Example of the File Integrity Monitoring (FIM) events generated by a Snare Enterprise Agent for Windows:
Info |
---|
This example shows the events in Snare format. The first four fields are the event header and may be formatted differently in other event formats (e.g. SYSLOG). |
Below is a table describing the contents of a FIM Event generated by Snare Agent.
...
SecurityLevel
...
The calculated digest (checksum) value from the previous scan. Empty string if no previous object exists.
...
Please refer to the Web User Interface (UI) → File Integrity Monitoring page in this User Guide for instructions on how to configure periodic FIM scans in the Snare Agent.
The following three steps must be performed before Snare can capture the FAM / RAM events.
1. Enable FAM / RAM Events in Windows Security Policy
Open the Windows Security Policy (from Control Panel / Administrative Tools on the local machine, or via GPO on a Domain Controller) and enable the following settings:
If the audit policy cannot be enabled under "Security Options", it needs to be enabled under "Advanced Audit Policy Configuration" instead:
2. Enable Auditing on File / Folder / Registry
It is recommended to enable the following settings in "General Configuration"; Snare will then take care of enabling auditing on the File / Folder / Registry objects.
This setting can also be enabled manually. To do so for a file or folder, use the following steps:
- Right-click the File / Folder => Properties
- Security tab => Advanced
- Auditing tab => Add
- Select auditing settings as per requirement
For registry:
- Right click => Permissions
- Advanced
- Auditing tab => Add
- Select auditing settings as per requirement
3. Create FAM / RAM Audit Policy
This is done by creating a FAM / RAM audit policy in Snare. See the details on the "Audit Policy Configuration" page of this documentation.
Warning |
---|
The order of these three steps is not important, but Snare will not capture any FAM / RAM events until all three steps have been performed. |
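As an added example (not Snare's own code or documentation), the following PowerShell checks the Windows-side prerequisites from steps 1 and 2 on a local machine and adds a folder SACL when none exists. It assumes that the Object Access subcategories "File System" and "Registry" are the ones FAM / RAM rely on, that auditpol output is in English, that the two paths are constructed placeholders, and that it runs from an elevated session (reading or writing a SACL needs SeSecurityPrivilege).

```powershell
# Added example, not Snare's own code: verify the Windows-side prerequisites
# from steps 1 and 2 (audit policy subcategories, then a SACL on the object).
# Assumptions: the subcategories FAM / RAM depend on are "File System" and
# "Registry" under Object Access; auditpol output is in English; the two
# paths below are constructed; run from an elevated PowerShell session.
$FolderToWatch = 'C:\Watched'                 # constructed example path
$KeyToWatch    = 'HKLM:\SOFTWARE\Watched'     # constructed example key

# Step 1: check the Advanced Audit Policy subcategories with the built-in auditpol.
foreach ($sub in 'File System', 'Registry') {
    $line = auditpol /get /subcategory:"$sub" | Where-Object { $_ -match "^\s*$sub\s" }
    if ("$line" -match 'Success|Failure') {
        Write-Host "[OK] subcategory '$sub': $("$line".Trim())"
    } else {
        Write-Warning "subcategory '$sub' is not enabled. Enable it with:"
        Write-Warning "  auditpol /set /subcategory:`"$sub`" /success:enable /failure:enable"
    }
}

# Step 2 (file/folder): report existing audit rules, add one if the SACL is empty.
$acl   = Get-Acl -Path $FolderToWatch -Audit
$rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
if ($rules.Count -eq 0) {
    Write-Warning "no audit rules on $FolderToWatch; adding Success+Failure for Everyone"
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $FolderToWatch -AclObject $acl
} else {
    foreach ($r in $rules) {
        Write-Host "[OK] $FolderToWatch audits $($r.IdentityReference): $($r.FileSystemRights) ($($r.AuditFlags))"
    }
}

# Step 2 (registry): same check on the key; registry SACL entries are RegistryAuditRule objects.
$keyRules = (Get-Acl -Path $KeyToWatch -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
if ($keyRules.Count -eq 0) {
    Write-Warning "no audit rules on $KeyToWatch; add one via Permissions => Advanced => Auditing"
} else {
    foreach ($r in $keyRules) {
        Write-Host "[OK] $KeyToWatch audits $($r.IdentityReference): $($r.RegistryRights) ($($r.AuditFlags))"
    }
}
```

Step 3 (the Snare FAM / RAM audit policy itself) is configured in the agent's Web UI and is not covered by this script.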