Snare Solutions¶
About¶
Snare is the go to centralized logging solution that pairs well with any SIEM or Security Analytics platform. Snare helps companies around the world improve their log collection, management and analysis with dependable tools that save time, save money & reduce risk.
Product Details¶
Vendor URL: Log Collection & Managements
Product Type: Log Management
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Snare Solutions - Confluence
Log Guide: Snare Solutions - Confluence
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: 75%
Data Label: SNARE_SOLUTIONS
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| access | security_result.description |
| access_mask | security_result.summary |
| accountname | target.user.userid |
| applicationname | principal.application |
| AuthenticationSetId | target.resource.id |
| AuthenticationSetName | target.resource.name |
| callercomputer | principal.hostname |
| clientaddress | target.ip |
| clientport | target.port |
| ConnectionSecurityRuleId | target.resource.id |
| ConnectionSecurityRuleName | target.resource.name |
| CryptographicSetId | target.resource.id |
| CryptographicSetName | target.resource.name |
| description | metadata.description |
| description | security_result.action |
| destinationaddress | target.ip |
| destinationport | target.port |
| domain | principal.administrative_domain |
| errorcode | additional.fields.SubStatus |
| error_code | security_result.description |
| filename | target.file.full_path |
| filterid | target.resource.id |
| filtername | target.resource.name |
| group | target.user.group_identifiers |
| groupdomain | target.administrative_domain |
| groupname | target.group.group_display_name |
| groupsid | target.group.windows_sid |
| keyfilepath | target.file.full_path |
| keyname | target.resource.name |
| keytype | target.resource.type |
| logon_id | principal.user.product_object_id |
| logonaccount | target.user.userid |
| membername | target.user.userid |
| membersid | target.user.windows_sid |
| newaccountname | target.user.userid |
| newsecuritydescriptor | target.file.full_path |
| object_name | target.file.full_path |
| object_name | target.process.file.full_path |
| object_name | target.registry.registry_key |
| object_name | target.resource.name |
| object_server | target.resource.name |
| object_type | target.resource.type |
| observer | observer.hostname |
| observer | observer.ip |
| observer_domain | observer.administrative_domain |
| oldaccountname | src.user.userid |
| originalsecuritydescriptor | src.file.full_path |
| packagename | additional.fields.package_name |
| permissions | target.user.attribute.permissions |
| principal | principal.hostname |
| principal | principal.ip |
| principal_domain | principal.administrative_domain |
| principal_group | principal.user.group_identifiers |
| principal_host | principal.hostname |
| principal_host | principal.ip |
| principal_port | principal.port |
| principal_user | principal.user.userid |
| process_id | principal.process.pid |
| process_name | principal.application |
| processid | principal.process.pid |
| processname | principal.process.file.full_path |
| processname | target.process.file.full_path |
| product | metadata.product_name |
| product_event | metadata.product_event_type |
| profile_used | additional.fields |
| profilechanged | target.group.group_display_name |
| public_rule | additional.fields |
