Example of the Telemetry events generated by a Snare Enterprise Agent for Windows:
| Info | ||
|---|---|---|
| ||
This example shows the events in Snare format. The first four fields are the event header and may be formatted differently in other event formats (i.e. SYSLOG) |
...
. |
Example with checksums:
1. Formats
The following formats are possible formats for telemetry events:
SNARE
<Hostname> TelemetryLog <SeverityLevel> <TimeCreated(YYYY-MM-DD HH:MM)> <MetricType> <InstanceName> <EventName> <Value>SNARE V2
<Hostname> TelemetryLog <SeverityLevel> {"Event":{"Data":{"MetricType":"<MetricType>","InstanceName":"<InstanceName>","EventName":"<EventName>","Value":"<Value>"},"System":{"TimeCreated":{"SystemTime":"<SystemTime(YYYY-MM-DDTHH:MM.ssssssZ)>","LocalTime":"<LocalTime(YYYY-MM-DDThh:mm:ss.ssssss±hh:mm)>"}}}} SYSLOG (RFC3164)
<<SyslogPriority>><TimeCreated(MMM DD HH:MM:SS)> <Hostname> TelemetryLog <SeverityLevel> <TimeCreated(YYYY-MM-DD HH:MM)> <MetricType> <InstanceName> <EventName> <Value>SYSLOG Alt (RFC5424 Compatible)
<<SyslogPriority>><TimeCreated(MMM DD HH:MM:SS)> <Hostname> TelemetryLog[<SeverityLevel>]:<TimeCreated(YYYY-MM-DD HH:MM)> <MetricType> <InstanceName> <EventName> <Value>SYSLOG (RFC5424)
<<SyslogPriority>><SyslogVersion> <TimeCreated(YYYY-MM-DDThh:mm:ss.ssssss±hh:mm)> <Hostname> <ProductName> - TelemetryLog - <SeverityLevel> <TimeCreated(YYYY-MM-DD HH:MM)> <MetricType> <InstanceName> <EventName> <Value>CEF
<TimeCreated(MMM DD HH:MM:SS)> <Hostname> CEF:<CEFVersion>|<CompanyName>|<ProductName>|<ProductVersion>|TelemetryLog|<EventName>|<CEFSeverity>|value=<Value> dvchost=<Hostname> msg=<YYYY-MM-DD>|<hh:mm:ss>|<MetricType>|<InstanceName>|<EventName>|<Value>LEEF
<TimeCreated(MMM DD HH:MM:SS)> <Hostname> LEEF:<LEEFVersion>|<CompanyName>|<ProductName>|<ProductVersion>|TelemetryLog|URL=TelemetryLog sev=<LEEFSeverity> resource=<Hostname> value=<Value> msg=<TimeCreated(YYYY-MM-DD HH:MM)> <MetricType> <InstanceName> <EventName> <Value>SYSLOG JSON
<<SyslogPriority>><SyslogVersion> <TimeCreated(YYYY-MM-DDThh:mm:ss.ssssss±hh:mm)> <Hostname> <ProductName> - TelemetryLog - <SeverityLevel> {"Event":{"Data":{"MetricType":"<MetricType>","InstanceName":"<InstanceName>","EventName":"<EventName>","Value":"<Value>"}}}2. Telemetry Event Fields
Below is a table describing the contents of a Telemetry Event generated by Snare Agent.
| Field | Type | Description |
|---|---|---|
| Hostname | String | The host name of the originating computer. |
| EventType | String | TelemetryLog - the type of event generated. |
SecurityLevelSeverityLevel | Integer | The severity level (Criticality) of the generated event. |
| TimeCreated | Datetime | The time at which the telemetry event was . (YYYY-MM-DDThh:mm:ss) |
| DigestType | String | SHA512 - the hashing algorithm used. |
| EventAction | String | One of CHANGE, DELETE, RENAME or NEW. |
| MetricType | String | CPU|DSK|MEM|NET |
InstanceName (May change to ObjectName)created. The format of the time depends on the log format that is selected. | ||
| MetricType | String | This is the hardware component source of the event; Events from the CPU, Disk, Memory or Network can be collected and are labelled as CPU, DSK, MEM or NET respectively. |
InstanceName | String | The name of the hardware interface the event is sourced. For example, if events from the Disk (DSK) are collected, there may be multiple storage interfaces present such as HarddiskVolume1, HarddiskVolume2, etc. |
| EventName | String | The name of the metric of the hardware interface. Given a hardware interface named by it's InstanceName, the EventName denotes the metric of the interface that is collected. Eg, EventName: ' % Free Space' from InstanceName:'HarddiskVolume1' |
| Value | Float | The value of the metric. | ObjectOwner
| EventChecksum (Optional) | String | The | owner of the object that the change was detected on.
| ObjectMTime | Datetime | The modification time (mtime) of the object when the change is detected. (YYYY-MM-DDThh:mm:ss) |
| EventChecksum | String | The calculated digest (checksum) valuecalculated SHA3-512 hash of the event excluding the EventChecksum field; this is additional optional data that may be set in the Event Options settings of the Agent. |
| EventSourceId (Optional) | String | Configurable ID/string for identifying the agent/host. This is also optional data like the EventChecksum and is selected likewise. |
Please refer to The Web User Interface (UI) → File Integrity Monitoring page → Log Sources → Telemetry page in this User Guide for instructions on how to configure periodic FIM Telemetry scans in the Snare Agent.
...