The Snare application has a number of built-in Audit Policies, with both basic auditing and advanced auditing options. These Audit Policies are designed to 'trap' particular Security Log event IDs, so that a user can create the more common audit policies without needing to know which event IDs they require. The details are given below, first for the basic audit policy and then for the advanced audit policy.
...
The events are generated by turning on the selected audit categories in the Windows audit sub-system.
Note: the high-level event "Access a file or directory" is not in the agent GUI list. If those events are required, use the "Any event(s)" option in the GUI to capture the events listed in that category.
Logon or Logoff:
Legacy Security Log event IDs (Windows 2000, XP and Server 2003): 528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 541, 542, 543, 544, 545, 546, 547, 551, 552, 672, 673, 674, 675, 676, 677, 678, 680, 681, 682, 683
Current Security Log event IDs (Windows Vista, Server 2008 and later): 4624, 4625, 4626, 4627, 4628, 4629, 4630, 4631, 4632, 4633, 4634, 4647, 4648, 4768, 4769, 4770, 4771, 4772, 4773, 4774, 4776, 4777, 4778, 4779, 4800, 4801, 4802, 4803
...
Legend: blue highlighting in the original table marks high-volume event IDs in the default advanced audit policies.
Advanced Default Audit Policies | Enabled Categories | Enabled Sub-categories | Captured Event id / Filtered Event ids | Event Type(s) | Log Source(s) | Criticality | Recommended Alert Level | Comments |
---|---|---|---|---|---|---|---|---|
AdvObjective1 | System, Logon/Logoff, Policy Change, Account Management, Object Access | System Integrity.Success, Other Logon/Logoff Events.Success, Certification Services.Success, Audit Policy Change.Success, User Account Management.Success, User Account Management.Failure, Special Logon.Success | 104, 1102, 4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124 | Success, Failure, Error, Information, Warning, Critical | Security | High | Snare = Critical, Syslog = Critical, CEF = 10, LEEF = 10 | Event Volume = Low |
AdvObjective2 | System | IPsec Driver.Success, IPsec Driver.Failure, Other System Events.Success, Other System Events.Failure, System Integrity.Failure | 4960, 4961, 4962, 4963, 4965, 5480, 5483, 5484, 5485, 5027, 5028, 5029, 5030, 5035, 5037, 5038 | Success, Failure, Error, Information, Warning, Critical | Security | Medium | Snare = Warning, Syslog = Warning, CEF = 8, LEEF = 8 | Event Volume = Low |
AdvObjective3 | Policy Change | Authentication Policy Change.Success, Authorization Policy Change.Success, Audit Policy Change.Success, Other Policy Change Events.Success | 4706, 4713, 4714, 4715, 4716, 4739, 4865, 4866, 4867, 4906, 4907, 4908, 4912, 6145 | Success, Failure, Error, Information, Warning, Critical | Security | Medium | Snare = Warning, Syslog = Warning, CEF = 8, LEEF = 8 | Event Volume = Low |
AdvObjective4 | Account Management | User Account Management.Success, User Account Management.Failure, Security Group Management.Success | 4724, 4727, 4731, 4735, 4737, 4754, 4755, 4764, 4780, 5376, 5377 | Success, Failure, Error, Information, Warning, Critical | Security | Medium | Snare = Warning, Syslog = Warning, CEF = 8, LEEF = 8 | Event Volume = Low |
AdvObjective5 | Logon/Logoff | Logon.Success, IPsec Main Mode.Success, IPsec Quick Mode.Success, IPsec Extended Mode.Success, Network Policy Server.Success | 4675, 4976, 4977, 4978, 4983, 4984, 5453, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280 | Success, Failure, Error, Information, Warning, Critical | Security | Medium | Snare = Warning, Syslog = Warning, CEF = 8, LEEF = 8 | Event Volume = Low |
AdvObjective6 | Object Access | Certification Services.Success | 4868, 4870, 4882, 4885, 4890, 4892, 4896, 5120, 5121, 5122, 5123 | Success, Failure, Error, Information, Warning, ActivityTracing, Critical, Verbose | Security | Medium | Snare = Information, Syslog = Info, CEF = 3, LEEF = 3 | Event Volume: Low to Medium on servers that run AD CS role services |
AdvObjective7 | Detailed Tracking | Process Creation.Success, Process Termination.Success, DPAPI Activity.Success, DPAPI Activity.Failure | 4688, 4689, 4692, 4693, 4696 | Success, Failure, Error, Information, Warning, Critical | Security | Medium | Snare = Clear, Syslog = Debug, CEF = 0, LEEF = 1 | Event Volume = Low |
AdvObjective8 | Account Logon | Credential Validation.Success, Credential Validation.Failure, Kerberos Authentication Service.Success, Kerberos Authentication Service.Failure, Kerberos Service Ticket Operations.Success, Kerberos Service Ticket Operations.Failure | 4768, 4769, 4770, 4771, 4772, 4773, 4774, 4775, 4776, 4777 | Success, Failure, Error, Information, Warning, Critical | Security | Low/Information | Snare = Information, Syslog = Info, CEF = 3, LEEF = 3 | Event Volume = Low |
AdvObjective9 | Account Management | User Account Management.Success, User Account Management.Failure, Computer Account Management.Success, Computer Account Management.Failure, Security Group Management.Success, Security Group Management.Failure, Distribution Group Management.Success, Application Group Management.Success, Other Account Management Events.Success, Other Account Management Events.Failure | 4720, 4722, 4723, 4725, 4726, 4728, 4729, 4730, 4732, 4733, 4734, 4738, 4740, 4741, 4742, 4743, 4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4756, 4757, 4758, 4759, 4760, 4761, 4762, 4763, 4767, 4781, 4782, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4792, 4793, 4798, 4799 | Success, Failure, Error, Information, Warning, Critical | Security | Low/Information | Snare = Information, Syslog = Info, CEF = 3, LEEF = 3 | Event Volume = Low |
AdvObjective10 | Logon/Logoff | Account Lockout.Success, Account Lockout.Failure, Logon.Success, Logon.Failure, Logoff.Success, Other Logon/Logoff Events.Success, Other Logon/Logoff Events.Failure, Special Logon.Success, Special Logon.Failure, Group Membership.Success | 4624, 4625, 4627, 4634, 4647, 4648, 4672, 4675, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632 | Success, Failure, Error, Information, Warning, Critical | Security | Low/Information | Snare = Information, Syslog = Info, CEF = 3, LEEF = 3 | Event Volume: 4672: |
AdvObjective11 | Policy Change | Authentication Policy Change.Success, Audit Policy Change.Success, Audit Policy Change.Failure, Filtering Platform Policy Change.Success, Filtering Platform Policy Change.Failure, Other Policy Change Events.Success, Other Policy Change Events.Failure, Authorization Policy Change.Success, MPSSVC Rule-Level Policy Change.Success, MPSSVC Rule-Level Policy Change.Failure | 4707, 4709, 4710, 4711, 4712, 4714, 4717, 4718, 4817, 4864, 4902, 4904, 4905, 5040, 5041, 5042, 5043, 5044, 5045, 5046, 5047, 5048, 5440, 5441, 5442, 5443, 5444, 5446, 5448, 5449, 5450, 5456, 5458, 5459, 5460, 5461, 5462, 5463, 5464, 5465, 5466, 5467, 5468, 5471, 5472, 5473, 5474, 5477 | Success, Failure, Error, Information, Warning, Critical | Security | Low/Information | Snare = Priority, Syslog = Warning, CEF = 5, LEEF = 5 | Event Volume = Low |
AdvObjective12 | Policy Change | Authentication Policy Change.Success, Audit Policy Change.Success, Audit Policy Change.Failure, Filtering Platform Policy Change.Success, Filtering Platform Policy Change.Failure, Other Policy Change Events.Success, Other Policy Change Events.Failure, Authorization Policy Change.Success, MPSSVC Rule-Level Policy Change.Success, MPSSVC Rule-Level Policy Change.Failure | 4670, 4703, 4704, 4705, 4819, 4826, 4909, 4910, 4911, 4913, 4944, 4945, 4946, 4947, 4948, 4949, 4950, 4951, 4952, 4953, 4954, 4956, 4957, 4958, 5063, 5064, 5065, 5066, 5067, 5068, 5069, 5070, 5447, 6144 | Success, Failure, Error, Information, Warning, Critical | Security | Low/Information | Snare = Priority, Syslog = Warning, CEF = 5, LEEF = 5 | Event Volume = Low; 5447 was high volume in some testing |
AdvObjective13 | Privilege Use | Non-Sensitive Privilege Use.Success, Non-Sensitive Privilege Use.Failure | 4673, 4674 | Success, Failure, Information, Warning, Critical | Security | Low/Information | Snare = Information, Syslog = Info, CEF = 3, LEEF = 3 | Event Volume: Very High. Both Privilege Use sub-categories log the same event IDs |
AdvObjective14 | System | IPsec Driver.Success, IPsec Driver.Failure, Other System Events.Success, Other System Events.Failure, Security State Change.Success, Security State Change.Failure, Security System Extension.Success, Security System Extension.Failure, System Integrity.Success, System Integrity.Failure | 4608, 4609, 4610, 4611, 4612, 4614, 4615, 4616, 4621, 4622, 4697, 4816, 5024, 5025, 5032, 5033, 5034, 5056, 5057, 5058, 5059, 5060, 5061, 5062, 5478, 5479, 6281, 6400, 6401, 6402, 6403, 6404, 6405, 6406, 6407, 6408, 6409, 6410 | Success, Failure, Error, Information, Warning, Critical | System, Application, Active Directory Service, Domain Name Server, DFS-Replication, Custom | Low/Information | Snare = Information, Syslog = Info, CEF = 3, LEEF = 3 | Event Volume = Low |
AdvObjective15 | Object Access | Other Object Access Events.Success, Other Object Access Events.Failure, Handle Manipulation.Success, File Share.Success, File Share.Failure, Kernel Object.Success, Kernel Object.Failure, Registry.Success, Registry.Failure | 4656, 4657, 4658, 4659, 4660, 4661, 4663, 4671, 4690, 4691, 4698, 4699, 4700, 4701, 4702, 5140, 5142, 5143, 5144, 5148, 5149, 5168, 5888, 5889, 5890 | Success, Failure, Error, Information, Warning, ActivityTracing, Critical, Verbose | Security | Low/Information | Snare = Warning, Syslog = Warning, CEF = 5, LEEF = 5 | Event Volume: Medium (4657); Others: ; 4671 is generated regardless of the audit settings |
AdvObjective16 | None | None | Any event(s) | Success, Failure, Error, Information, Warning, Critical | System, Application, Active Directory Service, Domain Name Server, DFS-Replication, Custom, Windows Forwarded Events (WECAgent only) | | Snare = Information, Syslog = Info, CEF = 3, LEEF = 3 | |
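The "Enabled Sub-categories" column uses the same sub-category names that `auditpol` does, so a row can be turned directly into the commands that apply it and into a check that a host actually audits what the objective expects. The following is an added example written for this page, not Snare's code: it parses the AdvObjective1 sub-category cell from the table, emits the matching `auditpol /set` commands, and compares the row against a constructed sample of `auditpol /get /category:* /r` output to report which settings the host lacks. The hostname DC01 and the sample policy values are made up; the sub-category GUIDs are the standard Windows ones and are not used by the code.

```python
from __future__ import annotations

import csv
import io
import re

# The "Enabled Sub-categories" cell of the AdvObjective1 row, as the table writes it.
ADV_OBJECTIVE1 = (
    "System Integrity.Success, Other Logon/Logoff Events.Success, "
    "Certification Services.Success, Audit Policy Change.Success, "
    "User Account Management.Success, User Account Management.Failure, "
    "Special Logon.Success"
)

# Constructed sample of `auditpol /get /category:* /r` output (auditpol prints a
# blank line before the CSV header). Host name and settings are made up; only the
# rows relevant to AdvObjective1 plus one unrelated row are included.
AUDITPOL_SAMPLE = """
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},Success and Failure,
DC01,System,Other Logon/Logoff Events,{0CCE921C-69AE-11D9-BED3-505054503030},No Auditing,
DC01,System,Certification Services,{0CCE9221-69AE-11D9-BED3-505054503030},Success,
DC01,System,Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030},Success,
DC01,System,User Account Management,{0CCE9235-69AE-11D9-BED3-505054503030},Success,
DC01,System,Special Logon,{0CCE921B-69AE-11D9-BED3-505054503030},Success and Failure,
DC01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,
"""

# One token per "<Sub-category>.Success" / "<Sub-category>.Failure". Names contain
# spaces and slashes, so anchor on the suffix instead of splitting on whitespace.
_TOKEN = re.compile(r"(?P<name>.+?)\.(?P<setting>Success|Failure)")


def parse_subcategories(spec: str) -> dict[str, set[str]]:
    """Group the table's tokens by sub-category, e.g.
    {'User Account Management': {'Success', 'Failure'}, 'Special Logon': {'Success'}}."""
    wanted: dict[str, set[str]] = {}
    for m in _TOKEN.finditer(spec):
        name = m.group("name").strip(" ,")
        wanted.setdefault(name, set()).add(m.group("setting"))
    return wanted


def auditpol_commands(spec: str) -> list[str]:
    """auditpol /set lines that enable exactly the listed settings. auditpol only
    changes the flags named on the command line, so a Success-only objective leaves
    the host's Failure setting as it was."""
    cmds = []
    for name, settings in sorted(parse_subcategories(spec).items()):
        flags = " ".join(f"/{s.lower()}:enable" for s in sorted(settings))
        cmds.append(f'auditpol /set /subcategory:"{name}" {flags}')
    return cmds


def current_policy(auditpol_csv: str) -> dict[str, set[str]]:
    """Parse auditpol's CSV. 'Inclusion Setting' is one of 'Success', 'Failure',
    'Success and Failure' or 'No Auditing'."""
    policy: dict[str, set[str]] = {}
    for row in csv.DictReader(io.StringIO(auditpol_csv.lstrip())):
        inc = row["Inclusion Setting"].strip()
        policy[row["Subcategory"]] = set() if inc == "No Auditing" else set(inc.split(" and "))
    return policy


def missing_settings(spec: str, auditpol_csv: str) -> dict[str, set[str]]:
    """Settings the objective needs that the host does not audit; empty means compliant.
    Extra auditing on the host is not reported: it adds volume but loses no events."""
    have = current_policy(auditpol_csv)
    gaps: dict[str, set[str]] = {}
    for name, wanted in parse_subcategories(spec).items():
        lacking = wanted - have.get(name, set())
        if lacking:
            gaps[name] = lacking
    return gaps


if __name__ == "__main__":
    for name, lacking in sorted(missing_settings(ADV_OBJECTIVE1, AUDITPOL_SAMPLE).items()):
        print(f"missing: {name} -> {', '.join(sorted(lacking))}")
    print("\n".join(auditpol_commands(ADV_OBJECTIVE1)))
```

Run `auditpol /get /category:* /r` on the target host and pass its output to `missing_settings`; an empty result means the host audits everything the objective expects. For the constructed sample the check reports that "Other Logon/Logoff Events" has no auditing and that "User Account Management" lacks Failure auditing, which are exactly the two `auditpol /set` lines an administrator would need to run.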
Tuning notes:
- On some systems AdvObjective15 can create additional noise, because the Object Access events 4663 (an attempt was made to access an object) and 4658 (the handle to an object was closed) are very chatty, particularly when registry auditing is enabled. If these events impose a significant load and you need to reduce your EPS, you can disable these two event IDs, but at the expense of losing some forensic detail about registry accesses.
- AdvObjective1 includes event 104 (the System log was cleared), which Windows writes to the System log rather than the Security log, so the agent must also collect the System log for that event to be captured.
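Before disabling 4663 and 4658, it is worth measuring how much of the event volume they actually account for and what alert level is lost with them. The following is an added example written for this page, not Snare's code: it takes the Snare alert levels and event ID lists of AdvObjective1, 10, 13 and 15 from the table above (a subset, not the whole table), maps event IDs to their objectives and alert level the way the Recommended Alert Level column does, and runs a constructed one-minute sample of Security log event IDs through that mapping to report the EPS before and after dropping the two chatty events. The sample counts are made up to make the point and are not measurements.

```python
from collections import Counter

# Snare alert level and captured event IDs, copied from the AdvObjective1, 10, 13 and 15
# rows of the table above. This is a subset of the table, not every objective.
OBJECTIVES = {
    "AdvObjective1": ("Critical", {104, 1102, 4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124}),
    "AdvObjective10": ("Information", {4624, 4625, 4627, 4634, 4647, 4648, 4672, 4675, 4778, 4779,
                                       4800, 4801, 4802, 4803, 5378, 5632}),
    "AdvObjective13": ("Information", {4673, 4674}),
    "AdvObjective15": ("Warning", {4656, 4657, 4658, 4659, 4660, 4661, 4663, 4671, 4690, 4691, 4698,
                                   4699, 4700, 4701, 4702, 5140, 5142, 5143, 5144, 5148, 5149, 5168,
                                   5888, 5889, 5890}),
}
# AdvObjective16 ("Any event(s)") catches everything not listed above at Snare = Information.
CATCH_ALL_LEVEL = "Information"
# Event IDs the table comments and the tuning note single out for volume.
NOISY_PER_PAGE = {4657, 4658, 4663, 4672, 4673, 4674, 5447}
# Snare levels from most to least severe, as used in the Recommended Alert Level column.
SEVERITY = ["Critical", "Priority", "Warning", "Information", "Clear"]


def objectives_for(event_id: int) -> list[str]:
    """Every objective in OBJECTIVES whose ID list contains this event."""
    return [name for name, (_, ids) in OBJECTIVES.items() if event_id in ids]


def alert_level(event_id: int) -> str:
    """Most severe Snare level among the objectives that capture the ID; catch-all otherwise."""
    levels = [OBJECTIVES[name][0] for name in objectives_for(event_id)]
    return min(levels, key=SEVERITY.index) if levels else CATCH_ALL_LEVEL


def noise_report(event_ids, window_s: float, drop=frozenset({4663, 4658})) -> dict:
    """EPS before and after dropping `drop`, the share of volume they carry, the alert
    level that would be lost with them, and which page-flagged noisy IDs are present."""
    counts = Counter(event_ids)
    total = sum(counts.values())
    dropped = sum(counts[i] for i in drop)
    return {
        "eps_before": round(total / window_s, 2),
        "eps_after": round((total - dropped) / window_s, 2),
        "dropped_share": round(dropped / total, 3) if total else 0.0,
        "dropped_levels": {i: alert_level(i) for i in sorted(drop)},
        "noisy_seen": sorted(i for i in counts if i in NOISY_PER_PAGE),
        "top": counts.most_common(3),
    }


# Constructed 60-second sample of Security log event IDs from one busy host.
# The volumes are illustrative, not measured.
SAMPLE_COUNTS = {4663: 600, 4658: 550, 4673: 120, 4674: 90, 4624: 40, 4634: 38, 4672: 35, 4657: 6, 1102: 1}
SAMPLE = [eid for eid, n in SAMPLE_COUNTS.items() for _ in range(n)]


if __name__ == "__main__":
    report = noise_report(SAMPLE, window_s=60)
    print(f"EPS {report['eps_before']} -> {report['eps_after']} if 4663/4658 are dropped "
          f"({report['dropped_share']:.1%} of volume; alert level lost: {report['dropped_levels']})")
    print("noisy IDs present per the table comments:", report["noisy_seen"])
    print("top event IDs:", report["top"])
```

On the constructed sample the two events carry about 78% of the volume and drop the rate from roughly 25 to 5.5 EPS, and both map to AdvObjective15 at Snare = Warning, so what is given up is Warning-level object access detail, not any of the Critical events in AdvObjective1. Replace `SAMPLE` with the event IDs from a real capture window to get the figures for your own hosts.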