation
Best Practices
Get Started with Splunk
Training & Certification
User Groups
Community
Splunkbase
Splunk dev
COMPANY
About Splunk
Careers
Leadership
Splunk for Good
Splunk Ventures
Splunk Protects
Newsroom
COVID-19 Response
SPLUNK SITES
.conf
Splunk Live!
T-Shirt Store
Investor Relations
Follow Us:
© 2005-2024 Splunk Inc. All rights reserved.
Sitemap | Privacy | Website Terms of Use | Splunk Licensing Terms | Export Control | Modern Slavery Statement | Splunk Patents | Report a Problem
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.