The Agents | Agent Management | Agent Policies page lets you manage the configuration and policies of Snare Enterprise Agents. Snare Enterprise Agents connected to SAM can periodically pull their configuration from SAM.
Info: This functionality is available starting from Snare Agent Manager v2.0.0, and allows managing the configuration of Snare Enterprise Agents starting from version 5.8.0.
Customers who use AMC to push configuration to the Agents from Snare Central are encouraged to migrate to this new pull mechanism. Please see the AMC to SAM Migration Guide for details.
The Agent Policies page in SAM allows you to:
Create Groups of Agents using a variety of filters, such as Agent type, version range, IP filters, Hostname regular expression
Automatically assign an Agent to a group, based on group filters
Assign Master Configuration to a group, loaded from either an Agent or from a file
Edit selected fields in master configuration
Configure frequency with which Agents in a group will be connecting to SAM to check for configuration updates
Provide an updated configuration to the connected Agents
Review the Agents assigned to a group and see their configuration status
Prerequisites
A license supporting the “Agent Management Console” feature has been uploaded to SAM (or Snare Central if SAM is running on the Snare Central server)
Agent Policies are enabled using the slider on the Agent Policies page:
Creating Agents Group
Note: all Agents connected to SAM that match the group will become managed by SAM only. Their local configuration will be locked for editing. To keep the Master Agent editable, exclude it during Group Creation by using the Manage Master Agent checkbox (leave unchecked) or by using an IP Regex or Hostname Regex filter.
Click Add New Agent Group icon in Agent Groups panel
Group Name - descriptive name of the Agents Group.
Parent Group - select the parent group.
Note: at this stage only 1 level of nested groups is allowed.
Type of Agent - select from the list of the supported Snare Enterprise Agents. Only one Agent Type can be managed by a group.
Version Range - select the range of Agent versions to be managed by this group. Custom range can be defined if required.
Polling Frequency (mins) - after how many minutes the Agents that are matched to this group will check for configuration updates. Note: the actual frequency of pulling configuration may vary by +/- 5 minutes for load distribution purposes.
Note: Frequent policy checks may cause very high CPU usage by SAM. It is recommended to set polling frequency at 90-120 minutes or higher for optimal SAM performance.
Master Configuration - needs to be provided in order to create a group. Master configuration can be obtained from either:
Agent - provide the address (IP or hostname), port and password of an installed and pre-configured Snare Agent of the same type and version as this group. The Agent needs to be on the same network and have its web port enabled for the connection to work correctly.
File - provide JSON configuration file, exported from the Snare Agent of the same type and version.
Info: Double-check that the Master Configuration has SAM IP address configured correctly, so that Agents that pull this configuration stay connected to this SAM.
Click GET MASTER CONFIG button to load the Master Configuration
Caution! Once the Agent applies the remote configuration from SAM, its settings get locked, and can not be managed locally anymore. We recommend excluding the Master Agent during Group Creation using Group’s filters to allow future local editing of policies if required. This may be useful, as not all settings are editable via SAM.
Manage Master Agent - leave this checkbox unchecked if you wish the Master Agent’s configuration to not be managed by SAM, and remain editable locally. Master Agent will be automatically assigned to Unmanaged Agents group. You can explicitly delete it from Unmanaged Agents group in the future, to make it managed by SAM.
If Manage Master Agent checkbox is checked (use with caution!), the Master Agent’s configuration will be remotely managed by SAM exclusively, meaning it will not be editable via Agent UI or local config anymore, even if the checkbox is unchecked in the future.
Note: this setting applies to both Agent and File sources of master configuration.
IP Filters - optionally, Agents to be managed by this group can be filtered by:
IP Netmask - select IP Address and Netmask
CIDR Block - select IP Address and CIDR
IP Regex - regular expression to match agent IP against
Optionally, click ADD IP FILTER button to add up to 5 255 IP filters. Agent installed on a machine that matches ANY of these filters will be managed by this group.
Hostname Regex - optionally, further filter the Agents managed by this group by defining a hostname regular expression.
Click Add to create a group of Agents.
Info: Agents that match the filters defined in this Group will be automatically assigned to this group, and will be able to pull this group’s Master Configuration next time they connect to SAM. Agents will be periodically checking for configuration updates, the frequency of polling can be configured per group.
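To see which Agents a set of group filters would capture (and lock) before clicking Add, the filter rules described above can be modelled offline. This is an added example, not Snare code: the Group class, the inventory records, the version bounds and the regex semantics (unanchored search) are assumptions, and SAM's own matching may differ in detail.

```python
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class Group:  # hypothetical model of a SAM Agent Group, not Snare's schema
    agent_type: str
    min_version: tuple   # inclusive, e.g. (5, 8, 0)
    max_version: tuple   # inclusive
    ip_filters: list = field(default_factory=list)  # (kind, value) pairs
    hostname_regex: str = ""

def ip_filter_hits(kind, value, ip):
    if kind in ("cidr", "netmask"):
        # ip_network parses "10.20.0.0/16" and "10.20.0.0/255.255.0.0" alike
        return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)
    return re.search(value, ip) is not None  # kind == "regex"; assumed unanchored

def matches(group, agent):
    if agent["type"] != group.agent_type:
        return False
    if not (group.min_version <= agent["version"] <= group.max_version):
        return False
    # IP filters are optional; a hit by ANY filter on ANY agent IP is enough
    if group.ip_filters and not any(ip_filter_hits(k, v, ip)
            for k, v in group.ip_filters for ip in agent["ips"]):
        return False
    # the hostname regex, when set, narrows the result further
    if group.hostname_regex and not re.search(group.hostname_regex, agent["hostname"]):
        return False
    return True

def dry_run(group, inventory):
    """Hostnames that would become managed (and locally locked) by this group."""
    return sorted(a["hostname"] for a in inventory if matches(group, a))

# Constructed inventory; "snare-master" stands in for the Master Agent
INVENTORY = [
    {"type": "windows", "version": (5, 8, 1), "ips": ["10.20.1.15"], "hostname": "ws-fin-015"},
    {"type": "windows", "version": (5, 8, 1), "ips": ["10.20.1.10"], "hostname": "snare-master"},
    {"type": "windows", "version": (5, 7, 0), "ips": ["10.20.1.16"], "hostname": "ws-fin-016"},
    {"type": "linux", "version": (5, 8, 0), "ips": ["10.20.1.20"], "hostname": "lx-fin-020"},
    {"type": "windows", "version": (5, 8, 0), "ips": ["192.168.5.7", "10.20.3.9"], "hostname": "ws-hr-007"},
]

WIDE = Group("windows", (5, 8, 0), (5, 99, 99), [("netmask", "10.20.0.0/255.255.0.0")])
SAFE = Group("windows", (5, 8, 0), (5, 99, 99), [("cidr", "10.20.0.0/16")], r"^ws-")
print(dry_run(WIDE, INVENTORY))  # ['snare-master', 'ws-fin-015', 'ws-hr-007']
print(dry_run(SAFE, INVENTORY))  # ['ws-fin-015', 'ws-hr-007']
```

The WIDE group would lock the Master Agent along with the workstations; adding the hostname regex in SAFE keeps it out while still capturing the multi-homed host through its second IP.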
Viewing Group Details
Select a group in the left panel.
Click the Group Name tab in the right panel
This panel displays Group Details at the top, including:
Agent Types (i.e. Snare Agent for Windows, Snare Agent for Linux, etc.). At the moment only one Agent Type can be managed by a group
Version Range - range of Agent versions managed by this group
Polling Frequency (mins) - after how many minutes the Agents that are matched to this group will check for configuration updates
IP Filters - IP filters for Agents managed by this group
Hostname Regex - hostname filter for Agents managed by this group
Creation Time - time when the group was created (local server time)
Update Time - time when the group was last updated (local server time)
Viewing Agents Assigned to the Group
Select a group in the left panel.
Click Group Name tab in the right panel
This panel displays Group Details followed by the paginated list of Agents assigned to this group.
For each Agent the following details are displayed:
Snare Agent Type
Snare Agent Version
IPs and hostname of the machine the Agent is installed on
Last Seen - date and time when the agent last connected to SAM to check for configuration update
Last Update - date and time when the agent last pulled the configuration from SAM
Status can be one of the following:
Pending - the Agent did not yet pull the Master Configuration from SAM
Up to Date - the Agent is up to date with current Master Configuration
Out of Date - the Agent encountered errors applying current Master Configuration.
Click on the status to see the error details, or which parts of configuration are out of date.
Fix the Master Configuration if needed.
Standalone - the Agent belongs to a top-level group that has no Master Configuration, hence its local configuration applies.
Unconfigurable - the Agent belongs to a top-level group that has no Master Configuration, but it used to belong to another group, so last group’s Master Config applies. This Agent is still in “Remote” management mode and cannot be locally configured, hence the name of the status.
Action
Click ellipsis in Agent row to perform operations on an Agent in this group.
Delete - Snare Agent can be deleted from a group. This may be useful for removal of disconnected agents. If the Agent connects again, it will be treated as a new Agent, and will be assigned to the first matching group again.
Viewing Group’s Master Configuration
Select a group in the left panel.
Click Master Configuration tab in the right panel.
On top of the panel basic details of the Master Configuration are displayed:
Name - auto-generated name
Master Configuration Version - starts at 1.0.0 and auto-increments every time the group's Master Configuration is modified
Last Updated - time stamp of last Master Configuration update for this group (in local server time)
Followed by:
Source Agent section that provides details of the Master Configuration origin, including Agent Type, hostname, version and IP(s).
Followed by:
Agent Configuration sections, for example: Destination Configuration, General Configuration, etc. These sections may vary for different Agent Types.
Updating Group’s Master Configuration
There are 3 ways to update the Master Configuration:
Edit Master Configuration in SAM
Select a group in the left panel.
Click Master Configuration tab in the right panel
Find a setting you wish to edit and if it is editable, edit its value.
Click Edit button to save changes
Edit Network/File Destination Configuration
Expand Destination Configuration
Expand Network or File Destination
Edit DestinationX, where X is the index of the available destination
Edit available settings for a destination
Click Edit button to save changes
Add Network/File Destination Configuration
Click the icon, located on right side of Network/File Destination
Enter settings for Network/File Destination
Click Add button to add the Network/File Destination
Add/Edit Windows Audit Policies (Only for Enterprise Snare/Snare Desktop/Snare WEC)
Expand Audit Policy Configuration
Edit Audit Policy
Click Edit button to save the changes
To add new audit policy, click the icon, located on right side of Audit Policy Configuration
Click Add button to save changes
Add/Edit File Audit Policy (FAM) / Registry Audit Policy (RAM) (Only for Enterprise Snare/Snare Desktop/Snare WEC)
Expand FAM / RAM
Expand FAMx / RAMx, where x is the index of the FAM / RAM policy
To add new FAM / RAM, click the icon, located on right side of FAM / RAM
Click Add button to save changes
Get Master Configuration from an Agent
Select a group in the left panel.
Click ellipsis (…) and Select Edit
In Update Agent Group dialog, under Master Configuration section, enter details of the pre-configured Agent
Click GET MASTER CONFIG
Click Edit
Get Master Configuration from a JSON file
Pre-configure Snare Agent and export its configuration into JSON file
(see relevant Agent Type’s User Guide | Managing Agent Configuration | Snare Agent Manager | Exporting Agent Configuration as JSON)
Select a group in the left panel.
Click ellipsis (…) and Select Edit
In Update Agent Group dialog, under Master Configuration section, provide path to the JSON file
Click GET MASTER CONFIG
Click Edit
After the Master Configuration is updated, the Agents assigned to the group will get this configuration next time they connect to SAM (based on the configured polling frequency)
Updating Group Details
Click on a Group in the left panel.
Click ellipsis (…) and Select Edit
In the Update Agent Group dialog, update details as required
Click Edit
The Agents will be automatically reassigned to match the group filters, and will be managed by this group next time they connect to SAM.
Deleting a Group
Click on a Group in the left panel.
Click ellipsis (…) and Select Delete
In the confirmation dialog select Delete
The Agents will be automatically reassigned to other matching groups
Viewing non-managed Agents
Agents that do not belong to any user-defined Group will belong to one of the pre-defined groups:
Unsupported Agents
Select Unsupported Agents group in the left panel
In the right panel see group details and the list of its Agents.
These are Snare Agents from versions earlier than 5.8.0 that are connected to this SAM.
The configuration of these Agents can not be managed.
Unsupported Agents group serves as a reminder to upgrade these Snare Agents in order to be able to manage their configuration via SAM.
Supported Agents
Select Supported Agents group in the left panel
In the right panel see group details and the list of Agents.
These are Snare Agents version 5.8.0 or newer that are connected to this SAM but do not match any user-defined group, hence their configuration is not managed by SAM.
Unmanaged Agents
Select Unmanaged Agents group in the left panel
In the right panel see group details and the list of Agents.
These are Snare Agents version 5.8.0 or newer whose configuration is not managed by SAM.
An agent is added to this group if its configuration is used as a master for one of the user-defined groups, and user opted to not manage the master agent when creating or updating the group:
To allow the Agent to be managed again, delete the Agent from the Unmanaged Agents group.
The Agent will get assigned to first matching group next time it connects to SAM.