Modular Objectives

Overview

Modular objectives are the core of Snare's analysis capabilities. They are found within the 'Reports' section of the Snare Central user interface, and are highly configurable. They will generally include the following components:

  • A query builder that allows you to create very complex search criteria, incorporating precedence, logical operations, and advanced matching capabilities.
  • A 'Token' definition system that can extract fields that appear within particular consistent patterns from an event of interest.
  • A range of potential output modules, such as 15-minute pattern maps, tabular event data, graphs, and so on.
  • The ability to be scheduled to run on a regular, defined basis, and the potential to send output via electronic mail to data owners, system administrators, network administrators, and security administrators.
  • Real-time reporting capabilities for events that match the search criteria.

Objective Templates

Snare includes a range of 'templates' (often referred to as an 'Objective Type' in the Snare Central user interface) to make the job of a security administrator easier when crafting a new objective.

These templates are hard-coded in Snare Central, may pre-define custom search criteria for you, will sometimes include custom code to perform tasks, and may be updated and expanded on each release of Snare Central. More information on Objective Templates is available below.

Arranging

The Reports objective navigation panel provides an interactive tree, allowing you to not only view the objectives that are available, but also to rearrange objectives in a custom structure.

Although Snare Central presents the objectives in alphabetical order (containers first, then objectives), you can:

  • Create new containers in which to store objectives.
  • Move objectives from one container to another.
  • Move containers to another container, or back to the root of the tree.


Rearranging the location of an objective or container will change the location for all users of Snare - not just your account.

When you expand or contract a particular container within the Reports area, Snare will save this information, so that the same settings will be applied next time you log in.

Creating

Creating a New Container

At the base of the Reports objective navigation panel is the "Add new Container" link (item 1, in the navigation graphic to the right). Clicking this link will create a container called "New Container", which will be inserted into the navigation tree in the appropriate alphabetised position (item 2, in the navigation graphic to the right).

A new container is a temporary item that only exists for two hours, and will not be visible to other users of Snare Central. It will not become permanent, or visible to other users, until you add an objective to the container.



Creating a New Objective

Near the base of the Reports objective navigation panel is the "Add new Objective" link (item 1, in the navigation graphic to the right). Clicking this link will create a new objective (called 'New Objective'), which will be inserted into the navigation tree in the appropriate alphabetised position (item 2, in the navigation graphic to the right).

By default, the new objective will be configured with very simple settings.

Once the objective is visible on your navigation panel, you can select it using your left mouse button, and change the configuration, access controls, or schedule settings to your requirements.




Cloning

Right-clicking on an existing modular objective will raise a pop-up menu (otherwise known as a 'context menu'). From the menu, you can select the 'Clone' option in order to make a functional copy of the objective you selected.

Once you have clicked the clone option, the new objective will be added to the Reports navigation panel, with the name of the original objective appended with '-Clone' (eg: "Test Objective" will become "Test Objective-Clone"). A new dialog will appear in the main objective display panel, giving you the opportunity to rename the objective.

Renaming

From the pop-up menu that appears when you right-click, the 'Rename' option lets you change the name of an objective or a container. Enter a new name for the objective or folder, and click the 'Rename' button to complete the process.

Figure: Renaming an Objective

Each objective has a unique 'Objective ID'. Since it is the objective ID that is used by Snare Central to differentiate objectives, you can potentially have two objectives with exactly the same name that have different configurations, access controls, and scheduling. Although Snare will be happy to allow this, in order to limit confusion, it may be worth avoiding this practice.

Renaming a container takes a little longer than renaming an objective, since Snare has to recursively search through the contents of the container, and modify the path of each objective contained therein.

Removing

Individual Objectives

When you choose the 'Delete' option from the context menu, a dialog will appear, notifying you that the objective will be removed for ALL USERS of Snare Central, and will ask for confirmation before proceeding.

Selecting the 'Delete' button from the dialog will remove the objective and its associated objective configuration settings.

Figure: Removing an Objective

Containers

Right-clicking on a container will allow you to remove all objectives within the container that your Snare Central user account has permission to remove.

A dialog will appear, notifying you that the objectives will be removed for ALL USERS of Snare Central, and will ask for confirmation before proceeding.

In a situation where you have chosen to remove a container, but you do not have permission to remove some or all of the underlying objectives, Snare Central will check each objective for authorisation, and only remove those that you are authorised to delete. In this case, the original container will remain after the process has completed.

Figure: Removing a Container

Icon

Snare generally selects an icon for an objective by examining (in descending priority order):

  • The icon associated with the objective from which the current objective has been cloned.
  • The icon for the 'Objective Type' (eg: Windows logins) from which the objective is descended.
  • The icon for the 'log type' (eg: Windows Security) that the objective scans.


However, you can set a specific custom icon for an objective by choosing the 'Change Icon' option from the objective context menu. A dialog that provides a selection of icons will appear on the main objective panel. Choose the 'Select' button to finalise the selection.

Figure: Changing the Icon for an Objective
