Snare can forward log data to Securonix using their pre-configured parsers. This guide outlines the steps to configure the Snare agent, along with links to the Securonix documentation on how to finalise configuration within Securonix itself.
Follow the steps outlined in Agent Installation - Snare Windows Agent v5 Documentation (Confluence) to install the Snare agent.
Once the agent is installed, log in to the web UI (https://localhost:6161) and select “Destination configuration”.
Under the “Network Destinations” section, enter the domain/IP address and port of the Snare Reflector, and ensure that Format is set to “Snare” and “Delimiter Character” to “Tab”.
Configure the Snare Reflector with the following policies, specifying for each log type the destination port configured in Securonix:
Datasource | Format in Reflector | Filter value (include) | Filter comments
---|---|---|---
Apache Web Server | Syslog RFC 3164 | ApacheLog |
Microsoft ADFS | Raw | AD FS/Admin |
Microsoft Defender | Raw | Microsoft-Windows-Windows Defender/Operational |
Microsoft DHCP | Syslog RFC 3164 | MSSQL\$MICROSOFT##WID\|MSSQLSERVER | Replace MSSQLSERVER with instance name
Microsoft DNS Server | Syslog RFC 3164 | MSDNSServer |
Microsoft Exchange Parser | Syslog RFC 3164 | ExchangeLog |
Microsoft IIS Server | Syslog RFC 3164 | IISWebLog |
Microsoft Windows Powershell | Syslog RFC 3164 | Microsoft-Windows-PowerShell/Operational |
Microsoft Windows Snare Application | | |
Microsoft Windows Snare Security | | |
Microsoft Windows Snare System | | |
Microsoft Windows Sysmon | | |
Microsoft Windows Sysmon | | |
RADIUS_NPS | | |
Windows MSSQL Via Syslog SNARE | | |
Windows MSSQL Via Syslog SNARE | | |
Note: Securonix provides various parsers for log data generated and sent from Snare; details can be found at the links below.
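To make the routing in the table above concrete, here is an added example (not Snare's or Securonix's own code) that takes tab-delimited Snare records, applies a Reflector-style include filter per datasource (with `|` as alternation, as in the MSSQL row), and emits the record either raw or wrapped in a Syslog RFC 3164 header for the matching port. The simplified field layout, the port numbers and the sample records are assumptions constructed for the example.

```python
import re
from datetime import datetime

# Policies from the table above; ports are placeholders for the ones configured in Securonix.
# The MSSQL include value is written without the table's markdown escape ('\$').
POLICIES = {
    "Microsoft Windows Powershell": ("Syslog RFC 3164", "Microsoft-Windows-PowerShell/Operational", 5141),
    "Microsoft Defender": ("Raw", "Microsoft-Windows-Windows Defender/Operational", 5142),
    "Windows MSSQL Via Syslog SNARE": ("Syslog RFC 3164", "MSSQL$MICROSOFT##WID|MSSQLSERVER", 5143),
}

def compile_include(filter_value):
    # '|' separates literal alternatives (as in the MSSQL row); everything else matches verbatim.
    return re.compile("|".join(re.escape(a) for a in filter_value.split("|")))

COMPILED = {name: (fmt, compile_include(flt), port) for name, (fmt, flt, port) in POLICIES.items()}

def parse_snare(line):
    # Assumed (simplified) Snare tab-delimited layout:
    # host, "MSWinEventLog", criticality, log name, counter, timestamp, event id, source name, message
    f = line.rstrip("\n").split("\t")
    if len(f) < 9 or f[1] != "MSWinEventLog":
        return None
    return {"host": f[0], "log_name": f[3], "time": f[5], "event_id": f[6], "source": f[7], "message": f[8]}

def to_rfc3164(ev, body, facility=1, severity=6):
    # <PRI>Mmm dd hh:mm:ss HOST TAG: payload, carrying the whole Snare record as the payload.
    dt = datetime.strptime(ev["time"], "%a %b %d %H:%M:%S %Y")
    return f"<{facility * 8 + severity}>{dt:%b} {dt.day:2d} {dt:%H:%M:%S} {ev['host']} MSWinEventLog: {body}"

def route(line):
    # Returns (datasource, port, payload) for the first policy whose include filter matches, else None.
    ev = parse_snare(line)
    if ev is None:
        return None
    body = line.rstrip("\n")
    for name, (fmt, rx, port) in COMPILED.items():
        if rx.search(ev["log_name"]) or rx.search(ev["source"]):
            return name, port, body if fmt == "Raw" else to_rfc3164(ev, body)
    return None

# Constructed sample records (not captured from a real host).
SAMPLE_EVENTS = [
    "WS01\tMSWinEventLog\t1\tMicrosoft-Windows-PowerShell/Operational\t42\tThu Mar 14 10:22:01 2024\t4104\tMicrosoft-Windows-PowerShell\tCreating Scriptblock text (1 of 1)",
    "WS01\tMSWinEventLog\t1\tMicrosoft-Windows-Windows Defender/Operational\t43\tThu Mar 14 10:22:05 2024\t1001\tMicrosoft-Windows-Windows Defender\tScan completed",
    "DB01\tMSWinEventLog\t1\tApplication\t44\tThu Mar 14 10:22:09 2024\t18456\tMSSQLSERVER\tLogin failed for user 'sa'",
    "WS01\tMSWinEventLog\t1\tSecurity\t45\tThu Mar 14 10:22:12 2024\t4624\tMicrosoft-Windows-Security-Auditing\tAn account was successfully logged on",
]

if __name__ == "__main__":
    for rec in SAMPLE_EVENTS:
        print(route(rec))
```

The last sample record matches no policy and is dropped, which is the behaviour to check for when a log type expected in Securonix never arrives: the include filter must match the event log name or source name exactly as Snare writes it.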