Reports

Overview


Snare Central provides over 650 pre-configured reports to meet common security and compliance needs of our customers.
On top of these, custom reports can be created.

The reports are organised in containers that can be nested. The reports and containers are ordered alphabetically, with containers on top.


By default, the reports will contain objectives relating to:

Active Scanning

  • Example: Scan the local network, and report on hosts and open ports that are found.
  • Example: Connect to the organisational border router and download the current configuration settings. Compare these settings to an authorised baseline configuration, and highlight any changes that have been made.


Application Audit

  • Example: Display a list of inappropriate material that has been accessed through the organisational proxy server.
  • Example: List users who have utilised the UNIX 'SUDO' command.


Network

  • Example: Display a geographic map of IP addresses that have been denied access by the organisational Checkpoint Firewall.
  • Example: Report on the top ten hosts that have initiated a port scan against the organisation, as reported by the gateway network intrusion detection system.


Operating Systems

  • Example: Generate a real-time alert when a user outside an authorised list attempts to access a sensitive file on a Windows file server.
  • Example: Send a daily email to security administrators, if the list of users in the Domain Administrators group changes.


Snare Central

  • Example: Display a report that shows users who have modified the configuration of any Snare Central objectives.


User and Group Snapshots

  • Example: Based on the information provided by the Snare Agent for Solaris, produce a report showing any unauthorised members of the 'sensitivedata' UNIX group.

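The two snapshot-driven examples above (a daily alert when the Domain Administrators group changes, and a report of unauthorised members of the 'sensitivedata' group) both reduce to comparing group membership sets. The following is an added illustration of that logic over constructed snapshot data; it is not Snare Central code, and the snapshot structure and host name are assumptions.

```python
"""Group-membership checks over constructed snapshot data.

Added illustration, not Snare Central code: alert on membership changes
between two snapshots and flag members missing from an authorised list.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """One collected snapshot: group name -> set of member names."""
    host: str
    groups: dict


def membership_changes(previous, current, group):
    """Return (added, removed) member lists for `group` between snapshots."""
    before = previous.groups.get(group, set())
    after = current.groups.get(group, set())
    return sorted(after - before), sorted(before - after)


def unauthorised_members(snapshot, group, authorised):
    """Members of `group` that are not on the authorised list."""
    return sorted(snapshot.groups.get(group, set()) - authorised)


def daily_alerts(previous, current, watched):
    """Alert lines for each watched group.

    `watched` maps group name -> authorised set, or None to report
    membership changes only. Nothing is emitted when nothing changed."""
    alerts = []
    for group, authorised in watched.items():
        added, removed = membership_changes(previous, current, group)
        if added or removed:
            alerts.append(f"{current.host}: {group} changed +{added} -{removed}")
        if authorised is not None:
            bad = unauthorised_members(current, group, authorised)
            if bad:
                alerts.append(f"{current.host}: unauthorised in {group}: {bad}")
    return alerts


# Constructed sample snapshots (not real data).
YESTERDAY = Snapshot("host01", {"Domain Administrators": {"alice", "bob"},
                                "sensitivedata": {"alice"}})
TODAY = Snapshot("host01", {"Domain Administrators": {"alice", "bob", "mallory"},
                            "sensitivedata": {"alice", "carol"}})
WATCHED = {"Domain Administrators": None, "sensitivedata": {"alice"}}

if __name__ == "__main__":
    for line in daily_alerts(YESTERDAY, TODAY, WATCHED):
        print(line)
```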

The reports page offers the ability to:

Search reports and containers by their name
Use the 'Back to Search Results' link in the Reports breadcrumbs area to return to your search results.

Filter reports by their configured Criticality level: Critical/High/Medium/Low.

Sort all reports and containers by name in Ascending or Descending order

Add new container
As of version 8.6.2, a container can be created at any hierarchical level as long as the user has Change permissions to the parent container.
In earlier versions, a container could only be created at the root level of the Reports, and then had to be dragged and dropped to the desired location.

A new container is a temporary item that only exists for the duration of the currently logged-in user's session (i.e. two hours by default), and will not be visible to other users of Snare Central. It will not become permanent, or visible to other users, until you add a report to the container.

Add new report

By default, the new report (objective) will be configured with very simple settings. You can then select the report and change the configuration, access controls, or schedule settings based on your requirements.


Drag and drop containers and reports

Rearranging the location of a report, or container, will change the location for all users of Snare Central, not just your account.

Clone, rename or delete a report by clicking the ellipsis (...) in the report line and selecting the appropriate action ('Clone', 'Rename' or 'Delete') from the actions list.

Snare Central does not enforce uniqueness of the report name: you can potentially have two reports with exactly the same name that have different configurations, access controls, and scheduling. However, in order to limit confusion, it is advisable to give each report a unique and descriptive name.

When you choose the Delete option, a dialog will appear, notifying you that the report (objective) will be removed for ALL USERS of Snare Central. You will be asked for confirmation before proceeding.

Selecting the Delete button from the dialog will remove the report and its associated report configuration settings.

Rename, recursively delete, or export the contents of a container, by clicking the ellipsis (...) in the container line and selecting the appropriate action from the actions list.

If you attempt to remove a container, but you do not have permission to remove some or all of the underlying reports, Snare Central will check each report for authorisation, and only remove those that you are authorised to delete. If any objectives remain after this action has completed, the original container will remain.
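The per-report authorisation check described above is easy to get wrong in a nested hierarchy (a sub-container that keeps an unauthorised report must also keep its parent). The following is an added model of that behaviour, not Snare Central's implementation; the ACL representation (a set of users allowed to delete each report) and the sample hierarchy are assumptions.

```python
"""Model of the recursive container delete described above.

Added illustration, not Snare Central's implementation; the ACL model
(a set of users allowed to delete each report) is an assumption.
"""
from dataclasses import dataclass, field


@dataclass
class Report:
    name: str
    deleters: set  # users authorised to delete this report


@dataclass
class Container:
    name: str
    reports: list = field(default_factory=list)
    children: list = field(default_factory=list)


def remove_container(container, user):
    """Recursively remove whatever `user` is authorised to delete.

    Returns (removed_report_names, container_kept). Sub-containers are
    handled first; a container is kept when any objective remains."""
    removed = []
    for child in list(container.children):
        child_removed, kept = remove_container(child, user)
        removed.extend(child_removed)
        if not kept:
            container.children.remove(child)
    for report in list(container.reports):
        if user in report.deleters:
            container.reports.remove(report)
            removed.append(report.name)
    return removed, bool(container.reports or container.children)


def build_sample():
    """Constructed hierarchy: 'alice' may not delete 'Domain Admin changes'."""
    inner = Container("Windows", [Report("Failed logons", {"alice", "bob"}),
                                  Report("Domain Admin changes", {"bob"})])
    return Container("Operating Systems", [Report("SUDO usage", {"alice"})], [inner])


if __name__ == "__main__":
    tree = build_sample()
    removed, kept = remove_container(tree, "alice")
    print("removed:", removed, "| container kept:", kept)
```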


Custom reports can be generated using a modular objectives mechanism (also known as 'Dynamic Query objectives').
Reports will generally include the following components:

  • A query builder that allows you to create very complex search criteria, incorporating precedence, logical operations, and advanced matching capabilities.
  • A 'Token' definition system that can pull fields out of an event when they appear within particular, consistent patterns.
  • A range of potential output modules, such as 15-minute pattern maps, tabular event data, graphs, and so on.
  • The ability to be scheduled to run on a regular defined basis, and the potential to send output via electronic mail to data owners, system administrators, network administrators, and security administrators.
  • Real-time reporting capabilities for events that match the search criteria.

Objective Templates

Snare includes a range of 'templates' (often referred to as an 'Objective Type' in the Snare Central user interface) to make the job of a security administrator easier when crafting a new objective.

These templates are hard-coded in Snare Central, may pre-define custom search criteria for you, will sometimes include custom code to perform tasks, and may be updated and expanded on each release of Snare Central. More information on Objective Templates is available below.