| record | principal.user.group_identifiers |
| relativetargetname | target.file.full_path |
| resourceattributes | target.resource.id |
| rule_id | security_result.rule_id |
| rule_name | security_result.rule_name |
| ruleid | target.resource.id |
| rulename | target.resource.name |
| security_id | principal.user.windows_sid |
| securityid | target.group.windows_sid |
| securitypackagename | target.file.full_path |
| servicefilename | target.process.file.full_path |
| servicename | target.application |
| servicename | target.process.command_line |
| SettingType | target.resource.name |
| severity | security_result.severity |
| sharename | target.resource.name |
| sharepath | target.file.full_path |
| smb_host | additional.fields |
| smb_stage1 | additional.fields |
| smb_uid | additional.fields |
| sourceaddress | principal.ip |
| sourcenetworkaddress | principal.ip |
| sourceport | principal.port |
| sourceprocessid | src.process.pid |
| statically Defined | metadata.event_type |
| subjectaccountdomain | principal.administrative_domain |
| subjectaccountname | principal.user.userid |
| subjectaccountname | target.user.userid |
| subjectdomain | principal.administrative_domain |
| subjectname | principal.user.userid |
| subjectsid | principal.user.windows_sid |
| subjectsid | target.user.windows_sid |
| subjectusersid | principal.user.windows_sid |
| target | target.hostname |
| target | target.ip |
| target_domain | target.administrative_domain |
| target_host | target.hostname |
| target_host | target.ip |
| target_port | target.port |
| targetaccountdomain | target.administrative_domain |
| targetaccountname | target.user.userid |
| targetdomainname | target.administrative_domain |
| targetdomainname | target.hostname |
| targetname | target.user.userid |
| targetprocessid | target.process.pid |
| targetserver | target.hostname |
| targetsid | target.user.windows_sid |
| targetuserattribute | target.user.attribute.labels |
| taskname | target.resource.name |
| uacvalue0 | principal.resource.attribute.labels |
| uacvalue1 | target.resource.attribute.labels |
| userattribute | principal.user.attribute.labels |
| usersid | principal.user.windows_sid |
| vendor | metadata.vendor_name |
| version | metadata.product_version |
| workstationname | principal.hostname |
| workstationname | target.hostname |
Product Event Types¶
| EventID, summary | UDM Event Classification |
|---|---|
| 4622 | FILE_UNCATEGORIZED |
| 4624 | USER_LOGIN |
| 4625 | USER_LOGIN |
| 4627 | GENERIC_EVENT, GROUP_UNCATEGORIZED |
| 4634 | USER_LOGOUT |
| 4648 | USER_LOGIN |
| 4663 | FILE_OPEN, PROCESS_OPEN, REGISTRY_UNCATEGORIZED, USER_RESOURCE_ACCES |
| 4670 | FILE_MODIFICATION, REGISTRY_MODIFICATION, USER_RESOURCE_UPDATE_PERMISSIONS |
| 4672 | USER_LOGIN |
| 4690 | PROCESS_UNCATEGORIZED |
| 4697 | SERVICE_UNSPECIFIED |
| 4698 | SCHEDULED_TASK_CREATION |
| 4699 | SCHEDULED_TASK_DELETION |
| 4700 | SCHEDULED_TASK_ENABLE |
| 4701 | SCHEDULED_TASK_DISABLE |
| 4702 | SCHEDULED_TASK_MODIFICATION |
| 4715 | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| 4719 | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| 4720 | USER_CREATION |
| 4722 | USER_CHANGE_PERMISSIONS |
| 4723 | USER_CHANGE_PASSWORD |
| 4724 | USER_CHANGE_PASSWORD |
| 4725 | USER_CHANGE_PERMISSIONS |
| 4726 | USER_DELETION |
| 4728 | GROUP_MODIFICATION |
| 4729 | GROUP_MODIFICATION |
| 4732 | GROUP_MODIFICATION |
| 4733 | GROUP_MODIFICATION |
| 4734 | GROUP_DELETION |
