Info

FAM and RAM functionality is available starting from Snare Agent for Windows v5.6.0.


The following three steps must be performed before Snare can capture FAM / RAM events.

1. Enable FAM / RAM Events in Windows Security Policy

Info

This step is done automatically in Snare Agents v5.7.1 or newer, assuming the following setting in General Configuration is checked:

[Screenshot: setting in General Configuration]

Open the Windows Security Policy (from Control Panel / Administrative Tools on the local machine, or via GPO on the Domain Controller) and enable the following settings:

If audit policy cannot be enabled in "Security Options" then it needs to be enabled

This setting will enable auditing for all system objects, including the File system and Registry. This can flood the security log. Unless required, it is strongly recommended to turn on auditing only for the File system and Registry in "Advanced Audit Policy Configurations":

...
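
An added example (not taken from the Snare documentation) of the narrower approach recommended above: it uses the built-in `auditpol.exe` to enable only the File System and Registry subcategories, then reads the policy back and lists any other Object Access subcategories that are still generating events. It assumes an elevated PowerShell session and English subcategory names, which are localized on non-English installs.

```powershell
# Added example, not part of the Snare documentation.
# Assumptions: elevated PowerShell session, English-language Windows.

$wanted = 'File System', 'Registry'

# Stop early if the session is not elevated; auditpol cannot change policy otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Enable success and failure auditing for the two subcategories only,
# rather than the whole Object Access category.
foreach ($name in $wanted) {
    & auditpol.exe /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol.exe could not set subcategory '$name' (exit code $LASTEXITCODE)."
    }
}

# Read the effective Object Access policy back in CSV form (/r) and parse it.
$policy = & auditpol.exe /get /category:"Object Access" /r |
    Where-Object { $_ } |
    ConvertFrom-Csv

# Confirm the two subcategories are now audited.
$policy |
    Where-Object { $_.Subcategory -in $wanted } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize

# List any other Object Access subcategories that are still enabled;
# these are the ones that can flood the Security log.
$noisy = $policy | Where-Object {
    $_.Subcategory -notin $wanted -and $_.'Inclusion Setting' -ne 'No Auditing'
}
if ($noisy) {
    Write-Warning 'Other Object Access subcategories are also being audited:'
    $noisy | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
}
```

Enabling the subcategories only makes auditing possible; events are written for objects that also carry an audit entry, which is the part the agent setting described below takes care of.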

It is recommended to enable the following setting in "General Configuration" of the Snare Agent; Snare can then take care of enabling auditing on File / Folder / Registry.

[Screenshot: setting in General Configuration]


This setting can also be enabled manually by the user, via the following steps:

...