
The following three steps must be performed before Snare can capture FAM / RAM events.

1. Enable FAM / RAM Events in Windows Security Policy

Open the Windows Security Policy (from Control Panel / Administrative Tools on the local machine, or via GPO on a Domain Controller) and enable the following settings:

This setting enables auditing for all system objects, including the File system and Registry, which can flood the security log. Unless required, it is strongly recommended to turn on auditing only for the File system and Registry in "Advanced Audit Policy Configuration":


2. Enable Auditing on File / Folder / Registry

It is recommended to enable the following settings in "General Configuration"; Snare can then take care of enabling the auditing on File / Folder / Registry.


This setting can also be enabled manually by the user. To enable it manually, follow these steps:

  • Right click the File / Folder => Properties
  • Security tab => Advanced
  • Auditing tab => Add
  • Select auditing settings as per requirement

For registry: 

  • Right click the key => Permissions
  • Advanced
  • Auditing tab => Add
  • Select auditing settings as per requirement


3. Create FAM / RAM Audit Policy

This is done by creating a FAM / RAM audit policy in Snare. See the "Audit Policy Configuration" page in the documentation for details.


The order of these three steps is not important, but Snare will not capture FAM / RAM events until all three have been performed.
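As an added example (not code from this page or from Snare), the following PowerShell performs steps 1 and 2 from an elevated prompt: it enables only the File System and Registry subcategories of the Advanced Audit Policy and adds audit (SACL) entries to a folder and a registry key. The folder path, registry key and the Everyone principal are assumptions to adapt; step 3 is still done in Snare's audit policy configuration.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Snare documentation: performs step 1
# (Advanced Audit Policy subcategories) and step 2 (file and registry SACLs).
# Step 3 (the Snare FAM / RAM audit policy) is still done in Snare.

$FolderToAudit = 'C:\SensitiveData'          # assumed path; change to your folder
$RegKeyToAudit = 'HKLM:\SOFTWARE\ExampleApp'  # assumed key; change to your key
$Principal     = 'Everyone'                   # audit every account touching them

# Step 1: enable only the "File System" and "Registry" subcategories rather
# than the whole "Audit object access" category, so other object types do
# not flood the Security log.
foreach ($sub in 'File System', 'Registry') {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Step 2a: folder SACL. Audit writes, deletes and permission changes on the
# folder, its subfolders and files, for both successful and failed attempts.
if (-not (Test-Path $FolderToAudit)) { New-Item -ItemType Directory -Path $FolderToAudit | Out-Null }
$fileRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$fileAcl = Get-Acl -Path $FolderToAudit -Audit
$fileAcl.AddAuditRule($fileRule)
Set-Acl -Path $FolderToAudit -AclObject $fileAcl

# Step 2b: registry SACL. Audit value writes, subkey create/delete and
# permission changes on the key and every subkey beneath it.
if (-not (Test-Path $RegKeyToAudit)) { New-Item -Path $RegKeyToAudit -Force | Out-Null }
$regRule = [System.Security.AccessControl.RegistryAuditRule]::new(
    $Principal,
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$regAcl = Get-Acl -Path $RegKeyToAudit -Audit
$regAcl.AddAuditRule($regRule)
Set-Acl -Path $RegKeyToAudit -AclObject $regAcl

# Verify: both subcategories should report "Success and Failure", and both
# SACLs should list the rule just added.
foreach ($sub in 'File System', 'Registry') { auditpol.exe /get /subcategory:"$sub" }
(Get-Acl -Path $FolderToAudit -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
(Get-Acl -Path $RegKeyToAudit -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
```

Once both SACLs and subcategories are in place, object access events for the folder and key appear in the Security log, which is where Snare reads them once the FAM / RAM policy from step 3 exists.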
