Splunk App for Sandfly Agentless Intrusion Detection for Linux Now Available

We are pleased to announce the release of the Sandfly Splunk app. This new app is available on Splunkbase. Sandfly users can now combine the powerful search and analysis features of Splunk, with Sandfly’s leading agentless security and visibility into Linux.

Not only can you get intrusion detection and security alerts sent to Splunk, but you can also use it to aggregate a host of other data to track assets, detect anomalies and build rich detailed reports of what is going on with your Linux fleet. Best of all, it’s using Sandfly’s completely agentless deployment so you don’t have to load any agents on your Linux endpoints.

In this video, Sandfly founder Craig Rowland goes over the new Splunk App and demonstrates investigating a compromised Linux web server running an active backdoor.

The new dashboard gives you access to the performance of Sandfly. Sandfly is constantly hunting for Linux threats and you can easily visualize this activity. Not only can you see normal activity, but you can filter for security alerts that need immediate attention and get to forensic data quickly.

A below example shows how many Sandfly checks have been executed against protected hosts. These numbers are all inclusive, but can be quickly filtered to only show security relevant events.

On top of pure security data, Sandfly is excellent at collecting operating system metrics. Because we are agentless, we can collect detailed operating system data without loading any agents. You can get instant visibility into your Linux hosts using Sandfly and Splunk.

Sandfly can easily get information such as:

Linux distribution versions.
Kernel versions.
Drive mounts.
Load values.
Hardware data such as serial numbers, CPU types and CPU bugs.
Much more.

Sandfly updates this data every time we check a host for threats so it is always current.

Splunk and Sandfly Report on Linux Kernel Versions

Sandfly can also pull over data that can be useful to know in terms of security awareness.

For instance, we can show brute force usernames being tried against your systems that normally would require logging agents on all your Linux hosts to obtain. We can also show data around most frequently attacked hosts, hosts that are launching the attacks, processes running with network activity and many other pieces of information that can help determine if a security threat may be present.

Splunk and Sandfly Showing Linux SSH Brute Force Attempts

Sandfly can also help watch for policy violations and risky security practices. For instance a lot of organizations disallow password logins over SSH, Sandfly can easily tell you which accounts have password hashes present that can be at risk.

Or perhaps you are interested in knowing which accounts have SSH login keys present? We can tell you that as well:

Users with valid SSH authorized_keys files for login.

Of course, when an attack is seen you can easily use Splunk to dive into every aspect of what is going on forensically. We have multiple dashboards and widgets to enable investigating suspicious activity on Linux. All of Sandfly’s forensic data is completely searchable inside Splunk using standard querying methods and can also be used for their Machine Learning features and much more.

Compromised Linux host investigation with Splunk and Sandfly.

Intrusion detection on Linux with Splunk.

Detailed Linux forensic investigation with Splunk and Sandfly's agentless intrusion detection. — Detailed Linux forensic investigation with Splunk and Sandfly’s agentless intrusion detection.

Sandfly’s Splunk app is available now free of charge for Sandfly users. You can find it at Splunkbase.