1/29/2024

Sandfly 4.5.0 has received a massive capability upgrade with a new expression language syntax. This upgrade greatly expands how our agentless threat hunting and incident response modules can be used to protect Linux.

All built-in modules have been reviewed and the depth of coverage for Linux threats broadened.

The new expression language syntax allows rapid and wider creation of custom threat hunting sandflies for customers.

We have expanded our CPU support to cover IBM POWER8, POWER9 and POWER10 processors.

This update has important changes for customers using existing custom sandflies. Please see the section on upgrading custom sandflies below for more details.

New Expression Language Syntax

Today we introduce a new expression language syntax based on the expr package in Go. The expression language allows customers to more rapidly create new modules using any of the Linux forensic parameters collected by Sandfly.

For instance, if you wanted to do a simple search for a process SHA512 hash in the past you would do the following.

Under the new expression language syntax the form changes to.

The new syntax allows combining multiple data fields with conventional logic operators (and, or, not), plus comparisons of integer and floating point fields (<, >, ==, !=).

Further, you can search inside forensic array data such as SSH keys found by Sandfly, user details, file and process attributes, and other critical Linux forensic data. Additionally, it includes full regex support and the ability to use logic operators for negation, conditional checks, and much more.

For example, below we are searching for any SSH key using older ssh-rsa values as part of a security policy sweep.

The expression language syntax is covered in our online documentation.

Sandfly forensic keyword names and types are defined in the Sandfly Forensic Keywords reference.

Expanded Coverage for Linux Threats

During the expression syntax upgrade we took the time to expand many Linux threat hunting modules internally. We are now able to spot more kinds of attacks against Linux, and modules have been upgraded to find wider threat variants.

Upgrading Custom Sandflies

While the new syntax is very powerful, it is not backwards compatible with the old format sandflies you may have created.