Publisher: Sandfly Security, Ltd.
Connector Version: 1.4.0
Product Vendor: Sandfly Security
Product Name: Sandfly Security Agentless Linux Security
Product Version Supported (regex): ".*"
Minimum Product Version: 5.5.0
Sandfly Security app to gather information, initiate system scans, and perform other actions on the Sandfly Server.
You must have an active Sandfly Security account in order to trigger actions. The account must also have an active license with the Splunk Connector feature activated. The configuration below will require your Sandfly Security Server portal URL and a username and password that can trigger the actions or retrieve the information.
The app uses the HTTP/HTTPS protocol to communicate with the Sandfly Security server. Below are the default ports used by Splunk SOAR.

Service Name | Transport Protocol | Port |
---|---|---|
http | tcp | 80 |
https | tcp | 443 |
The configuration variables below are required for this Connector to operate. They are specified when configuring a Sandfly Security Agentless Linux Security asset in SOAR.

VARIABLE | REQUIRED | TYPE | DESCRIPTION |
---|---|---|---|
Sandfly Server URL | required | string | Sandfly Server URL |
Username | required | string | Login Username |
Password | required | password | Login Password |
test connectivity - Validate the asset configuration for connectivity using supplied configuration
scan host - Run a Sandfly investigation
sandfly full investigation - Run a full Sandfly investigation
sandfly process investigation - Run a Sandfly process investigation
sandfly file investigation - Run a Sandfly file investigation
sandfly directory investigation - Run a Sandfly directory investigation
sandfly log tamper investigation - Run a Sandfly log tamper investigation
sandfly user investigation - Run a Sandfly user investigation
sandfly recon investigation - Run a Sandfly recon investigation
list endpoints - List all the endpoints/sensors configured on the device
get system info - Get information about an endpoint
list users - List the user accounts on a machine
list processes - List the running processes on a machine
Validate the asset configuration for connectivity using supplied configuration
Type: test
Read only: True
No parameters are required for this action
No Output
Run a Sandfly investigation
Type: investigate
Read only: False
Run a Sandfly investigation against the target host for the selected types.

PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip_hostname | required | IP or name of the host | string | |
directory | optional | Sandfly Type - directory | boolean | |
file | optional | Sandfly Type - file | boolean | |
incident | optional | Sandfly Type - incident | boolean | |
log | optional | Sandfly Type - log | boolean | |
policy | optional | Sandfly Type - policy | boolean | |
process | optional | Sandfly Type - process | boolean | |
recon | optional | Sandfly Type - recon | boolean | |
user | optional | Sandfly Type - user | boolean | |

DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.directory | boolean | | |
action_result.parameter.file | boolean | | |
action_result.parameter.incident | boolean | | |
action_result.parameter.ip_hostname | string | | |
action_result.parameter.log | boolean | | |
action_result.parameter.policy | boolean | | |
action_result.parameter.process | boolean | | |
action_result.parameter.recon | boolean | | |
action_result.parameter.user | boolean | | |
action_result.data | string | | |
action_result.summary | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
Run a full Sandfly investigation
Type: investigate
Read only: False
Run a full Sandfly investigation for all process, file, directory, log, user, incident, policy and recon types.

PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip_hostname | required | IP or Hostname | string | |

DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.ip_hostname | string | | |
action_result.data | string | | |
action_result.summary | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
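As an added illustration (example code, not part of the connector itself), the Python helper below models the parameter contract of the `scan host` and `sandfly full investigation` actions from the tables above and derives the `summary.total_objects` data paths from a list of action results. The hostname syntax check, the rejection of unknown parameters, and the rule that at least one Sandfly type must be selected are this example's own assumptions.

```python
import ipaddress
import re

# Investigation types accepted by 'scan host' (from the action's parameter table).
SANDFLY_TYPES = ("directory", "file", "incident", "log", "policy", "process", "recon", "user")

# Syntactic hostname check (assumption): 1-63 char labels, no leading/trailing hyphen, max 253 chars.
_HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")


def is_ip_or_hostname(value: str) -> bool:
    """True if value parses as an IPv4/IPv6 address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(value))


def _to_bool(value) -> bool:
    """Playbooks may pass the type flags as strings; accept only 'true'/'false' spellings."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"expected a boolean, got {value!r}")


def build_scan_request(param: dict, full: bool = False) -> dict:
    """Validate 'scan host' parameters and return the host plus the selected types.

    full=True models 'sandfly full investigation': every type is selected and any
    per-type flags are ignored. Requiring at least one type is this helper's own rule.
    """
    host = str(param.get("ip_hostname", "")).strip()
    if not is_ip_or_hostname(host):
        raise ValueError("ip_hostname is required and must be an IP address or hostname")
    unknown = set(param) - {"ip_hostname", *SANDFLY_TYPES}
    if unknown:
        raise ValueError(f"unknown parameter(s): {sorted(unknown)}")
    if full:
        types = list(SANDFLY_TYPES)
    else:
        types = [t for t in SANDFLY_TYPES if _to_bool(param.get(t, False))]
    if not types:
        raise ValueError("select at least one Sandfly type")
    return {"host": host, "types": types}


def summarize(results: list) -> dict:
    """Derive summary.total_objects / summary.total_objects_successful from action_result.status values."""
    ok = sum(1 for r in results if r.get("status") == "success")
    return {"total_objects": len(results), "total_objects_successful": ok}
```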
Run a Sandfly process investigation
Type: investigate
Read only: False
Run a Sandfly investigation against the target system for the process type.

PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip_hostname | required | IP or Hostname of the target system | string | |

DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.ip_hostname | string | | |
action_result.data | string | | |
action_result.summary | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
Run a Sandfly file investigation
Type: investigate
Read only: False
Run a Sandfly investigation against the target system for the file type.

PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip_hostname | required | IP or Hostname of the target system | string | |

DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.ip_hostname | string | | |
action_result.data | string | | |
action_result.summary | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
Run a Sandfly directory investigation
Type: investigate
Read only: False
Run a Sandfly investigation against the target system for the directory type.

PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip_hostname | required | IP or Hostname of the target system | string | |

DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.ip_hostname | string | | |
action_result.data | string | | |
action_result.summary | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
Run a Sandfly log tamper investigation
Type: investigate
Read only: False
Run a Sandfly investigation against the target system for the log type.

PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip_hostname | required | IP or Hostname of the target system | string | |

DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.ip_hostname | string | | |
action_result.data | string | | |
action_result.summary | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
Run a Sandfly user investigation
Type: investigate
Read only: False
Run a Sandfly investigation against the target system for the user type.

PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip_hostname | required | IP or Hostname of the target system | string | |

DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.ip_hostname | string | | |
action_result.data | string | | |
action_result.summary | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
Run a Sandfly recon investigation
Type: investigate
Read only: False
Run a Sandfly investigation against the target system for the recon type.

PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip_hostname | required | IP or Hostname of the target system | string | |

DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.ip_hostname | string | | |
action_result.data | string | | |
action_result.summary | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
List all the endpoints/sensors configured on the device
Type: investigate
Read only: True
No parameters are required for this action

DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.data | string | | |
action_result.summary | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
Get information about an endpoint
Type: investigate
Read only: True

PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip_hostname | required | Hostname/IP address of the endpoint to get information about | string | host name ip |

DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.ip_hostname | string | host name ip | |
action_result.data | string | | |
action_result.summary | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
List the user accounts on a machine
Type: investigate
Read only: True
List all user accounts on the specified system.

PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip_hostname | required | Hostname/IP of the machine to list user accounts on | string | ip host name |

DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.ip_hostname | string | ip host name | |
action_result.data | string | | |
action_result.summary | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
List the running processes on a machine
Type: investigate
Read only: True

PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip_hostname | optional | Hostname/IP of the machine to list processes on | string | ip host name |

DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.ip_hostname | string | ip host name | |
action_result.data | string | | |
action_result.summary | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |