...
...
...
Overview
The Snare advanced events search capability allows you to build structured queries using the Snare Query Language (SnareQL) to search for events. You can specify criteria that will allow you to narrow down
- If you don't have complex search criteria, you may want to use the simple search instead;
- If you are not comfortable with the Jira Query Language (JQL), you may want to use basic search instead.
Note: JQL is not a database query language, even though it uses SQL-like syntax.
Snare Central provides close to 150 pre-configured reports to meet common security and compliance needs of our customers.
On top of these, custom reports can be created.
...
| Action | Details |
|---|---|
| Search reports and containers by their name | Use the Back to Search Results link in the Reports breadcrumbs area to return to your search results. |
| Sort all reports and containers by name | Sort in ascending or descending order. |
| Add new container | A container can only be created at the root level of Reports, and can then be dragged and dropped to another location. Tip: a new container is a temporary item that only exists for the duration of the current logged-in user's session (two hours by default) and is not visible to other users of Snare Central. It does not become permanent, or visible to other users, until you add an objective to it. |
| Add new report (objective) | By default, the new objective is configured with very simple settings. You can then select the objective and change its configuration, access controls, or schedule settings to your requirements. |
| Drag and drop containers and reports | Info: rearranging the location of an objective or container changes the location for all users of Snare, not just your account. |
| Clone, rename or delete a report (objective) | Click the ellipsis (...) in the report line and select from the actions list. Tip: Snare Central does not enforce uniqueness of objective names, so two objectives can have exactly the same name while having different configurations, access controls, and scheduling. To limit confusion, give each objective a unique and descriptive name. When you choose Delete, a dialog notifies you that the objective will be removed for ALL USERS of Snare Central and asks for confirmation before proceeding. Selecting the Delete button in the dialog removes the objective and its associated configuration settings. |
| Rename, recursively delete, or export the contents of a container | Click the ellipsis (...) in the container line and select from the actions list. If you choose to remove a container but do not have permission to remove some or all of the underlying objectives, Snare Central checks each objective for authorisation and removes only those you are authorised to delete. In this case the original container remains after the process has completed. |
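The authorisation behaviour described for recursive container deletion, modelled as an added Python example (this is not Snare Central's own code): every objective is checked individually, only the objectives the user is authorised to delete are removed, and a container survives whenever anything inside it could not be removed. The Objective and Container classes, the owner-set authorisation rule and the sample report tree are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Objective:
    name: str
    owners: frozenset  # assumed model: users allowed to delete this objective


@dataclass
class Container:
    name: str
    objectives: list = field(default_factory=list)
    containers: list = field(default_factory=list)


def can_delete(user, objective):
    """Per-objective authorisation check (assumed rule: user must be an owner)."""
    return user in objective.owners


def recursive_delete(container, user):
    """Remove what `user` may delete below `container`.

    Returns (surviving_container_or_None, list_of_removed_objective_names).
    The container itself is dropped only when nothing unauthorised remains in it.
    """
    removed = []
    kept_objectives = []
    for obj in container.objectives:  # check each objective, never the container alone
        if can_delete(user, obj):
            removed.append(obj.name)
        else:
            kept_objectives.append(obj)
    container.objectives = kept_objectives

    kept_containers = []
    for sub in container.containers:  # recurse into child containers
        survivor, sub_removed = recursive_delete(sub, user)
        removed.extend(sub_removed)
        if survivor is not None:
            kept_containers.append(survivor)
    container.containers = kept_containers

    if container.objectives or container.containers:
        return container, removed  # something the user could not remove remains
    return None, removed  # fully cleared, so the container goes too


def sample_tree():
    """Constructed sample: a container with two objectives and one child container."""
    return Container("Compliance",
                     objectives=[Objective("Failed logons", frozenset({"alice", "bob"})),
                                 Objective("Privileged use", frozenset({"bob"}))],
                     containers=[Container("Archive",
                                           objectives=[Objective("Old report", frozenset({"alice"}))])])
```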
Dynamic Search
Search for events using a search-engine style interface across multiple log sources with Dynamic Search. Dynamic Search may be used to quickly sift through information across multiple log sources, at the expense of completeness. The following filters are available for this tool:
- Find Events that contain: enter a string or event ID.
- Within the following date range: select a date range or a time period, e.g. This Month.
- Data Sources to Search: the data sources that may be sending log data to Snare Central, e.g. WinSecurity, GenericSyslog.
- Query Timeout (seconds): defaults to 60 seconds, but may be increased when searching a larger set of data sources or a wider time range.
Note that data arriving at the Snare Server may take up to fifteen minutes to be processed and become available to this objective.
...