
The Agents | Agent Management | Agent Policies page lets you manage the configuration and policies of Snare Enterprise Agents. Snare Enterprise Agents connected to SAM can periodically pull their configuration from SAM.

This functionality is available starting from Snare Agent Manager v2.0.0, and can manage the configuration of Snare Enterprise Agents starting from version 5.8.0.

Customers who use AMC to push configuration to the Agents from Snare Central are encouraged to migrate to this new pull mechanism. Please see AMC to SAM Migration Guide for details.

The Agent Policies page in SAM lets you:

  • Create Groups of Agents using a variety of filters, such as Agent type, version range, IP filters, Hostname regular expression

  • Automatically assign an Agent to a group, based on group filters

  • Assign Master Configuration to a group, loaded from either an Agent or from a file

  • Edit selected fields in master configuration

  • Configure the frequency with which Agents in a group connect to SAM to check for configuration updates

  • Provide an updated configuration to the connected Agents

  • Review the Agents assigned to a group and see their configuration status 


Prerequisites

  • A license supporting “Agent Management Console” feature was uploaded to SAM (or Snare Central if SAM is running on the Snare Central server)

  • Agent Policies are enabled using the slider on the Agent Policies page.

Creating Agents Group

Note: all Agents connected to SAM that match the group will become managed by SAM only. Their local configuration will be locked for editing. To keep the Master Agent editable, exclude it during Group Creation by leaving the Manage Master Agent checkbox unchecked or by using an IP Regex or Hostname Regex filter.

  • Click Add New Agent Group icon in Agent Groups panel

  • Group Name - descriptive name of the Agents Group.

  • Parent Group - select the parent group.
    Note: at this stage only 1 level of nested groups is allowed.

  • Type of Agent - select from the list of the supported Snare Enterprise Agents. Only one Agent Type can be managed by a group.

  • Version Range - select the range of Agent versions to be managed by this group. Custom range can be defined if required.

  • Polling Frequency (mins) - the interval, in minutes, at which Agents matched to this group check for configuration updates. Note: the actual frequency of pulling configuration may vary by +/- 5 minutes for load distribution purposes.

Frequent policy checks may cause very high CPU usage by SAM. It is recommended to set polling frequency at 90-120 minutes or higher for optimal SAM performance.


  • Master Configuration - needs to be provided in order to create a group. Master configuration can be obtained from either:

    • Agent - provide the address (IP or hostname), port and password of an installed and pre-configured Snare Agent of the same type and version as this group. The Agent needs to be on the same network and have its web port enabled for the connection to work correctly.

    • File - provide JSON configuration file, exported from the Snare Agent of the same type and version.

Double-check that the Master Configuration has SAM IP address configured correctly, so that Agents that pull this configuration stay connected to this SAM.

  • Click GET MASTER CONFIG button to load the Master Configuration

Caution! Once the Agent applies the remote configuration from SAM, its settings are locked and cannot be managed locally anymore. We recommend excluding the Master Agent during Group Creation using the Group’s filters to allow future local editing of policies if required. This may be useful, as not all settings are editable via SAM.

  • Manage Master Agent - leave this checkbox unchecked if you wish the Master Agent’s configuration to not be managed by SAM, and remain editable locally. Master Agent will be automatically assigned to Unmanaged Agents group. You can explicitly delete it from Unmanaged Agents group in the future, to make it managed by SAM.
    If Manage Master Agent checkbox is checked (use with caution!), the Master Agent’s configuration will be remotely managed by SAM exclusively, meaning it will not be editable via Agent UI or local config anymore, even if the checkbox is unchecked in the future.
    Note: this setting applies to both Agent and File sources of master configuration.

  • IP Filters - optionally, Agents to be managed by this group can be filtered by:

    • IP Netmask - select IP Address and Netmask

    • CIDR Block - select IP Address and CIDR

    • IP Regex - regular expression to match agent IP against

  • Optionally, click ADD IP FILTER button to add up to 5 IP filters. Agent installed on a machine that matches ANY of these filters will be managed by this group.

  • Hostname Regex - optionally, further filter the Agents managed by this group by defining a hostname regular expression.

  • Click Add to create a group of Agents.

Agents that match the filters defined in this Group will be automatically assigned to this group, and will be able to pull this group’s Master Configuration next time they connect to SAM.

Agents periodically check for configuration updates; the polling frequency can be configured per group.
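Because every Agent that matches a group has its local configuration locked, it is worth previewing a group's reach before clicking Add. The following is an added example, not SAM's own code: the inventory, field names and `preview` helper are hypothetical, and it assumes unanchored regex search and an inclusive version range, neither of which this page specifies.

```python
import ipaddress
import re

# Constructed inventory for illustration; not exported from SAM.
AGENTS = [
    {"hostname": "ws-001", "ips": ["10.1.4.20"], "type": "windows", "version": "5.8.1"},
    {"hostname": "ws-002", "ips": ["10.1.9.7"], "type": "windows", "version": "5.9.0"},
    {"hostname": "ws-master", "ips": ["10.1.4.5"], "type": "windows", "version": "5.8.1"},
    {"hostname": "ws-old", "ips": ["10.1.4.9"], "type": "windows", "version": "5.7.0"},
    {"hostname": "dmz-web", "ips": ["210.15.3.4"], "type": "windows", "version": "5.8.1"},
    {"hostname": "lnx-01", "ips": ["10.1.4.30"], "type": "linux", "version": "5.8.1"},
]

def ip_filter_matches(kind, value, ip):
    if kind in ("netmask", "cidr"):
        # ip_network parses both "10.1.0.0/255.255.0.0" and "10.1.0.0/16"
        return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)
    # "regex": unanchored search is an assumption about how SAM evaluates it
    return re.search(value, ip) is not None

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def agent_matches(group, agent):
    lo, hi = group["version_range"]
    if agent["type"] != group["agent_type"]:
        return False  # only one Agent Type per group
    if not version_tuple(lo) <= version_tuple(agent["version"]) <= version_tuple(hi):
        return False
    filters = group["ip_filters"]
    if len(filters) > 5:
        raise ValueError("a group accepts at most 5 IP filters")
    # An Agent matching ANY IP filter qualifies; an empty list means no IP restriction
    if filters and not any(ip_filter_matches(k, v, ip) for k, v in filters for ip in agent["ips"]):
        return False
    host_re = group["hostname_regex"]
    return not host_re or re.search(host_re, agent["hostname"]) is not None

def preview(group, agents):
    """Hostnames that would be assigned to the group and locked for local editing."""
    return sorted(a["hostname"] for a in agents if agent_matches(group, a))

# Unescaped, unanchored IP regex: "." matches any character, so 210.15.3.4 also matches.
LOOSE = {"agent_type": "windows", "version_range": ("5.8.0", "5.9.9"),
         "ip_filters": [("regex", "10.1.")], "hostname_regex": None}
# CIDR block plus a hostname regex that leaves the master agent (ws-master) out.
TIGHT = {"agent_type": "windows", "version_range": ("5.8.0", "5.9.9"),
         "ip_filters": [("cidr", "10.1.0.0/16")], "hostname_regex": r"^ws-\d+$"}

if __name__ == "__main__":
    print("loose:", preview(LOOSE, AGENTS))
    print("tight:", preview(TIGHT, AGENTS))
```

The loose filter captures `dmz-web` and the master agent; the tight one limits the group to the two intended workstations.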

Viewing Group Details

  • Select a group in the left panel.

  • Click the Group Name tab in the right panel
    This panel displays Group Details at the top, including:

    • Agent Types (e.g. Snare Agent for Windows, Snare Agent for Linux, etc.). At the moment only one Agent Type can be managed by a group

    • Version Range - range of Agent versions managed by this group

    • Polling Frequency (mins) - the interval, in minutes, at which Agents matched to this group check for configuration updates

    • IP Filters - IP filters for Agents managed by this group

    • Hostname Regex - hostname filter for Agents managed by this group

    • Creation Time - time when the group was created (local server time)

    • Update Time - time when the group was last updated (local server time)

Viewing Agents Assigned to the Group

  • Select a group in the left panel.

  • Click Group Name tab in the right panel
    This panel displays Group Details followed by the paginated list of Agents assigned to this group.
    For each Agent the following details are displayed:

    • Snare Agent Type

    • Snare Agent Version

    • IPs and hostname of the machine the Agent is installed on

    • Last Seen - date and time when the agent last connected to SAM to check for configuration update

    • Last Update - date and time when the agent last pulled the configuration from SAM

    • Status can be one of the following:

      • Pending - the Agent did not yet pull the Master Configuration from SAM

      • Up to Date - the Agent is up to date with current Master Configuration

      • Out of Date - the Agent encountered errors applying current Master Configuration.
        Click on the status to see the error details, or which parts of configuration are out of date.
        Fix the Master Configuration if needed.

      • Standalone - the Agent belongs to a top-level group that has no Master Configuration, hence its local configuration applies.

      • Unconfigurable - the Agent belongs to a top-level group that has no Master Configuration, but it used to belong to another group, so last group’s Master Config applies. This Agent is still in “Remote” management mode and cannot be locally configured, hence the name of the status.

    • Action
      Click the ellipsis (…) in the Agent row to perform operations on an Agent in this group.

      • Delete - Snare Agent can be deleted from a group. This may be useful for removal of disconnected agents. If the Agent connects again, it will be treated as a new Agent, and will be assigned to the first matching group again.

Viewing Group’s Master Configuration

  • Select a group in the left panel.

  • Click Master Configuration tab in the right panel.
    On top of the panel basic details of the Master Configuration are displayed:

    • Name - auto-generated name

    • Master Configuration Version - starts at 1.0.0 and auto-increments every time the group’s Master Configuration is modified

    • Last Updated - time stamp of last Master Configuration update for this group (in local server time)
      Followed by:

    • Source Agent section that provides details of the Master Configuration origin, including Agent Type, hostname, version and IP(s).
      Followed by:

    • Agent Configuration sections, for example: Destination Configuration, General Configuration, etc. These sections may vary for different Agent Types.

Updating Group’s Master Configuration

There are 3 ways to update the Master Configuration:

Edit Master Configuration in SAM

  • Select a group in the left panel.

  • Click Master Configuration tab in the right panel

  • Find a setting you wish to edit and if it is editable, edit its value.

  • Click Edit button to save changes

  • Edit Network/File Destination Configuration

    • Expand Destination Configuration

    • Expand Network or File Destination

    • Edit DestinationX, where X is the index of the available destination

    • Edit available settings for a destination

    • Click Edit button to save changes

  • Add Network/File Destination Configuration

    • Click the icon located on the right side of Network/File Destination

    • Enter settings for Network/File Destination

    • Click Add button to add the Network/File Destination

  • Add/Edit Windows Audit Policies (Only for Enterprise Snare/Snare Desktop/Snare WEC)

    • Expand Audit Policy Configuration

    • Edit Audit Policy

    • Click Edit button to save the changes

    • To add a new audit policy, click the icon located on the right side of Audit Policy Configuration

    • Click Add button to save changes

  • Add/Edit File Audit Policy (FAM) / Registry Audit Policy (RAM) (Only for Enterprise Snare/Snare Desktop/Snare WEC)

    • Expand FAM / RAM

    • Expand FAMx / RAMx, where x is the index of the FAM / RAM policy

    • To add a new FAM / RAM, click the icon located on the right side of FAM / RAM

    • Click Add button to save changes

Get Master Configuration from an Agent

  • Select a group in the left panel.

  • Click ellipsis (…) and Select Edit

  • In Update Agent Group dialog, under Master Configuration section, enter details of the pre-configured Agent

  • Click GET MASTER CONFIG

  • Click Edit

Get Master Configuration from a JSON file

  • Pre-configure Snare Agent and export its configuration into JSON file
    (see relevant Agent Type’s User Guide | Managing Agent Configuration | Snare Agent Manager | Exporting Agent Configuration as JSON)

  • Select a group in the left panel.

  • Click ellipsis (…) and Select Edit

  • In Update Agent Group dialog, under Master Configuration section, provide path to the JSON file

  • Click GET MASTER CONFIG

  • Click Edit

After the Master Configuration is updated, the Agents assigned to the group will get this configuration the next time they connect to SAM (based on the configured polling frequency).

Updating Group Details

  • Click on a Group in the left panel.

  • Click ellipsis (…) and Select Edit

  • In the Update Agent Group dialog, update details as required

  • Click Edit

The Agents will be automatically reassigned to match the group filters, and will be managed by this group next time they connect to SAM.

Deleting a Group

  • Click on a Group in the left panel.

  • Click ellipsis (…) and Select Delete

  • In the confirmation dialog select Delete

The Agents will be automatically reassigned to other matching groups.

Viewing non-managed Agents

Agents that do not belong to any user-defined Group will belong to one of the pre-defined groups:

Unsupported Agents

  • Select Unsupported Agents group in the left panel

  • In the right panel see group details and the list of its Agents.
    These are Snare Agents from versions earlier than 5.8.0 that are connected to this SAM.
    The configuration of these Agents cannot be managed.
    Unsupported Agents group serves as a reminder to upgrade these Snare Agents in order to be able to manage their configuration via SAM.

Supported Agents

  • Select Supported Agents group in the left panel

  • In the right panel see group details and the list of Agents.
    These are Snare Agents version 5.8.0 or newer that are connected to this SAM but do not match any user-defined group, hence their configuration is not managed by SAM.

Unmanaged Agents

  • Select Unmanaged Agents group in the left panel

  • In the right panel see group details and the list of Agents.
    These are Snare Agents version 5.8.0 or newer whose configuration is not managed by SAM.
    An Agent is added to this group if its configuration is used as a master for one of the user-defined groups, and the user opted not to manage the master agent when creating or updating the group.

  • To allow the Agent to be managed again, delete the Agent from the Unmanaged Agents group.
    The Agent will get assigned to first matching group next time it connects to SAM.
