For non-admin user, following additional steps are required to run the Snare Enterprise Agent.
This page is applicable to:
Snare Enterprise Agent for Windows
Snare Enterprise Agent for Windows Desktop
Snare Enterprise Agent for Windows with Event Collection (WEC)
Prior to installation
Grant non-admin service account "Log on as a Service" rights. The details are given here https://learn.microsoft.com/en-us/system-center/scsm/enable-service-log-on-sm?view=sc-sm-2022
Non-admin service account is a member of Event Log Readers
Full Permissions to the following registry keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\Application
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\System
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My
After installation
Full Permissions to the following registry key for Snare Enterprise and Snare Desktop:
HKEY_LOCAL_MACHINE\SOFTWARE\InterSect Alliance\AuditService
Full Permissions to the following registry key for Snare WEC:
HKEY_LOCAL_MACHINE\SOFTWARE\InterSect Alliance\SnareWEC
A restart of the Snare service is required after that
Further more, with non-admin user, these settings from General Configuration page will not work
Allow SNARE to automatically set audit configuration?
Use Advanced Auditing
Including for 'Any event(s)' audit policies
Allow Snare to automatically set auditing of file/folder and registry for FAM/RAM policies?
Allow SNARE to automatically set max event log cache size
Enable active USB auditing
IIS Log Flushing?