Sphinx

Highly Scalable Open Source Endpoint Monitoring



Real-time Auditing and Analysis of Endpoints

Works by collecting various types of event logs, including process execution (with the MD5 hash of the executable), network activity, DLL/driver loading, and miscellaneous system events.

Answers fundamental security questions like:

  • Can we get a list of every event that happened on machine X between date Y and date Z?
  • Can we graphically trace what happened on my computer in the last 10 minutes because I feel there's something weird going on?
  • Who has run a piece of malware whose existence cannot be detected by our existing Anti-Virus product on our network?
  • Give me a list of program executions and DLL loads whose reputation is questionable or bad.
  • Are there any DLLs injected into explorer.exe whose digital signature does not belong to Microsoft?

Powerful Analysis Interface

Build powerful analysis queries using a graphical user interface. Example queries:

  • Process execution with malicious/unknown hashes
  • Process execution with network activities
  • Security events such as firewall rule updates, registry modifications, etc.

Graphically walk process execution flow for further analysis.
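The questions listed above and the example queries in this section, expressed as detection logic over a handful of constructed endpoint events. This is an added example, not Sphinx's own code or event format: the field names, the sample events and the hash allow-list are all assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample events; the field names are an assumed schema, not Sphinx's real one.
EVENTS = [
    {"host": "ws-01", "ts": "2016-03-01T09:58:00", "type": "process",
     "image": r"C:\Windows\explorer.exe", "md5": "11111111111111111111111111111111"},
    {"host": "ws-01", "ts": "2016-03-01T10:01:30", "type": "process",
     "image": r"C:\Users\bob\Downloads\invoice.exe", "md5": "deadbeefdeadbeefdeadbeefdeadbeef"},
    {"host": "ws-01", "ts": "2016-03-01T10:01:45", "type": "dll_load", "process": "explorer.exe",
     "image": r"C:\Windows\System32\shell32.dll", "signer": "Microsoft Windows"},
    {"host": "ws-01", "ts": "2016-03-01T10:02:00", "type": "dll_load", "process": "explorer.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\hook.dll", "signer": None},
    {"host": "ws-01", "ts": "2016-03-01T10:02:10", "type": "network",
     "process": "invoice.exe", "dst": "203.0.113.7:443"},
    {"host": "ws-02", "ts": "2016-03-01T11:00:00", "type": "process",
     "image": r"C:\Windows\System32\notepad.exe", "md5": "22222222222222222222222222222222"},
]

# Constructed allow-list standing in for a hash reputation source.
KNOWN_GOOD_MD5 = {"11111111111111111111111111111111", "22222222222222222222222222222222"}

def events_on_host(events, host, start, end):
    """Every event on `host` with start <= timestamp <= end (ISO-8601 strings)."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [e for e in events
            if e["host"] == host and lo <= datetime.fromisoformat(e["ts"]) <= hi]

def unknown_hash_executions(events, known_good):
    """Process executions whose MD5 is not on the allow-list (unknown/bad reputation)."""
    return [e for e in events if e["type"] == "process" and e["md5"] not in known_good]

def non_microsoft_dlls(events, target="explorer.exe"):
    """DLLs loaded into `target` whose signer is missing or is not Microsoft."""
    return [e for e in events if e["type"] == "dll_load" and e["process"] == target
            and not (e["signer"] or "").startswith("Microsoft")]

def hosts_running_hash(events, md5):
    """Which machines executed a binary with this hash (the 'who ran this malware' question)."""
    return sorted({e["host"] for e in events if e["type"] == "process" and e["md5"] == md5})

def processes_with_network(events):
    """Process executions whose process name also appears in network activity events."""
    talkers = {e["process"] for e in events if e["type"] == "network"}
    return [e for e in events
            if e["type"] == "process" and e["image"].rsplit("\\", 1)[-1] in talkers]
```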


Real-time Alerting

Use analysis queries to generate alerts.
Allows incident response teams to quickly engage with security events and kick off investigations.


Scalability

Built on Elasticsearch and Logstash; provides horizontal scalability.

Plays nicely with existing Elasticsearch-based log aggregation/monitoring systems.