The Sandfly Agentless Security for Linux App includes dashboards, reports and alerts for analyzing data ingested from a Sandfly server such as security alerts, suspicious activity, software and hardware metrics, SSH Hunter details, and Sandfly audit and error logs.
App Version 4.0.0 and later also support Sandfly Hosts and Assets and can create a CSV lookup file that is compatible with Enterprise Security Assets lookups.
This app requires that the Sandfly Security Add-on for Splunk (TA-sandfly-security) already be installed and configured to ingest data into your specified index and configured with the correct sourcetypes.
Note: If you are viewing this on Splunkbase Classic, navigate to the new Splunkbase to view the Installation Instructions and Troubleshooting guide.
Updated support for the following data sources:
- Sandfly SSH Hunter - added support for SSH Security Zones
- Hosts and Assets - use the new date_last_scan field in Host dashboards
- Sandflies - added support for Whitelist Rules
Added support for two new data sources:
- Sandfly Audit Logs - sandfly:logs:audit - security and system audit logs tracking user and system activity on the Sandfly Server
- Scanning Error Logs - sandfly:logs:error - error logs generated during a scan
- Whitelist Rules - sandfly:whitelist - Whitelist Rules to disable Sandflies for hosts and/or tags
New Dashboards and Alerts
- added SSH Security Zone details to existing Dashboards
- added new SSH Security Zone dashboards
- added details for Banned Keys in SSH Dashboards
- added an alert for Banned Keys
- added an alert to trigger on a Scanning Error Log
- example dashboards for Audit Logs and Scanning Error Logs
- added SourceType Review dashboard for troubleshooting
- added Whitelist Rules to display all rules
- added Whitelist Rule
Updated support for the following data sources:
- Sandfly SSH Hunter - added support for SSH Security Zones
- Hosts and Assets - use the new date_last_scan field in Host dashboards
Added support for two new data sources:
- Sandfly Audit Logs - sandfly:logs:audit - security and system audit logs tracking user and system activity on the Sandfly Server
- Scanning Error Logs - sandfly:logs:error - error logs generated during a scan
New Dashboards and Alerts
- added SSH Security Zone details to existing Dashboards
- added new SSH Security Zone dashboards
- added details for Banned Keys in SSH Dashboards
- added an alert for Banned Keys
- added an alert to trigger on a Scanning Error Log
- example dashboards for Audit Logs and Scanning Error Logs
- added SourceType Review dashboard for troubleshooting
Bug Fixes
- updates to a few reports
Updated support for the following data sources:
- Sandfly SSH Hunter - added support for SSH Security Zones
Added support for two new data sources:
- Sandfly Audit Logs - sandfly:logs:audit - security and system audit logs tracking user and system activity on the Sandfly Server
- Scanning Error Logs - sandfly:logs:error - error logs generated during a scan
New Dashboards and Alerts
- added SSH Security Zone details to existing Dashboards
- added new SSH Security Zone dashboards
- added details for Banned Keys in SSH Dashboards
- added an alert for Banned Keys
- added an alert to trigger on a Scanning Error Log
- example dashboards for Audit Logs and Scanning Error Logs
Bug Fixes
- updates to a few reports
Added support for two new data sources:
- Sandfly Audit Logs - sandfly:logs:audit - security and system audit logs tracking user and system activity on the Sandfly Server
- Scanning Error Logs - sandfly:logs:error - error logs generated during a scan
New Dashboards and Alerts
- added an alert to trigger on a Scanning Error Log
- example dashboards for Audit Logs and Scanning Error Logs
Bug Fixes
- updates to a few reports
Updates to several dashboards and reports that used a field that was deprecated with Sandfly Server version 4.6.0 that was reflected in TA-sandfly-security version 4.2.1.
New Features:
- new Hosts and Hosts Details dashboards that correspond to refactored Host data ingested by the Sandfly Security Add-on for Splunk version 4.1.4
New Features
- added support for SSH Hunter Key, User and Host Investigation events
- added a Key Investigation dashboard, User Investigation dashboard and Host Investigation dashboard
- added dashboards for SSH Hunter Key Summary and Key Details information
- added dashboards for User and Host Summary information
- added Alerts for SSH Hunter Key Investigation data to alert on Keys First Seen Today and Keys First Seen This Week
- added an Alert to generate a Sandfly CSV lookup file
New Features
- added support for SSH Hunter Key Investigation events with a Key Investigation dashboard
- added dashboards for SSH Hunter Key Summary and Key Details information
- added Alerts for SSH Hunter Key Investigation data to alert on Keys First Seen Today and Keys First Seen This Week
Updated to support Sandfly Devices ingested with the Sandfly Security Add-on for Splunk.
There are two Alerts that can be enabled to create CSV lookup files with device information. The Assets CSV Lookup file is compatible with the Enterprise Security Assets Lookup. The Devices CSV Lookup is a more extensive lookup file that can be used to enhance reports with information about a devices Hardware and Operating System.
Added a SSH Keys Report dashboard and a few reports looking at the SSH authorized_keys file. Added a new Alert to trigger on hosts with an immutable authorized_keys file. Added Reports to view authorized_keys files created over last 24, 48, 72 hours.
Updated to support Sandfly Devices ingested with the Sandfly Security Add-on for Splunk.
There are two Alerts that can be enabled to create CSV lookup files. The Assets CSV Lookup file is compatible with the Enterprise Security Assets Lookup. The Devices CSV Lookup is a more extensive lookup file that can be used to enhance reports with information about a devices Hardware and Operating System.
Updated to support version 4 (v4) of the Sandfly Security REST API and changes to the event fields.
Please modify the "sandfly_search" macro to only search the Sandfly Alarms index on your specific deployment.
Fixed an issue installing on Splunk 8.1 where the initial app configuration is not working correctly. Now use the "Manage Apps" page and click the "Set up" link to modify the "sandfly_search" macro.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.