
Snare Solutions


About

Snare is the go-to centralized logging solution that pairs well with any SIEM or Security Analytics platform. Snare helps companies around the world improve their log collection, management and analysis with dependable tools that save time, save money and reduce risk.

Product Details

Vendor URL: Log Collection & Management

Product Type: Log Management

Product Tier: Tier III

Integration Method: Syslog

Integration URL: Snare Solutions - Confluence

Log Guide: Snare Solutions - Confluence

Parser Details

Log Format: Syslog

Expected Normalization Rate: 75%

Data Label: SNARE_SOLUTIONS

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                            UDM Field
access                                    security_result.description
access_mask                               security_result.summary
ALLOW, BLOCK, FAIL                        security_result.action
CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL security_result.severity
description                               metadata.description
error_code                                security_result.description
logon_id                                  principal.user.product_object_id
object_name                               target.file.full_path
observer                                  observer.hostname
observer                                  observer.ip
observer_domain                           observer.administrative_domain
principal                                 principal.hostname
principal                                 principal.ip
principal_domain                          principal.administrative_domain
principal_group                           principal.user.group_identifiers
principal_port                            principal.port
principal_user                            principal.user.userid
process_id                                principal.process.pid
process_name                              principal.application
product                                   metadata.product_name
product_event                             metadata.product_event_type
profile_used                              additional.fields
public_rule                               additional.fields
rule_id                                   security_result.rule_id
rule_name                                 security_result.rule_name
security_id                               principal.user.windows_sid
smb_host                                  additional.fields
smb_stage1                                additional.fields
smb_uid                                   additional.fields
(statically defined)                      metadata.event_type
target                                    target.hostname
target                                    target.ip
target_domain                             target.administrative_domain
target_port                               target.port
vendor                                    metadata.vendor_name
version                                   metadata.product_version

Product Event Types

Type / Subtype        Severity    UDM Event Classification    Alerting Enabled
FILE_READ_DATA                    FILE_READ
FILE                              FILE_UNCATEGORIZED
login                             USER_LOGIN
Default                           GENERIC_EVENT

Log Sample

Mar 25 20:35:26 10.0.0.238 device_hostname.companyname.comMSWinEventLog1Security106695764Fri Mar 25 20:35:26 20224663Microsoft-Windows-Security-AuditingUS\device_hostname$N/ASuccess Auditdevice_hostname.companyname.comRemovable StorageAn attempt was made to access an object.    Subject:   Security ID:  S-1-5-18   Account Name:  device_hostname$   Account Domain:  US   Logon ID:  0x3E7    Object:   Object Server:  Security   Object Type:  File   Object Name:  D:\file\location\info.bat   Handle ID:  0x104   Resource Attributes:     Process Information:   Process ID:  0x2b38   Process Name:  C:\Windows\SysWOW64\cmd.exe    Access Request Information:   Accesses:  ReadData (or ListDirectory)         Access Mask:  0x1106692208  smb_host=smb_host smb_stage1=1234567890 smb_uid=123abc456def smb_timezone=EDT

Sample Parsing

metadata.event_timestamp = "2022-03-26T00:35:26Z"
metadata.event_type = "FILE_READ"
metadata.product_name = "MSWinEventLog"
metadata.product_version = "Security"
metadata.product_event_type = "4663"
metadata.description = "Microsoft-Windows-Security-Auditing US\device_hostname$ N/A Success Audit device_hostname.companyname.com Removable Storage An attempt was made to access an object"
additional.smb_uid = "123abc456def"
additional.smb_host = "smb_host"
additional.smb_stage1 = "1234567890"
principal.hostname = "device_hostname"
principal.asset_id = "987asdf52419ersd"
principal.user.userid = "device_hostname$"
principal.user.windows_sid = "S-1-5-18"
principal.user.product_object_id = "0x3E7"
principal.process.pid = "0x2b38"
principal.application = "C:\Windows\SysWOW64\cmd.exe"
principal.asset.hostname = "device_hostname"
principal.asset.asset_id = "987asdf52419ersd"
principal.domain.name = "US"
target.file.full_path = "D:\file\location\info.bat"
observer.hostname = "device_hostname"
observer.ip = "10.0.0.238"
observer.domain.name = "companyname.com"
security_result.summary = "FILE_READ_DATA"
security_result.description = "ReadData (or ListDirectory)"
security_result.action = "ALLOW"
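As an added illustration of how the sample above maps onto the UDM fields (this is not Snare's code nor the parser's own logic), the following Python reproduces the mapping for event 4663. It assumes the live Snare feed is tab-delimited (the page's sample lost its tabs in extraction), that smb_timezone names the local UTC offset, and that "Success Audit" maps to ALLOW and anything else to FAIL.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed Snare MSWinEventLog line built from the page's sample, with the tabs restored.
SAMPLE = (
    "Mar 25 20:35:26 10.0.0.238 device_hostname.companyname.com\tMSWinEventLog\t1\tSecurity"
    "\t106695764\tFri Mar 25 20:35:26 2022\t4663\tMicrosoft-Windows-Security-Auditing"
    "\tUS\\device_hostname$\tN/A\tSuccess Audit\tdevice_hostname.companyname.com"
    "\tRemovable Storage\tAn attempt was made to access an object.    Subject:   "
    "Security ID:  S-1-5-18   Logon ID:  0x3E7    Object Name:  D:\\file\\location\\info.bat   "
    "Process ID:  0x2b38   Process Name:  C:\\Windows\\SysWOW64\\cmd.exe   "
    "Accesses:  ReadData (or ListDirectory)   Access Mask:  0x1\t106692208  "
    "smb_host=smb_host smb_stage1=1234567890 smb_uid=123abc456def smb_timezone=EDT"
)
UTC_OFFSET_HOURS = {"EDT": -4, "EST": -5, "UTC": 0}  # assumed meaning of smb_timezone

def field(desc, key):
    """Pull 'Key:  value' out of the event description; a value ends at a run of 3+ spaces."""
    m = re.search(re.escape(key) + r":\s+(.+?)(?=\s{3,}|$)", desc)
    return m.group(1) if m else None

def parse_snare(line):
    header, _, body = line.partition("\t")
    _, observer_ip, fqdn = header.rsplit(" ", 2)
    f = body.split("\t")  # product, crit, log, counter, date, event_id, source, domain\user,
    desc, trailer = f[12], f[13]  # sid_type, audit_result, host, category, description, trailer
    extra = dict(re.findall(r"(\w+)=(\S+)", trailer))  # smb_* key=value pairs after the counter
    domain, _, user = f[7].partition("\\")
    host, _, host_domain = fqdn.partition(".")
    tz = timezone(timedelta(hours=UTC_OFFSET_HOURS.get(extra.get("smb_timezone"), 0)))
    ts = datetime.strptime(f[4], "%a %b %d %H:%M:%S %Y").replace(tzinfo=tz)
    accesses = field(desc, "Accesses") or ""
    event_type = "GENERIC_EVENT"  # the page's default classification
    if f[5] == "4663":            # object access: FILE_READ only when data was actually read
        event_type = "FILE_READ" if "ReadData" in accesses else "FILE_UNCATEGORIZED"
    return {
        "metadata.event_timestamp": ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "metadata.event_type": event_type, "metadata.product_name": f[0],
        "metadata.product_version": f[2], "metadata.product_event_type": f[5],
        "principal.hostname": host, "principal.domain.name": domain, "principal.user.userid": user,
        "principal.user.windows_sid": field(desc, "Security ID"),
        "principal.user.product_object_id": field(desc, "Logon ID"),
        "principal.process.pid": field(desc, "Process ID"), "principal.application": field(desc, "Process Name"),
        "target.file.full_path": field(desc, "Object Name"),
        "observer.hostname": host, "observer.ip": observer_ip, "observer.domain.name": host_domain,
        "security_result.description": accesses,
        "security_result.action": "ALLOW" if f[9] == "Success Audit" else "FAIL",  # assumed mapping
        "additional.smb_host": extra.get("smb_host"), "additional.smb_uid": extra.get("smb_uid"),
        "additional.smb_stage1": extra.get("smb_stage1"),
    }
```

The EDT to UTC shift is what turns the 20:35:26 local timestamp into the 00:35:26Z value shown in the sample parsing.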

Parser Alerting

This product currently does not have any Parser-based Alerting.

Rules

Coming Soon