Objectives - An Overview
What is an Objective?
An objective is the generic name for an interactive report that performs a specific task, or implements a set of analysis rules, in order to derive useful information from the event log data collected by Snare Central.
In most circumstances, the term 'Objective' refers to the set of clickable items found in the 'Reports' section of Snare Central; these are generally known as 'Modular Objectives'. However, the term is also applied to the items in the 'Status' and 'System' sections.
Modular Objectives
The objectives found within the 'Reports' section of the Snare Central user interface are known as 'Modular Objectives' or 'Dynamic Query Objectives'. A modular objective is highly configurable, and generally includes:
- A query builder that allows you to create very complex search criteria, incorporating precedence, logical operations, and advanced matching capabilities.
- A 'Token' definition system that can pull fields contained within particular consistent patterns, out of a larger string.
- A range of potential output modules, such as 15-minute pattern maps, tabular event data, graphs, and so on.
- The ability to be scheduled to run on a regular, defined basis, and the potential to send output via electronic mail to data owners, system administrators, network administrators, and security administrators.
- Real-time reporting capabilities for events that match the search criteria.
Modular objectives are discussed in more detail below.
System and Status Objectives
The objectives found in the Status area of Snare Central generally provide overview information on total collection volumes and speeds, and checks associated with the health of the Snare Central server and its associated agents. The System area provides access to objectives that perform general system administrative tasks, or facilitate agent management activities.
What is an Event?
Snare objectives create reports based on events (or logs) generated by servers, workstations, applications or appliances. An event in Snare is a significant occurrence that is used to track or benchmark an organisation's performance or security. Events in Snare generally have the following properties:
- Date / Time
  - The date/time information is a critical component of an event. It provides chronological context to a series of events that may be related to a security incident, or it may itself be a direct and significant indicator of an incident when coupled with other fields.
  - Example: a user login may be a normal occurrence during the day; however, a user logging in at 1am may be considered worthy of further investigation, and is therefore important to keep track of.
- System
  - The source system that generates the event.
- Event Type
  - Events are generated by a particular operating system, application, service, or device.
  - Some sources will also subdivide events into subtypes, such as "Windows Security" or "Apache Error Log".
- EventID
  - Most events will include information on the 'class' of an event. For example: "Login", "TCP Connection", "File Access", or "Virus Detected".
- Result
  - Most events will include information on the result/status of an event, for example: Login FAILED, TCP connection DENIED, File access SUCCESS.
- Event-Specific Features
  - Other features of an event are highly dependent on the event type / event ID. For example:
    - Firewall logs will usually include source IP address, destination IP address, source port, and destination port.
    - Web Server or Proxy Server logs will usually include the Uniform Resource Locator (URL) of the requested destination.
    - Operating system logs will usually include the username of the user who is responsible for the event.
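As an added example, not code from the Snare Central product or this guide, the following Python script takes a handful of constructed event records, splits them into the generic properties listed above, pulls event-specific features out of the free-text portion with regular-expression 'tokens' in the spirit of the token definition system mentioned under Modular Objectives, and applies one analysis rule: the out-of-hours login from the example above. The pipe-delimited record layout, the sample lines, the token patterns and the 00:00 to 06:00 quiet window are all assumptions made for this example, not Snare's event format or defaults.

```python
"""Parse constructed event records into the generic event properties
(date/time, system, event type, event ID, result, event-specific features),
extract tokens from the free-text portion, and run one analysis rule.

The record layout and sample lines are constructed for this example; they are
not Snare's wire format and do not come from a Snare Central objective.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed layout: date/time | system | event type | event ID | result | free text
SAMPLE_EVENTS = """\
2024-03-04 09:12:31|fs01|Windows Security|Login|SUCCESS|user=alice src=10.0.0.12 logontype=10
2024-03-04 01:03:55|fs01|Windows Security|Login|SUCCESS|user=backupsvc src=10.0.0.50 logontype=3
2024-03-04 01:04:10|fw-edge|Firewall|TCP Connection|DENIED|src=203.0.113.7:51022 dst=10.0.0.5:3389
2024-03-04 01:07:42|web01|Apache Error Log|File Access|FAILED|user=- url=/admin/config.php
2024-03-04 02:15:00|dc01|Windows Security|Login|FAILED|user=alice src=198.51.100.9 logontype=10
"""

# Token definitions: a field name and the pattern that pulls it out of the free text.
# The names and patterns are assumptions for this example.
TOKENS = {
    "user": re.compile(r"\buser=(?P<v>\S+)"),
    "src_ip": re.compile(r"\bsrc=(?P<v>\d{1,3}(?:\.\d{1,3}){3})"),
    "dst_port": re.compile(r"\bdst=\d{1,3}(?:\.\d{1,3}){3}:(?P<v>\d+)"),
    "url": re.compile(r"\burl=(?P<v>\S+)"),
}


@dataclass
class Event:
    timestamp: datetime
    system: str
    event_type: str
    event_id: str
    result: str
    features: dict = field(default_factory=dict)


def parse_event(line: str) -> Event:
    """Split one record into the generic properties and tokenise the free text."""
    ts, system, etype, eid, result, text = line.split("|", 5)
    features = {}
    for name, pattern in TOKENS.items():
        m = pattern.search(text)
        if m:
            features[name] = m.group("v")
    return Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                 system, etype, eid, result, features)


def parse_events(blob: str) -> list:
    """Parse every non-empty line of a record blob."""
    return [parse_event(line) for line in blob.splitlines() if line.strip()]


# Analysis rule: a login at 1am is worth a second look. The quiet window is an
# assumption for this example, not a Snare default.
QUIET_START, QUIET_END = time(0, 0), time(6, 0)


def out_of_hours_logins(events: list) -> list:
    """Successful logins whose timestamp falls inside the quiet window."""
    return [
        e for e in events
        if e.event_id == "Login" and e.result == "SUCCESS"
        and QUIET_START <= e.timestamp.time() < QUIET_END
    ]


if __name__ == "__main__":
    for e in out_of_hours_logins(parse_events(SAMPLE_EVENTS)):
        print(f"{e.timestamp:%H:%M} {e.system} user={e.features.get('user')} "
              f"from {e.features.get('src_ip')}")
```

The rule deliberately keys on the Event ID and Result fields rather than on free text, so it is unaffected by how a given source phrases its detail string; the token patterns are the only part that has to change per log source.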
Working with Objectives
Objectives on Snare Central, whether modular or otherwise, generally share three common features - the ability to set access controls, the ability to schedule the objective to run at a later or regular time, and the ability to configure the objective. There are some exceptions; for example, the 'System Status' objective within the 'Status' area, does not offer any configuration options.
Accessing Objectives
The objective navigation component provides a tree-like view of the set of objectives that are available to you. Access controls, set by the Snare Central Administrator, may limit your view of objectives to a subset of those available.
To access an objective, single-left-click on the name of the objective you wish to display. The main Snare Central output panel will update with the output of that objective as at its most recent regeneration.
Configuring Objectives
Once you have accessed an objective, the 'Configuration' button in the top panel can be clicked to modify the settings associated with the objective.
Once clicked, a new dialog will appear. Configuration settings for modular objectives will be covered in more detail later in this document, but configuration dialogs will generally share the following common components:
- A title that tells you which objective you are currently changing.
- A series of form elements that will allow you to change settings associated with the objective.
- A "Set" button, to confirm the actions you have undertaken.
- A "Cancel" button, which discards the current edits and leaves the objective configuration in its previously saved state.
Scheduling an Objective
Objectives can be configured to automatically regenerate on a periodic basis. Click on the 'Schedule' button in the top panel, in order to modify both the regeneration schedule for an objective, and also the users and/or groups who should receive an electronic mail message in the event that the objective produces data.
Objectives can be configured to regenerate:
- Hourly
- Daily
- Weekly
- Monthly
- Quarterly
- Yearly, or
- Once only, at a specified year, month, date and time (5 minute granularity).
In addition, each schedule configuration option has some additional flexibility available; for example, the 'Hourly' setting can be modified so that the objective always regenerates at 40 minutes past the hour. A 'Weekly' objective can be forced to regenerate every Tuesday, at 3:05 PM.
Each objective can have its own email distribution list. It is also possible to specify that emails are only sent out if there is something to report for that objective. Electronic mail can be sent either to all members of a Snare Central group, or individual recipients can be specified.
Regenerating an Objective
In addition to scheduling an objective to be regenerated, a user can interactively submit the currently displayed objective for immediate regeneration by clicking on the Regenerate / Refresh icon. This will add the objective to the regeneration queue, and display the Queue dialog to track progress.
Objective Queue
The Snare Central objective queue dialog can be accessed by the 'Queue' icon in the top panel.
The Queue dialog lists the objectives nearest the head of the regeneration queue. For those objectives that are actively regenerating, the following information and options are presented:
- The objective title, and icon.
- A 'Terminate' button, which will halt regeneration of the objective.
- A progress bar that shows the approximate completion state of the objective.
- Information on:
- When the regeneration process was started.
- The time taken for the previous regeneration of this objective.
- An estimated completion time (absolute, and elapsed).
- Any status updates delivered by the objective.
For objectives that are not yet regenerating, the following information, and options, are presented:
- The objective title, and icon.
- A 'Remove from Queue' button, which will delete the objective from the regeneration queue.
Information on how many objectives are currently in the regeneration queue, but are not displayed in the current dialog, is also available at the bottom of the dialog window.
When the currently displayed objective is either in the regeneration queue, or actively regenerating, a notification will also appear in the top-right-hand corner of the objective panel.
Access Control
Every objective created on Snare Central can be individually secured so that only authorized staff have access to it. Access is granted at group level; therefore, a user must be attached to a group in order to view or change an objective.
One of two levels can be granted:
- Write access. This provides a user with the ability to change the configuration settings for the objective.
- Read access. This provides a user with access to view the output of this objective, and also regenerate the objective.
In addition, users who create or clone an objective are identified as its owner. Both the owner and Snare Central administrators have the ability to:
- Delete the objective, and
- Add new users to the objective.
How To..
How to change a group's access rights.
- In 'Select a Snare group', select the group. The information in 'Access Control Settings' will update.
- Select the appropriate access level check box.
- Click the 'Set' button. The new settings take effect immediately.
In situations where access controls need to be applied to an entire folder of objectives, recursively, the 'Manage Access Controls' objective in the System / Administrative tools folder, will provide this capability.
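The rules above can be stated as an authorisation check. The Python below is an added illustration, not Snare Central's implementation: it models group-level Read and Write grants, the owner and administrator rights to delete an objective or add users to it, and the recursive application of a folder's settings. The data model, the assumption that Write also permits viewing and regenerating, and the assumption that only an owner or administrator may change a group's rights are choices made for this example.

```python
"""Authorisation model for the objective access controls described above.

Constructed for this example; it is not Snare Central's code. Assumptions:
Write also permits viewing and regenerating, and only the owner or an
administrator may change a group's rights on an objective.
"""
from dataclasses import dataclass, field
from typing import Optional

READ, WRITE = "read", "write"


@dataclass
class User:
    name: str
    groups: set
    is_admin: bool = False


@dataclass
class Objective:
    title: str
    owner: str
    acl: dict = field(default_factory=dict)       # group name -> READ or WRITE
    children: list = field(default_factory=list)  # sub-objectives when this is a folder


def level_for(user: User, obj: Objective) -> Optional[str]:
    """Highest level any of the user's groups holds on the objective."""
    levels = {obj.acl[g] for g in user.groups if g in obj.acl}
    if WRITE in levels:
        return WRITE
    return READ if READ in levels else None


def can(user: User, action: str, obj: Objective) -> bool:
    """Decide one action; anything not explicitly granted is denied."""
    if action in ("delete", "add_user"):
        return user.is_admin or user.name == obj.owner
    lvl = level_for(user, obj)
    if action in ("view", "regenerate"):
        return lvl in (READ, WRITE)   # Read grants these; Write assumed to include Read
    if action == "configure":
        return lvl == WRITE
    return False


def descendants(obj: Objective) -> list:
    """Every objective below a folder, depth first."""
    out = []
    for child in obj.children:
        out.append(child)
        out.extend(descendants(child))
    return out


def set_group_access(actor: User, obj: Objective, group: str, level: str,
                     recursive: bool = False) -> None:
    """Change a group's rights on an objective, optionally down a folder tree.

    The permission check runs over every target before anything is written, so
    a recursive change is applied completely or not at all.
    """
    if level not in (READ, WRITE):
        raise ValueError(f"unknown access level {level!r}")
    targets = [obj] + (descendants(obj) if recursive else [])
    denied = [t.title for t in targets if not can(actor, "add_user", t)]
    if denied:
        raise PermissionError(f"{actor.name} may not change access on: {', '.join(denied)}")
    for t in targets:
        t.acl[group] = level


if __name__ == "__main__":
    admin = User("root", {"admins"}, is_admin=True)
    folder = Objective("Reports", owner="carol", acl={"soc": WRITE},
                       children=[Objective("Logins", owner="alice", acl={"soc": READ})])
    set_group_access(admin, folder, "helpdesk", READ, recursive=True)
    for o in [folder] + descendants(folder):
        print(o.title, o.acl)
```

Because the decision function denies anything it does not recognise, the useful tests after an access-control change are the negative ones: a group granted Read must not be able to configure, and a user who is neither owner nor administrator must not be able to delete or extend access.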
Objective Documentation
Objective documentation is available at the top of the main objective output panel. By default, the objective will display text that has been either:
- Hard coded in Snare Central, for the particular log source from which the objective derives its data, or
- Encoded with the actual objective, in the case of objectives that have been imported from the InterSect Alliance objective download area.
However, objective documentation can be added to, or modified, by those who have the ability to configure an objective. Double-clicking on the documentation text brings up an editable field that provides basic word-processor style functionality, such as font sizes, colours, and weights.
Clicking on the green 'tick' saves the current documentation; the red 'cross' cancels the current edits.