Objectives - An Overview
What is an Objective?
An objective is a generic name for an interactive report, which performs a specific task or implements a set of analysis rules that are intended to derive useful information from event log data that is collected by Snare Central.
In most circumstances, the term 'Objective' refers to the set of clickable items found in the 'Reports' section of Snare Central - these are generally known as 'Modular Objectives'. However, the term 'objective' is also used interchangeably for items in the 'Status' and 'System' sections.
Modular Objectives
The objectives that are found within the 'Reports' section of the Snare Central user interface are known as 'Modular Objectives'. A modular objective is highly configurable, and generally includes:
- A query builder that allows you to create very complex search criteria, incorporating precedence, logical operations, and advanced matching capabilities.
- A 'Token' definition system that can pull fields contained within particular consistent patterns, out of a larger string.
- A range of potential output modules, such as 15-minute pattern maps, tabular event data, graphs, and so on.
- The ability to be scheduled to run on a regular, defined basis, and the potential to send output via electronic mail to data owners, system administrators, network administrators, and security administrators.
- Real-time reporting capabilities for events that match the search criteria.
Modular objectives are discussed in more detail below.
System and Status Objectives
The objectives found in the Status area of Snare Central generally provide overview information on total collection volumes and speeds, and checks associated with the health of Snare Central and its associated agents. The System area provides access to objectives that perform general system administrative tasks, or facilitate agent management activities.
What is an Event?
Snare objectives create reports based on events that are generated by servers, workstations, applications or appliances. An event in Snare is a significant occurrence that is used to track or benchmark an organisation's performance or security. All events used in Snare will express the following properties:
The first characteristic of an event is that it occurs at a point in time. Time is very important, as events are time dependent. All events in Snare are time tracked, and in many objectives the organisation of events is based wholly on the time of their occurrence.
Example
Events can be grouped, or referred to, based on the type of event.
Example
Within an event group, the actual occurrence is given an event name using data from the actual event.
Example
Any system information available at the time of the event can also be stored; what is stored is objective/event dependent. Shown below is a very generalized example of an event, which does not reflect the nature or structure of the data stored by Snare.
Example
12:35am 19/09/03 # Snare Central Security : User login # Denied User 'joe.bloggs' bad password.
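As an added illustration (not Snare Central's own code), the following Python parses lines in the generalized layout shown above and builds the kind of 15-minute pattern map mentioned under Modular Objectives, optionally restricted by simple search criteria. The field separators, the date format and the sample events are assumptions constructed for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the page's illustrative "time # group : name # details"
# layout. The page notes this layout does not mirror Snare's real storage format.
SAMPLE_EVENTS = [
    "12:35am 19/09/03 # Snare Central Security : User login # Denied User 'joe.bloggs' bad password.",
    "12:41am 19/09/03 # Snare Central Security : User login # Denied User 'joe.bloggs' bad password.",
    "12:52am 19/09/03 # Snare Central Security : User login # Accepted User 'joe.bloggs'.",
    "01:03am 19/09/03 # Snare Central System : Agent heartbeat # Agent 'ws-12' reported in.",
]


def parse_event(line):
    """Split one line into its time, event group, event name and detail fields."""
    time_part, group_name, details = [p.strip() for p in line.split(" # ", 2)]
    group, name = [p.strip() for p in group_name.split(" : ", 1)]
    when = datetime.strptime(time_part, "%I:%M%p %d/%m/%y")  # assumed timestamp format
    return {"time": when, "group": group, "name": name, "details": details}


def matches(ev, group=None, name=None, detail_substring=None):
    """Minimal stand-in for an objective's search criteria: every given field must match."""
    return ((group is None or ev["group"] == group)
            and (name is None or ev["name"] == name)
            and (detail_substring is None or detail_substring in ev["details"]))


def pattern_map(lines, bucket_minutes=15, **criteria):
    """Count matching events per (group, name) in each time bucket, keyed by bucket start."""
    counts = defaultdict(Counter)
    for line in lines:
        ev = parse_event(line)
        if not matches(ev, **criteria):
            continue
        minute = ev["time"].minute - ev["time"].minute % bucket_minutes
        bucket = ev["time"].replace(minute=minute, second=0, microsecond=0)
        counts[bucket][(ev["group"], ev["name"])] += 1
    return counts


if __name__ == "__main__":
    for bucket, per_event in sorted(pattern_map(SAMPLE_EVENTS).items()):
        for (group, name), n in sorted(per_event.items()):
            print(f"{bucket:%Y-%m-%d %H:%M}  {group} : {name}  x{n}")
```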
Working with Objectives
Objectives on Snare Central, whether modular, or otherwise, generally share two common features - the ability to set access controls, and the ability to configure the objective. There are some exceptions; for example, the 'System Status' objective within the 'Status' area, does not offer any configuration options.
Accessing Objectives
The objective navigation panel provides a tree-like view of the set of objectives that are available to you. Access controls, set by the Snare Central Administrator, may limit your view of objectives to a subset of those available.
To access an objective, single-left-click on either the text, or the icon associated with the objective you wish to display. The objective panel will update with the output from the objective as at its most recent regeneration point.
Configuring Objectives
Once you have accessed an objective by clicking on its icon or title within the objective navigation panel, the 'Configuration' button in the top panel can be clicked to modify the settings associated with the objective.
Once clicked, a new dialog will appear in the objective navigation panel. Configuration settings for modular objectives will be covered in more detail later in this document, but configuration dialogs will generally share the following common components:
- A title that tells you which objective you are currently changing.
- A series of form elements that will allow you to change settings associated with the objective.
- A "Set" button, to confirm the actions you have undertaken.
- A "Cancel" button, which will revert the objective configuration back to its previously saved state.
Scheduling an Objective
Objectives can be configured to automatically regenerate on a periodic basis. Click on the 'Schedule' button in the top panel, in order to modify both the regeneration schedule for an objective, and also the users and/or groups who should receive an electronic mail message in the event that the objective produces data.
Objectives can be configured to regenerate:
- Hourly
- Daily
- Weekly
- Monthly
- Quarterly
- Yearly, or
- Once only, at a specified year, month, date and time (5 minute granularity).
In addition, each schedule configuration option has some additional flexibility available; for example, the 'Hourly' setting can be modified so that the objective always regenerates at 40 minutes past the hour. A 'Weekly' objective can be forced to regenerate every Tuesday, at 3:05 PM.
Each objective can have its own email distribution list. It is also possible to specify that emails are only sent out if there is something to report for that objective. Electronic mail can be sent either to all members of a Snare Central group, or individual recipients can be specified.
Regenerating an Objective
In addition to scheduling an objective to be regenerated, a user can interactively submit the currently displayed objective for immediate regeneration by clicking on the Regenerate / Refresh icon. This will add the objective to the regeneration queue, and display the Queue dialog to track progress.
Objective Queue
The Snare Central objective queue dialog can be accessed by the 'Queue' icon in the top panel. It will also automatically appear when the currently displayed objective is manually added to the regeneration queue by clicking the 'Regenerate' button as discussed above.
When an objective is in the regeneration queue, the Queue icon will also turn red to signify that one or more objectives are currently regenerating.
The Queue dialog lists the six objectives that are currently highest in the regeneration queue. For those objectives that are actively regenerating, the following information, and options, are presented:
- The objective title, and icon.
- A 'Terminate Objective' button, which will halt regeneration of the objective.
- For modular objectives, an 'Interactive Results' button, which will attempt to display a snapshot of the results that are currently being retrieved from the Snare Central data store.
- A progress bar that shows the approximate completion state of the objective.
- Information on:
- When the regeneration process was started.
- The time taken for the previous regeneration of this objective.
- An estimated completion time (absolute, and elapsed).
- Any status updates delivered by the objective.
For objectives that are not yet regenerating, the following information, and options, are presented:
- The objective title, and icon.
- A 'Remove from Queue' button, which will delete the objective from the regeneration queue.
Information on how many objectives are currently in the regeneration queue, but are not displayed in the current dialog, is also available at the bottom of the dialog window.
When the currently displayed objective is either in the regeneration queue, or actively regenerating, a notification will also appear in the top-right-hand corner of the objective panel.
Access Control
Every objective created on Snare Central can be individually secured so that only authorized staff have access to it. Access is granted at group level; therefore, a user must be attached to a group in order to view or change an objective.
One of two levels can be granted:
- Write access. This provides a user with the ability to change the configuration settings for the objective.
- Read access. This provides a user with access to view the output of this objective, and also regenerate the objective.
In addition, users who create or clone an objective are identified as the owner of the objective. Both the owner and Snare Central administrators have the ability to:
- Delete the objective, and
- Add new users to the objective.
How To...
How to change a group's access rights.
- In Select a Snare group, select the group. The information in 'Access Control Settings' will update.
- Select the appropriate access level check box.
- Click the Set button. The new settings take effect immediately.
In situations where access controls need to be applied to an entire folder of objectives, recursively, the 'Reports' navigation panel offers a 'Folder Permissions' menu option when you right-click on a folder.
Selecting the "Folder Permissions" option will generate a dialog box that lists the Groups that are currently defined on Snare Central, and provides the opportunity to add or remove groups from the 'Read' or 'Configure' capabilities.
Objective Documentation
Objective documentation is available at the top of the main objective output panel. By default, the objective will display text that has been either:
- Hard coded in Snare Central, for the particular log source from which the objective derives its data, or
- Encoded with the actual objective, in the case of objectives that have been imported from the InterSect Alliance objective download area.
However, objective documentation can be added to, or modified, by those who have the ability to configure an objective. Double-clicking on the text of the documentation will bring up an editable field that provides basic word-processor style functionality, such as font sizes, colours, and weights.
Clicking on the green 'Tick', will save the current documentation. The red 'cross' will cancel the current edits.