Before Snare can capture FAM / RAM events, the following three steps must be performed.
1. Enable FAM / RAM Events in Windows Security Policy
Open the Windows Security Policy (from Control Panel / Administrative Tools on the local machine, or via GPO on a Domain Controller) and enable the following settings:
If the audit policy cannot be enabled under "Security Options", it needs to be enabled under "Advanced Audit Policy Configuration":
2. Enable Auditing on File / Folder / Registry
It is recommended to enable the following settings in "General Configuration"; Snare can then take care of enabling auditing on the File / Folder / Registry.
This setting can also be enabled manually by the user. To enable it manually, follow these steps:
- Right click the File / Folder => Properties
- Security tab => Advanced
- Auditing tab => Add
- Select auditing settings as per requirement
For registry:
- Right click => Permissions
- Advanced
- Auditing tab => Add
- Select auditing settings as per requirement
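The same manual SACL configuration, done from PowerShell instead of the Properties dialog, as an added example that is not part of Snare's own documentation or code. The folder path, registry key, principal and rights below are constructed assumptions; the auditpol subcategory names at the end are my assumption about which Object Access subcategories these SACLs depend on, not settings listed on this page.

```powershell
# Added example (not Snare's own code): mirrors "Auditing tab => Add" for a folder
# and a registry key. Paths, principal and rights are constructed assumptions.
#Requires -RunAsAdministrator

$folder    = 'C:\Temp\FamWatch'            # assumed folder to audit (created if missing)
$regKey    = 'HKLM:\SOFTWARE\FamRamDemo'   # assumed registry key to audit (created if missing)
$principal = 'Everyone'                    # SACLs are usually set for Everyone; filter in Snare

New-Item -ItemType Directory -Path $folder -Force | Out-Null
New-Item -Path $regKey -Force | Out-Null

# --- File / Folder: audit successful and failed writes/deletes, inherited by children ---
$fileRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $principal,
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $folder -Audit        # -Audit is required to read and write the SACL
$acl.AddAuditRule($fileRule)
Set-Acl -Path $folder -AclObject $acl      # needs SeSecurityPrivilege, hence elevation

# --- Registry: same idea with RegistryAuditRule ---
$regRule = [System.Security.AccessControl.RegistryAuditRule]::new(
    $principal,
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$regAcl = Get-Acl -Path $regKey -Audit
$regAcl.AddAuditRule($regRule)
Set-Acl -Path $regKey -AclObject $regAcl

# --- Verify: read both SACLs back (explicit and inherited rules, as NTAccount names) ---
$nt = [System.Security.Principal.NTAccount]
(Get-Acl -Path $folder -Audit).GetAuditRules($true, $true, $nt) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags
(Get-Acl -Path $regKey -Audit).GetAuditRules($true, $true, $nt) |
    Format-Table IdentityReference, RegistryRights, AuditFlags

# Assumption: these Object Access subcategories must be enabled (step 1) or the SACLs
# above generate no events. Read-only check; the policy itself is set as in step 1.
auditpol /get /subcategory:"File System"
auditpol /get /subcategory:"Registry"
```

If the verification output shows no audit rules, Set-Acl was most likely run without the privilege to write SACLs; re-run the script from an elevated session.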
3. Create FAM / RAM Audit Policy
This can be done by creating a FAM / RAM audit policy in Snare. See the details on the "Audit Policy Configuration" page in the documentation.
The order of these three steps is not important, but Snare will not capture FAM / RAM events until all three steps have been performed.