...
Configure the Snare Reflector with the policies listed in the table below, specifying for each log type the port that was configured in Securonix:
Datasource | Format in Reflector | Filter regex (include) | Filter comments | Notes
---|---|---|---|---
Apache Web Server | Syslog RFC 3164 | `ApacheLog` | Set “Log Type” in log file policy as “Apache”. | |
Microsoft ADFS | Raw | `AD FS/Admin` | | |
Microsoft Defender | Raw | `Microsoft-Windows-Windows Defender/Operational` | | |
Microsoft DHCP | Syslog RFC 3164 | `MSSQL\$MICROSOFT##WID\|MSSQLSERVER` | Replace MSSQLSERVER with instance name | Set “Log Type” in log file policy as “DHCP”. |
Microsoft DNS Server | Syslog RFC 3164 | `MSDNSServer` | Set “Log Type” in log file policy as “DNS”. | |
Microsoft Exchange Parser | Syslog RFC 3164 | `ExchangeLog` | “Custom” Log type specified in policy. Set as "ExchangeLog". | |
Microsoft IIS Server | Syslog RFC 3164 | `IISWebLog` | Set “Log Type” in log file policy as “IIS”. | |
Microsoft Windows Powershell | Syslog RFC 3164 | `Microsoft-Windows-PowerShell/Operational` | | |
Microsoft Windows Snare Application | Raw | `MSWinEventLog` | One destination and policy required for Security, Application and System | |
Microsoft Windows Snare Security | Raw | `MSWinEventLog` | See above | |
Microsoft Windows Snare System | Raw | `MSWinEventLog` | See above | |
Microsoft Windows Sysmon | Raw | `Microsoft-Windows-Sysmon/Operational` | | |
Microsoft Windows Sysmon | Syslog | `Microsoft-Windows-Sysmon/Operational` | | |
RADIUS_NPS | Syslog RFC 3164 | `RadiusLog` | “Custom” Log type specified in policy. Set as "RadiusLog". | |
Windows MSSQL Via Syslog SNARE | Raw | `MSSQL\$MICROSOFT##WID\|MSSQLSERVER` | Replace MSSQLSERVER with instance name | |
Windows MSSQL Via Syslog SNARE | Syslog RFC 3164 | `MSSQL\$MICROSOFT##WID\|MSSQLSERVER` | Replace MSSQLSERVER with instance name | |
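Before committing a reflector policy, it is worth checking each include regex against events you actually expect to receive, so that a channel is not silently dropped (for example, the MSSQL row only matches a named instance once the `MSSQLSERVER` placeholder has been replaced). The following Python script is an added example and is not code from this page, from Snare or from Securonix. It assumes the reflector applies the include regex to the whole event line and that Python's `re` dialect is close enough to Snare's for a dry run; the sample events, the tab-separated field layout and the `MSSQL$PROD01` instance name are all constructed for illustration.

```python
import re

# Include regexes copied from the policy table above. The MSSQL entry keeps the
# page's MSSQLSERVER placeholder on purpose; with_instance_name() replaces it.
POLICIES = [
    ("Microsoft Windows Snare Security", "Raw", r"MSWinEventLog"),
    ("Microsoft Windows Sysmon", "Raw", r"Microsoft-Windows-Sysmon/Operational"),
    ("Microsoft Windows Powershell", "Syslog RFC 3164", r"Microsoft-Windows-PowerShell/Operational"),
    ("Microsoft DNS Server", "Syslog RFC 3164", r"MSDNSServer"),
    ("Windows MSSQL Via Syslog SNARE", "Raw", r"MSSQL\$MICROSOFT##WID|MSSQLSERVER"),
]

# Constructed sample events (not real telemetry). The tab-separated layout is an
# assumption that loosely follows Snare's Windows event format; only the fact that
# the channel / source name appears somewhere in the line matters for this check.
SAMPLE_EVENTS = [
    "<13>Jan 12 10:22:01 dc01 MSWinEventLog\t1\tSecurity\t4811\tTue Jan 12 10:22:01 2021\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tSuccess Audit",
    "<13>Jan 12 10:22:02 ws07 MSWinEventLog\t1\tMicrosoft-Windows-Sysmon/Operational\t512\tTue Jan 12 10:22:02 2021\t1\tMicrosoft-Windows-Sysmon\tSYSTEM\tInformation",
    "<13>Jan 12 10:22:03 db02 MSWinEventLog\t1\tApplication\t77\tTue Jan 12 10:22:03 2021\t18456\tMSSQL$MICROSOFT##WID\tN/A\tFailure Audit",
    "<13>Jan 12 10:22:04 db03 MSWinEventLog\t1\tApplication\t78\tTue Jan 12 10:22:04 2021\t18456\tMSSQL$PROD01\tN/A\tFailure Audit",
]

# Loose RFC 3164 header check: <PRI>, "Mmm dd hh:mm:ss", hostname, then the message.
# Assumption: good enough to tell a syslog-wrapped event from a bare (Raw) Snare line.
RFC3164_HEADER = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")


def compile_policies(policies):
    """Compile every include regex; a syntax error in one policy fails loudly
    here instead of silently excluding events on the reflector."""
    compiled = []
    for name, fmt, pattern in policies:
        try:
            compiled.append((name, fmt, re.compile(pattern)))
        except re.error as exc:
            raise ValueError(f"policy {name!r}: bad include regex {pattern!r}: {exc}")
    return compiled


def with_instance_name(policies, instance_name):
    """Apply the table's 'Replace MSSQLSERVER with instance name' note.
    The instance name is regex-escaped so a '$' in a named instance is literal."""
    escaped = re.escape(instance_name)
    return [(n, f, p.replace("MSSQLSERVER", escaped)) for n, f, p in policies]


def matching_policies(event, compiled):
    """Names of policies whose include regex matches the event line, in table order."""
    return [name for name, _fmt, rx in compiled if rx.search(event)]


def unmatched_events(events, compiled):
    """Events that no policy would forward; anything here is a coverage gap."""
    return [e for e in events if not matching_policies(e, compiled)]


def has_rfc3164_header(event):
    """True if the line carries an RFC 3164 syslog header."""
    return RFC3164_HEADER.match(event) is not None


if __name__ == "__main__":
    for label, policies in (("as published", POLICIES),
                            ("with instance MSSQL$PROD01", with_instance_name(POLICIES, "MSSQL$PROD01"))):
        compiled = compile_policies(policies)
        print(f"== {label} ==")
        for ev in SAMPLE_EVENTS:
            print(f"rfc3164={has_rfc3164_header(ev)!s:5} -> {matching_policies(ev, compiled)}")
        print("unmatched:", len(unmatched_events(SAMPLE_EVENTS, compiled)))
```

Run it and compare the second block of output with the first: the `MSSQL$PROD01` event is only picked up by the MSSQL policy after the placeholder is replaced, while every event still reaches the `MSWinEventLog` policy, which is why the table needs a single destination for Security, Application and System.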
Note: Securonix provides several parsers for log data generated and sent by Snare; details can be found at the links below.
...