Example of the Telemetry events generated by a Snare Enterprise Agent for Windows:
| Info | ||
|---|---|---|
| ||
This example shows the events in Snare format. The first four fields are the event header and may be formatted differently in other event formats (i.e. SYSLOG) |
...
. |
Example with checksums:
1. Formats
The following formats are possible formats for telemetry events:
SNARE
<Hostname> TelemetryLog <SeverityLevel> <TimeCreated(YYYY-MM-DD HH:MM)> <MetricType> <InstanceName> <EventName> <Value>SNARE V2
<Hostname> TelemetryLog <SeverityLevel> {"Event":{"Data":{"MetricType":"<MetricType>","InstanceName":"<InstanceName>","EventName":"<EventName>","Value":"<Value>"},"System":{"TimeCreated":{"SystemTime":"<SystemTime(YYYY-MM-DDTHH:MM.ssssssZ)>","LocalTime":"<LocalTime(YYYY-MM-DDThh:mm:ss.ssssss±hh:mm)>"}}}} SYSLOG (RFC3164)
<<SyslogPriority>><TimeCreated(MMM DD HH:MM:SS)> <Hostname> TelemetryLog <SeverityLevel> <TimeCreated(YYYY-MM-DD HH:MM)> <MetricType> <InstanceName> <EventName> <Value>SYSLOG Alt (RFC5424 Compatible)
<<SyslogPriority>><TimeCreated(MMM DD HH:MM:SS)> <Hostname> TelemetryLog[<SeverityLevel>]:<TimeCreated(YYYY-MM-DD HH:MM)> <MetricType> <InstanceName> <EventName> <Value>SYSLOG (RFC5424)
<<SyslogPriority>><SyslogVersion> <TimeCreated(YYYY-MM-DDThh:mm:ss.ssssss±hh:mm)> <Hostname> <ProductName> - TelemetryLog - <SeverityLevel> <TimeCreated(YYYY-MM-DD HH:MM)> <MetricType> <InstanceName> <EventName> <Value>CEF
<TimeCreated(MMM DD HH:MM:SS)> <Hostname> CEF:<CEFVersion>|<CompanyName>|<ProductName>|<ProductVersion>|TelemetryLog|<EventName>|<CEFSeverity>|value=<Value> dvchost=<Hostname> msg=<YYYY-MM-DD>|<hh:mm:ss>|<MetricType>|<InstanceName>|<EventName>|<Value>LEEF
<TimeCreated(MMM DD HH:MM:SS)> <Hostname> LEEF:<LEEFVersion>|<CompanyName>|<ProductName>|<ProductVersion>|TelemetryLog|URL=TelemetryLog sev=<LEEFSeverity> resource=<Hostname> value=<Value> msg=<TimeCreated(YYYY-MM-DD HH:MM)> <MetricType> <InstanceName> <EventName> <Value>SYSLOG JSON
<<SyslogPriority>><SyslogVersion> <TimeCreated(YYYY-MM-DDThh:mm:ss.ssssss±hh:mm)> <Hostname> <ProductName> - TelemetryLog - <SeverityLevel> {"Event":{"Data":{"MetricType":"<MetricType>","InstanceName":"<InstanceName>","EventName":"<EventName>","Value":"<Value>"}}}2. Telemetry Event Fields
Below is a table describing the contents of a FIM Telemetry Event generated by Snare Agent.
| Field | Type | Description |
|---|---|---|
| Hostname | String | The host name of the originating computer. |
| EventType | String | FIMLog TelemetryLog - the type of event generated. |
SecurityLevelSeverityLevel | Integer | The severity level (Criticality) of the generated event. |
| EventTimeTimeCreated | Datetime | The time at which the modification telemetry event was detected. (YYYY-MM-DDThh:mm:ss) |
| DigestType | String | SHA512 - the hashing algorithm used. |
| EventAction | String | One of CHANGE, DELETE, RENAME or NEW. |
| ObjectType | String | FILE |
| ObjectName | String | The full path name of the object that has been added, removed, changed or renamed. |
| ObjectSize | Integer | The size of the object in bytes after the modification. |
| ObjectOwner | String | The owner of the object that the change was detected on. |
| ObjectMTime | Datetime | The modification time (mtime) of the object when the change is detected. (YYYY-MM-DDThh:mm:ss) |
| ObjectDigest | String | The calculated digest (checksum) value. |
| ObjectAttributes | Integer | The attributes of the object as a bit-wise integer value. |
| PrevObjectName | String | The name of the object that had been added, removed, changed or renamed from the previous scan or empty if no previous object exists. |
| PrevObjectSize | Integer | The size of the object in bytes from the previous scan. 0 if no previous object exists. |
| PrevObjectOwner | String | The owner of the object from the previous scan. Empty string if no previous object exists. |
| PrevObjectMTime | Datetime | The modification time (mtime) of the object from the previous scan or empty if no previous object exists. (YYYY-MM-DDThh:mm:ss) |
| PrevObjectDigest | String | The calculated digest (checksum) value from the previous scan. Empty string if no previous object exists. |
| PrevObjectAttributes | Integer | The attributes of the object from the previous scan as bit-wise integer value. 0 if no previous object existscreated. The format of the time depends on the log format that is selected. |
| MetricType | String | This is the hardware component source of the event; Events from the CPU, Disk, Memory or Network can be collected and are labelled as CPU, DSK, MEM or NET respectively. |
InstanceName | String | The name of the hardware interface the event is sourced. For example, if events from the Disk (DSK) are collected, there may be multiple storage interfaces present such as HarddiskVolume1, HarddiskVolume2, etc. |
| EventName | String | The name of the metric of the hardware interface. Given a hardware interface named by it's InstanceName, the EventName denotes the metric of the interface that is collected. Eg, EventName: ' % Free Space' from InstanceName:'HarddiskVolume1' |
| Value | Float | The value of the metric. |
| EventChecksum (Optional) | String | The calculated SHA3-512 hash of the event excluding the EventChecksum field; this is additional optional data that may be set in the Event Options settings of the Agent. |
| EventSourceId (Optional) | String | Configurable ID/string for identifying the agent/host. This is also optional data like the EventChecksum and is selected likewise. |
Please refer to The Web User Interface (UI) → File Integrity Monitoring page → Log Sources → Telemetry page in this User Guide for instructions on how to configure periodic FIM Telemetry scans in the Snare Agent.
...