| 4735 | GROUP_MODIFICATION |
| 4737 | GROUP_MODIFICATION |
| 4738 | USER_UNCATEGORIZED |
| 4740 | USER_UNCATEGORIZED |
| 4741 | USER_RESOURCE_CREATION |
| 4742 | USER_RESOURCE_UPDATE_CONTENT |
| 4750 | USER_RESOURCE_UPDATE_CONTENT |
| 4751 | USER_RESOURCE_UPDATE_CONTENT |
| 4752 | GROUP_MODIFICATION |
| 4755 | GROUP_MODIFICATION |
| 4756 | GROUP_MODIFICATION |
| 4757 | GROUP_MODIFICATION |
| 4768 | GENERIC_EVENT |
| 4769 | GENERIC_EVENT |
| 4770 | GENERIC_EVENT |
| 4771 | GENERIC_EVENT, USER_LOGIN |
| 4772 | GENERIC_EVENT |
| 4776 | USER_UNCATEGORIZED |
| 4777 | USER_UNCATEGORIZED |
| 4781 | USER_UNCATEGORIZED |
| 4798 | GROUP_UNCATEGORIZED |
| 4799 | GROUP_MODIFICATION |
| 4800 | USER_STATS |
| 4801 | USER_STATS |
| 4946 | SETTING_MODIFICATION |
| 4948 | SETTING_MODIFICATION |
| 4950 | SETTING_MODIFICATION |
| 4957 | SETTING_MODIFICATION |
| 4964 | GROUP_MODIFICATION |
| 5038 | FILE_UNCATEGORIZED |
| 5042 | SETTING_MODIFICATION |
| 5045 | SETTING_MODIFICATION |
| 5048 | SETTING_MODIFICATION |
| 5058 | FILE_UNCATEGORIZED |
| 5059 | USER_RESOURCE_ACCESS |
| 5061 | USER_RESOURCE_ACCESS |
| 5140 | USER_RESOURCE_ACCESS |
| 5142 | USER_RESOURCE_ACCESS |
| 5145 | USER_RESOURCE_ACCESS |
| 5152 | NETWORK_UNCATEGORIZED |
| 5156 | NETWORK_UNCATEGORIZED |
| 5447 | SETTING_MODIFICATION |
| all others | GENERIC_EVENT |
| FILE | FILE_UNCATEGORIZED |
| FILE_READ_DATA | FILE_READ |
| login | USER_LOGIN |
Log Sample¶
Mar 25 20:35:26 10.0.0.238 device_hostname.companyname.comMSWinEventLog1Security106695764Fri Mar 25 20:35:26 20224663Microsoft-Windows-Security-AuditingUS\device_hostname$N/ASuccess Auditdevice_hostname.companyname.comRemovable StorageAn attempt was made to access an object. Subject: Security ID: S-1-5-18 Account Name: device_hostname$ Account Domain: US Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: D:\file\location\info.bat Handle ID: 0x104 Resource Attributes: Process Information: Process ID: 0x2b38 Process Name: C:\Windows\SysWOW64\cmd.exe Access Request Information: Accesses: ReadData (or ListDirectory) Access Mask: 0x1106692208 smb_host=smb_host smb_stage1=1234567890 smb_uid=123abc456def smb_timezone=EDT
Sample Parsing¶
metadata.event_timestamp = "2022-03-26T00:35:26Z"
metadata.event_type = "FILE_READ"
metadata.product_name = "MSWinEventLog"
metadata.product_version = "Security"
metadata.product_event_type = "4663"
metadata.description = "Microsoft-Windows-Security-Auditing US\device_hostname$ N/A Success Audit device_hostname.companyname.com Removable Storage An attempt was made to access an object"
additional.smb_uid = "123abc456def"
additional.smb_host = "smb_host"
additional.smb_stage1 = "1234567890"
principal.hostname = "device_hostname"
principal.asset_id = "987asdf52419ersd"
principal.user.userid = "device_hostname$"
principal.user.windows_sid = "S-1-5-18"
principal.user.product_object_id = "0x3E7"
principal.process.pid = "0x2b38"
principal.application = "C:\Windows\SysWOW64\cmd.exe"
principal.asset.hostname = "device_hostname"
principal.asset.asset_id = "987asdf52419ersd"
principal.domain.name = "US"
target.file.full_path = "D:\file\location\info.bat"
observer.hostname = "device_hostname"
observer.ip = "10.0.0.238"
observer.domain.name = "companyname.com"
security_result.summary = "FILE_READ_DATA"
security_result.description = "ReadData (or ListDirectory)"
security_result.action = "ALLOW"
Parser Alerting¶
This product currently does not have any Parser-based Alerting.
Rules¶
Coming Soon