Diffy: an interesting DFIR tool released from Netflix’s SIRT

The Netflix Security Intelligence and Response Team (SIRT) has released (under Apache 2.0 license) a triage tool to help digital forensics and incident response teams quickly identify compromised hosts on which to focus their response.

The tool, written in python 3 and named “Diffy”, is strictly focused on security incidents on cloud architectures.

It’s called “Diffy” because it helps a human investigator to identify the differences between instances and quickly scope a compromise across cloud instances during an incident, and triage those instances for followup actions.

The tool is currently focused on Linux instances running within Amazon Web Services (AWS), but owing to our plugin structure, could support multiple platforms and cloud providers.

How it works?

From release post on Netflix Tech Blog:

Diffy finds outliers among a group of very similar hosts (e.g. AWS Auto Scaling Groups) and highlights those for a human investigator, who can then examine those hosts more closely. More importantly, Diffy helps an investigator avoid wasting time in forensics against hosts that don’t need close examination.

How does Diffy do this? Diffy implements two methods to find outliers: a “functional baseline” method (implemented now), and a “clustering” method.

and more, about functional baseline and clustering:

Functional baseline
Osquery table output representing system state is collected from a single newly-deployed representative instance and stored for later comparison.
During an incident, osquery table output is collected from all instances in an application group.
Instances are compared to the baseline. Suspicious differences are highlighted for the investigator’s follow-up.

During an incident, osquery table output is collected from all instances in an application group.
No pre-incident baseline need be collected.
A clustering algorithm is used to identify dissimilar elements in system state (for example, an unexpected listening port, or a running process with an unusual name).


  • Efficiently highlights outliers in security-relevant instance behavior. For example, you can use Diffy to tell you which of your instances are listening on an unexpected port, are running an unusual process, include a strange crontab entry, or have inserted a surprising kernel module.
  • Uses one, or both, of two methods to highlight differences:
    • Collection of a “functional” baseline from a “clean” running instance, against which your instance group is compared, and
    • Collection of a “clustered” baseline, in which all instances are surveyed, and outliers are made obvious.
  • Uses a modular plugin-based architecture. We currently include plugins for collection using osquery via AWS Systems Manager (formerly known as Simple Systems Manager or SSM).


Via pip:

pip install diffy

More information and downloads


This site uses Akismet to reduce spam. Learn how your comment data is processed.