Intersect Alliance, part of the Prophecy International Holdings Group, is a team of leading information technology security specialists. In particular, Intersect Alliance are noted leaders in key aspects of IT Security, including host intrusion detection. Our solutions have been and continue to be used in the most sensitive areas of Government and business sectors.
Intersect Alliance intend to continue releasing tools that enable users, administrators and clients worldwide to achieve a greater level of productivity and effectiveness in the area of IT Security, by simplifying, abstracting and/or solving complex security problems.
Intersect Alliance welcomes and values your support, comments, and contributions.
...
For more information on the Enterprise Agents, Snare Central and other Snare products and licensing options, please contact your local Prophecy Group as follows:
North America +1 (800) 834 1060
APAC +61 8 8213 1200
EMEA +44 (800) 368 7423
Email
...
Registry Path | Setting Description |
---|---|
[Config] | This subkey stores the general agent configuration data. |
Delimiter | REG_SZ Stores the field delimiting character, ONLY if syslog header has been selected. If more than one char, only first char will be used. If none set, then TAB will be used. This is a HIDDEN field, and only available to those users that wish to set a different delimiter when using the SYSLOG header. This selection option will not be found in the SNARE front end or the web pages. |
Clientname | REG_SZ If no value has been set, "hostname" command output will be displayed. Must be no more than 100 chars, otherwise will truncate. |
TracePath | REG_SZ The location where SNARE will store its trace files. |
OutputFilePath | REG_SZ The location where SNARE will store a local copy of audit events. |
FileExport | REG_DWORD Determines whether event records should be written to OutputFilePath. Set this value to 1 to enable file logging. Will default to FALSE (0) if not set. |
FileSize | REG_DWORD The size, in megabytes, of any files written to OutputFilePath. |
TraceSize | REG_DWORD The size of any trace files written by MS SQL Server |
TraceCount | REG_DWORD The number of trace files maintained by MS SQL Server |
LookupTimeout | REG_DWORD The frequency, in minutes, with which the SnareMSSQL agent will recheck the members of any groups specified in the User Search Filter |
Heartbeat | REG_DWORD The frequency, in minutes, with which the agent will send out a heartbeat message. A value of zero (0) will disable this feature. |
AgentLog | REG_DWORD A flag determining which Agent Logs should be recorded: Service (1), Trace (2) and Debug(4). |
UseUTC | REG_DWORD Timestamp logs using Coordinated Universal Time instead of local time if set to 1. |

Registry Path | Setting Description |
---|---|
[Objective] | This subkey stores all the filtering objectives. |
Objective# (where # is an integer number) | Objectives are of type REG_BINARY and contain an encrypted copy of the individual settings comprising an objective. |
[Network] | This subkey stores the general network configurations. |
Destination | REG_SZ A comma separated list of destinations, which should be a maximum of 100 characters each. It details the IP address or hostname which the event records will be sent (NB: multiple hosts only available in supported agent). |
DestPort | REG_DWORD The Destination Port number. This value must be in 1-65535 range. Will default to 514 if a SYSLOG header has been specified. |
Syslog | REG_DWORD Determines whether a SYSLOG header will be added to the event record. Set this value to 0 for no SYSLOG header (default via agent console). Will default to TRUE (1) if not set. |
SyslogDest | REG_DWORD The SYSLOG Class and Criticality. This value will default to 13 if not set, or out of bounds. |
SocketType | REG_DWORD Determines the protocol used (0 for UDP, 1 for TCP) |
CacheSizeM | REG_DWORD The size, in megabytes, of the cache maintained by the SnareMSSQL agent if communication with the network destination is lost (TCP only). |
EncryptMsg | REG_DWORD Determines if outgoing messages should be encrypted. |
RateLimit | This value is of type REG_DWORD, and determines the upper limit for events per second (EPS) that the agent will send to server. This feature only appears in supported agents. |
NotifyMsgLimit | This value is of type REG_DWORD having value 0 or 1, and determines whether to send or not the EPS notification to server (1 means send and 0 means not to send) whenever agent reaches EPS RateLimit. This feature only appears in supported agents. |
NotifyMsgLimitFrequency | This value is of type REG_DWORD, and determines the frequency of events per second notification. The value is treated in minutes and only one EPS notification message is sent to server regardless of how many times agent reaches EPS limit during these minutes. This feature only appears in supported agents. |
[Remote] | This subkey stores all the remote control parameters. |
Allow | REG_DWORD Determines the availability of the remote control feature. If not set or out of bounds, will default to 0/NO (ie; not able to be remote controlled). |
WebPort | REG_DWORD The web server port, if it has been set to something other than port 6161. It is of type REG_DWORD. If not set or out of bounds, it will default to port 6161. |
WebPortChange | REG_DWORD Set to either 0 or 1 to signal whether the web port should be changed or not. 0 = no change. |
Restrict | REG_DWORD Determines whether the remote users should be restricted via IP address or not. 0 = no restrictions. |
RestrictIP | REG_SZ The comma separated list of IP address allowed to access the web interface. |
AccessKey | REG_DWORD Determines whether a password is required to access the remote control interface. It is set to either 0 or 1, with 0 signifying no password is required. |
AccessKeySet | REG_SZ Stores a hash of the password. |
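
The settings above interact: remote control is only exposed when Allow is 1, the event cache only applies to TCP, and a Heartbeat of 0 disables heartbeat messages. The following check is an added example, not vendor code, that reviews an exported copy of these values against the documented semantics. The input dictionary shape, the function names and the treatment of unset values without a documented default as 0 are assumptions.

```python
# Added example (not vendor code): audit exported Snare MSSQL agent settings.
# Input shape {subkey: {value_name: value}} is an assumption; export the values
# from the agent's registry key by whatever means you already use.

def get(cfg, subkey, name, default=0):
    # Assumption: a value with no documented default is treated as 0 when unset.
    return cfg.get(subkey, {}).get(name, default)

def audit(cfg):
    """Return a list of findings based on the documented setting semantics."""
    findings = []
    if get(cfg, "Remote", "Allow") == 1:            # documented default: 0/NO
        port = get(cfg, "Remote", "WebPort", 6161)
        if not 1 <= port <= 65535:                  # out of bounds -> 6161
            port = 6161
        if get(cfg, "Remote", "Restrict") == 0:     # 0 = no restrictions
            findings.append(f"Remote: web interface on port {port} has no IP restriction")
        if get(cfg, "Remote", "AccessKey") == 0:    # 0 = no password required
            findings.append("Remote: no password required for remote control")
    if get(cfg, "Network", "SocketType") == 0:      # 0 = UDP, 1 = TCP
        findings.append("Network: UDP transport, CacheSizeM cache is TCP only")
    if get(cfg, "Network", "EncryptMsg") == 0:
        findings.append("Network: outgoing messages are not encrypted")
    raw = get(cfg, "Network", "Destination", "")    # comma separated list
    dest = [d.strip() for d in raw.split(",") if d.strip()]
    if not dest and get(cfg, "Config", "FileExport") == 0:
        findings.append("Network: no Destination and FileExport is 0")
    dport = get(cfg, "Network", "DestPort", None)   # only checked when set
    if dport is not None and not 1 <= dport <= 65535:
        findings.append(f"Network: DestPort {dport} is outside 1-65535")
    if get(cfg, "Config", "Heartbeat") == 0:        # 0 disables the heartbeat
        findings.append("Config: heartbeat disabled")
    return findings

# Constructed sample values, not taken from a real host.
SAMPLE = {
    "Config": {"Heartbeat": 0, "FileExport": 1},
    "Network": {"Destination": "192.0.2.10", "DestPort": 514, "Syslog": 1,
                "SocketType": 0, "EncryptMsg": 0},
    "Remote": {"Allow": 1, "WebPort": 70000, "Restrict": 0, "AccessKey": 1},
}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```
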
...
Event ID | Event Name | Event Description |
---|---|---|
Query Tracking [query] | | |
40 | SQL:StmtStarting | Occurs when the Transact-SQL statement has started. |
41 | SQL:StmtCompleted | Occurs when the Transact-SQL statement has completed. |
Login/Logout [loginout] | | |
14 | Audit Login | Occurs when a user successfully logs in to SQL Server. |
15 | Audit Logout | Occurs when a user logs out of SQL Server. |
20 | Audit Login Failed | Indicates that a login attempt to SQL Server from a client failed. |
Transaction Tracking [transaction] | | |
50 | SQL Transaction | Tracks Transact-SQL BEGIN, COMMIT, SAVE, and ROLLBACK TRANSACTION statements. |
181 | TM: Begin Tran starting | Occurs when a BEGIN TRANSACTION request starts. |
182 | TM: Begin Tran completed | Occurs when a BEGIN TRANSACTION request completes. |
183 | TM: Promote Tran starting | Occurs when a PROMOTE TRANSACTION request starts. |
184 | TM: Promote Tran completed | Occurs when a PROMOTE TRANSACTION request completes. |
185 | TM: Commit Tran starting | Occurs when a COMMIT TRANSACTION request starts. |
186 | TM: Commit Tran completed | Occurs when a COMMIT TRANSACTION request completes. |
187 | TM: Rollback Tran starting | Occurs when a ROLLBACK TRANSACTION request starts. |
188 | TM: Rollback Tran completed | Occurs when a ROLLBACK TRANSACTION request completes. |
191 | TM: Save Tran starting | Occurs when a SAVE TRANSACTION request starts. |
192 | TM: Save Tran completed | Occurs when a SAVE TRANSACTION request completes. |
Use of User Rights – Privileges [user-rights-use-priv] | | |
132 | Audit Server Principal Impersonation Event | Occurs when there is an impersonation within server scope, such as EXECUTE AS LOGIN. |
133 | Audit Database Principal Impersonation Event | Occurs when an impersonation occurs within the database scope, such as EXECUTE AS USER or SETUSER. |
170 | Audit Server Scope GDR Event | Indicates that a grant, deny, or revoke event for permissions in server scope occurred, such as creating a login. |
171 | Audit Server Object GDR Event | Indicates that a grant, deny, or revoke event for a schema object, such as a table or function, occurred. |
172 | Audit Database Object GDR Event | Indicates that a grant, deny, or revoke event for database objects, such as assemblies and schemas, occurred. |
112 | Audit App Role Change Password Event | Occurs when a password of an application role is changed. |
102 | Audit Statement GDR Event | Occurs every time a GRANT, DENY, REVOKE for a statement permission is issued by any user in SQL Server. |
103 | Audit Object GDR Event | Occurs every time a GRANT, DENY, REVOKE for an object permission is issued by any user in SQL Server. |
Use of User Rights – Data Manipulation Language (DML) [user-rights-use-dml] | | |
114 | Audit Schema Object Access Event | Occurs when an object permission (e.g. INSERT or UPDATE) is used, successfully or unsuccessfully. |
Use of User Rights – Data Manipulation Language (DML) including SELECT | | |
114 | Audit Schema Object Access Event | Occurs when an object permission (SELECT) is used, successfully or unsuccessfully. |
Use of User Rights – Data Definition Language [user-rights-use-ddl] | | |
113 | Audit Statement Permission Event | Occurs when a statement permission (such as CREATE TABLE) is used. |
118 | Audit Object Derived Permission Event | Occurs when CREATE, ALTER, and DROP object commands are issued. |
Account Admin [account-admin] | | |
104 | Audit AddLogin Event | Occurs when a SQL Server login is added or removed. |
105 | Audit Login GDR Event | Occurs when a Windows login right is added or removed. |
106 | Audit Login Change Property Event | Occurs when a property of a login, except passwords, is modified. |
107 | Audit Login Change Password Event | Occurs when a SQL Server login password is changed. Passwords are not recorded. |
108 | Audit Add Login to Server Role Event | Occurs when a login is added or removed from a fixed server role. |
109 | Audit Add DB User Event | Occurs when a login is added or removed as a database user (Windows or SQL Server) to a database. |
110 | Audit Add Member to DB Role Event | Occurs when a login is added or removed as a database user (fixed or user-defined) to a database. |
111 | Audit Add Role Event | Occurs when a login is added or removed as a database user to a database. |
Object Access [object-access] | | |
128 | Audit Database Management Event | Occurs when a database is created, altered, or dropped. |
129 | Audit Database Object Management Event | Occurs when a CREATE, ALTER, or DROP statement executes on database objects, such as schemas. |
130 | Audit Database Principal Management Event | Occurs when principals, such as users, are created, altered, or dropped from a database. |
131 | Audit Schema Object Management Event | Occurs when server objects are created, altered, or dropped. |
134 | Audit Server Object Take Ownership Event | Occurs when the owner is changed for objects in server scope. |
135 | Audit Database Object Take Ownership Event | Occurs when a change of owner for objects within database scope occurs. |
152 | Audit Change Database Owner | Occurs when ALTER AUTHORIZATION is used to change the owner of a database and permissions are checked to do that. |
153 | Audit Schema Object Take Ownership Event | Occurs when ALTER AUTHORIZATION is used to assign an owner to an object and permissions are checked to do that. |
164 | Object:Altered | Occurs when a database object is altered. |
173 | Audit Server Operation Event | Occurs when Security Audit operations such as altering settings, resources, external access, or authorization are used. |
175 | Audit Server Alter Trace Event | Occurs when a statement checks for the ALTER TRACE permission. |
176 | Audit Server Object Management Event | Occurs when server objects are created, altered, or dropped. |
177 | Audit Server Principal Management Event | Occurs when server principals are created, altered, or dropped. |
178 | Audit Database Operation Event | Occurs when database operations occur, such as checkpoint or subscribe query notification. |
180 | Audit Database Object Access Event | Occurs when database objects, such as schemas, are accessed. |
...
SnareSales@prophecyinternational.com
Visit
...