Overview
The Snare advanced events search capability allows you to build structured queries using the Snare Query Language (SnareQL) to search for events. You can specify criteria that will allow you to narrow down
- If you don't have complex search criteria, you may want to use the simple search instead;
- If you are not comfortable with the Jira Query Language (JQL), you may want to use basic search instead.
Note, JQL is not a database query language, even though it uses SQL-like syntax.
Snare Central provides close to 150 pre-configured reports to meet common security and compliance needs of our customers.
On top of these, custom reports can be created.
The reports are organised in containers that can be nested. The reports and containers are ordered alphabetically, with containers on top.
By default, the reports will contain objectives relating to:
Active Scanning
- Example: Scan the local network, and report on hosts and open ports that are found.
- Example: Connect to the organisational border router and download the current configuration settings. Compare these settings to an authorised baseline configuration, and highlight any changes that have been made.
Application Audit
- Example: Display a list of inappropriate material that has been accessed through the organisational proxy server.
- Example: List users who have utilised the UNIX 'SUDO' command.
Network
- Example: Display a geographic map of IP addresses that have been denied access by the organisational Checkpoint Firewall.
- Example: Report on the top ten hosts that have initiated a port scan against the organisation, as reported by the gateway network intrusion detection system.
Operating Systems
- Example: Generate a real-time alert when a user outside an authorised list attempts to access a sensitive file on a Windows file server.
- Example: Send a daily email to security administrators if the list of users in the Domain Administrators group changes.
Snare Central
- Example: Display a report that shows users who have modified the configuration of any Snare Central objectives.
User and Group Snapshots
- Example: Based on the information provided by the Snare Agent for Solaris, produce a report showing any unauthorised members of the 'sensitivedata' UNIX group.
The reports page offers the ability to:

| Action | Description |
|---|---|
| Search reports and containers by their name | |
| Sort all reports and containers by name in ascending or descending order | |
| Add new container | A new container is a temporary item that only exists for the duration of the current logged-in user's session (two hours by default), and will not be visible to other users of Snare Central. It will not become permanent, or visible to other users, until you add an objective to the container. |
| Add new report (objective) | By default, the new objective will be configured with very simple settings. You can then select the objective and proceed with changing the configuration, access controls, or schedule settings to your requirements. |
| Drag and drop containers and reports | Rearranging the location of an objective or container changes the location for all users of Snare, not just your account. |
| Clone, rename or delete a report (objective) | Click the ellipsis (...) in the report line and select from the actions list. Snare Central does not enforce uniqueness of the objective name: you can potentially have two objectives with exactly the same name that have different configurations, access controls, and scheduling. However, to limit confusion, it is advisable to give an objective a unique and descriptive name. When you choose the Delete option, a dialog will appear notifying you that the objective will be removed for ALL USERS of Snare Central. You will be asked for confirmation before proceeding. Selecting the Delete button in the dialog removes the objective and its associated configuration settings. |
| Rename, recursively delete, or export the contents of a container | Click the ellipsis (...) in the container line and select from the actions list. |
Dynamic Search
Search for events using a search-engine style interface across multiple log sources with 'Dynamic Search'. Dynamic Search may be used to quickly sift through information across multiple log sources, at the expense of completeness. The following filters are available for this tool:
Note that data that arrives at the Snare Server may take up to fifteen minutes to process and become available for this objective.
Custom reports can be generated using the Modular Objectives mechanism (also known as 'Dynamic Query objectives').
They will generally include the following components:
- A query builder that allows you to create very complex search criteria, incorporating precedence, logical operations, and advanced matching capabilities.
- A 'Token' definition system that pulls fields that appear in consistent patterns out of an event of interest.
- A range of potential output modules, such as 15-minute pattern maps, tabular event data, graphs, and so on.
- The ability to be scheduled to run on a regular, defined basis, and the potential to send output via electronic mail to data owners, system administrators, network administrators, and security administrators.
- Real-time reporting capabilities for events that match the search criteria.
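As an added illustration (not Snare Central's own code, query language or template), the following Python model shows how the components listed above fit together in one report run: a token definition that pulls named fields out of a UNIX sudo event, a criteria tree that supports AND/OR/NOT precedence and several match operators, and a 15-minute pattern-map output module. It also covers the Application Audit example above of listing users who have used the 'SUDO' command. The sample log lines, the field names, the authorised-user list and the tuple format of the criteria are all constructed for this example and are not Snare's syntax.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in syslog/sudo style (not real Snare data).
SAMPLE_EVENTS = [
    "Mar  3 09:02:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    "Mar  3 09:04:40 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log",
    "Mar  3 09:17:05 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=postgres ; COMMAND=/usr/bin/psql",
    "Mar  3 09:31:52 db01 sshd[4412]: Accepted publickey for carol from 10.0.0.5 port 51022 ssh2",
    "Mar  3 09:33:10 db01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/cat /etc/shadow",
]

# Hypothetical 'token' definition: one named regex that extracts the fields of
# interest from a sudo event. Lines that do not fit the pattern are skipped.
SUDO_TOKEN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)


def tokenize(line, year=2024):
    """Return a dict of named fields for a sudo event, or None if the line does not match."""
    m = SUDO_TOKEN.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    # syslog timestamps carry no year, so the caller supplies it.
    fields["ts"] = datetime.strptime(f"{year} {fields['ts']}", "%Y %b %d %H:%M:%S")
    return fields


def matches(fields, criteria):
    """Evaluate a criteria tree: ('AND'|'OR', *subtrees), ('NOT', subtree),
    or a leaf (field, operator, value) with operators ==, !=, contains, regex.
    Nesting gives explicit precedence, so no operator-priority rules are needed."""
    head = criteria[0]
    if head == "AND":
        return all(matches(fields, c) for c in criteria[1:])
    if head == "OR":
        return any(matches(fields, c) for c in criteria[1:])
    if head == "NOT":
        return not matches(fields, criteria[1])
    field, operator, value = criteria
    actual = str(fields.get(field, ""))
    if operator == "==":
        return actual == value
    if operator == "!=":
        return actual != value
    if operator == "contains":
        return value in actual
    if operator == "regex":
        return re.search(value, actual) is not None
    raise ValueError(f"unknown operator {operator!r}")


def run_objective(lines, criteria, year=2024):
    """Tokenise every line and keep the events that satisfy the criteria."""
    events = (tokenize(line, year) for line in lines)
    return [f for f in events if f is not None and matches(f, criteria)]


def sudo_users(lines):
    """Application Audit style report: the users who have used sudo at all."""
    return sorted({f["user"] for f in run_objective(lines, ("user", "!=", ""))})


def pattern_map(events, key="host", bucket_minutes=15):
    """Output module: count matching events per key value per 15-minute slot."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in events:
        slot = f["ts"].replace(
            minute=(f["ts"].minute // bucket_minutes) * bucket_minutes, second=0, microsecond=0
        )
        counts[f[key]][slot] += 1
    return {k: dict(v) for k, v in counts.items()}


# Constructed objective: root-level sudo use by anyone outside an authorised list.
AUTHORISED_ROOT_SUDO = ("OR", ("user", "==", "alice"), ("user", "==", "bob"))
UNAUTHORISED_ROOT_SUDO = ("AND", ("target", "==", "root"), ("NOT", AUTHORISED_ROOT_SUDO))

if __name__ == "__main__":
    print("sudo users:", sudo_users(SAMPLE_EVENTS))
    for f in run_objective(SAMPLE_EVENTS, UNAUTHORISED_ROOT_SUDO):
        print(f"{f['ts']:%H:%M} {f['host']} {f['user']} -> {f['target']}: {f['command']}")
    root_events = run_objective(SAMPLE_EVENTS, ("target", "==", "root"))
    for host, slots in pattern_map(root_events).items():
        print(host, {s.strftime("%H:%M"): n for s, n in slots.items()})
```

The sshd line is dropped by the token definition rather than by the criteria, which is the point of separating the two: a token decides which events are even parseable, and the criteria tree decides which parsed events are reported. Scheduling and e-mail delivery are not modelled here; the functions return plain lists and dicts so the same run could feed a tabular output, a pattern map, or a real-time alert.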
Objective Templates
Snare includes a range of 'templates' (often referred to as an 'Objective Type' in the Snare Central user interface) to make the job of a security administrator easier when crafting a new objective.
These templates are hard-coded in Snare Central, may pre-define custom search criteria for you, will sometimes include custom code to perform tasks, and may be updated and expanded on each release of Snare Central. More information on Objective Templates is available below.