Report Templates

The following modular objective templates can be used as a basis for your own objectives.

The objective type may be changed by configuring your objective and selecting 'Change Type' in the top right corner. This will display a list of Objective Types to select from.

Win Security

  • Oracle Server
    • Oracle Start Stop Log
      • Display Oracle startup and shutdown events.


  • Windows File Objectives
    • Windows Object Permission Changes
      • Monitor permission changes to a file or directory that is considered sensitive. Note that to use this objective, the Snare agents must be configured to report on event 4670.
    • Windows File Access
      • Monitor access to files and directories that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to report on file accesses.


  • User Login
    • Type 3 and Type 10 Network logins
      • This objective displays Windows Type 3 host to host network logins and Type 10 RDP network logins.
    • User Interactive Logins and Logoffs
      • This objective is used to monitor interactive account login and logoff events. This includes workstation locked/unlocked events and screen saver invoked/dismissed events.
    • Failed User Logins
      • This objective is used to monitor failed user login actions on Windows servers.
    • User Login
      • This objective is used to monitor user login actions on Windows servers.


  • Administrative Actions
    • Service was installed
      • This objective displays when a service is installed on the system.
    • Audit Log Cleared
      • This objective checks to see if the Windows event logs were cleared. Note that the Snare Agent must be configured to collect these events. The clearing of an event log may indicate that a user is attempting to cover their tracks.
    • Local Account added to Administrators
      • This objective displays Windows local accounts that have been added to the Local Administrators Group.
    • Startup Run Tasks Alert
      • This objective displays when the Run and RunOnce registry keys have been modified.
    • Changes to the Audit Policy
      • Although the Snare for Windows agent is able to configure the host's audit subsystem, this objective keeps an eye on events which indicate an attempt to change the underlying audit configuration. Changes to the underlying audit subsystem may indicate a user that is attempting to hide their "tracks", or attempting to obscure their (potentially) unauthorized activity.
    • Account Creation and Deletion on Windows and ACF2
      • This objective displays any differences between Windows and ACF2 account creation details. In particular, the objective will display:
        1) Account creation and removal for ACF2 that does not have a corresponding create/remove for Windows, and
        2) Account creation and removal for Windows that does not have a corresponding create/remove for ACF2.
    • Group Member Changes
      • This objective shows changes to the members of sensitive Windows Groups.
    • Scheduled task was created
      • This objective displays when a new scheduled task has been created.
    • Account Creation and Deletion
      • This objective displays Windows accounts (in specified domains) that have been recently created or deleted.
    • User Modifications
      • This objective shows modifications to specified sensitive Windows users.
    • Group Creation and Deletion
      • This objective displays Windows groups that have been recently created or deleted.
    • Privilege Escalation
      • This objective displays Windows user rights changes to allow monitoring for escalation of user privileges.
    • Group Modifications
      • This objective shows modifications to specified sensitive Windows groups.


  • Process Objectives
    • New Process Created
      • Monitor when new processes are created.
    • Windows Process Access
      • Monitor access to applications that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to report on process execution.

Win Application

  • Administrative Activity
    • Application Crash
      • This objective is used to monitor crashed applications.
    • NetIQ User Administrative Activity
      • This objective is used to monitor user administrative activity using the NetIQ product.
    • NetIQ Group Administrative Activity
      • This objective is used to monitor group administrative activity using the NetIQ product.
    • EMET Failures
      • This objective is used to monitor error messages from Microsoft's Enhanced Mitigation Experience Toolkit.
    • Windows File Protection
      • The Windows File Protection service monitors critical system files and attempts to prevent unauthorized software from modifying or replacing these files. This objective is used to monitor WFP warning events.
    • NetIQ Administrative Activity
      • This objective is used to monitor administrative activity using the NetIQ product.

Win System

  • Administrative Actions
    • Windows 2008R2 Non-Security Audit Log Cleared
      • This objective checks to see if the Windows Application, System or another non-security event log was cleared. Note that the Snare agent must be configured to collect these events.
    • Audit Log Corrupt
      • Display Windows machines that have reported a corrupt event log, during the reporting period. Corrupt event log reporting is only available in Snare for Windows version 3.0.0 and above.

Linux Audit

  • User Login
    • User Login
      • This objective is used to monitor user login actions on Linux servers.


  • Process Objectives
    • Executing a Process
      • This objective is used to monitor access to processes or applications that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to collect process events.


  • File Objectives
    • Accessing a File
      • This objective is used to monitor access to files that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to collect file events.


  • Account Management Objectives
    • Account Management
      • This objective is used to monitor account management actions on Linux servers. Note that the Linux audit subsystem will only generate events when an account or group is modified using account management binaries. Situations where a root user manually modifies the /etc/passwd or /etc/group files will not be detected by this objective.
    • User Account Management
      • This objective is used to monitor user account management actions on Linux servers. Note that the Linux audit subsystem will only generate events when an account or group is modified using account management binaries. Situations where a root user manually modifies the /etc/passwd or /etc/group files will not be detected by this objective.
    • Group Account Management
      • This objective is used to monitor group account management actions on Linux servers. Note that the Linux audit subsystem will only generate events when an account or group is modified using account management binaries. Situations where a root user manually modifies the /etc/passwd or /etc/group files will not be detected by this objective.

SOCKS Log

  • User Authentication
    • Failed Authentication
      • This objective looks for failed authentication events from a SOCKS server.

MS DNS Server

  • MSDNSServer
    • Microsoft DNS Server Logs. DNS over TCP
      • This objective is used to monitor suspicious DNS-over-TCP usage.
    • Microsoft DNS Server Logs. DNS Server Failure
      • This objective is used to monitor DNS server response failures.
    • Microsoft DNS Server Logs. DNS Client IP Find
      • This objective is used to retrieve DNS traffic to or from a given IP address.
    • Microsoft DNS Server Logs. NXDOMAIN
      • This objective is used to monitor DNS queries for non-existent domains (NXDOMAIN) only.

Universal Log

  • Report Access
    • Reading Reports
      • This objective allows you to search for reports that have been read.


  • Search Analysis
    • Query Term Analysis
      • This objective allows you to monitor the search terms used in Universal Log data, based on a 'Query' event in the 'Message' field.


  • User Login
    • User Login
      • This objective allows you to monitor user logins reported in the Universal Log data.


  • Report Prints
    • Print Reports
      • This objective allows you to search for reports that have been printed.

Solaris BSM

  • File Access
    • Access to Sensitive Files
      • Monitor access to files and directories that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to report on file accesses.


  • User Login
    • User Login
      • This objective is used to monitor user login actions on Solaris servers.


  • User Privilege Escalation
    • Access to a target account
      • This objective is used to monitor access to a target account through the /bin/su utility.
    • Failed access to a user account
      • This objective is used to monitor failed access to a target account through the /bin/su utility.


  • Process Objectives
    • Executing a Process
      • This objective is used to monitor access to processes or applications that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to collect process events.

RACF Log

  • User Login
    • User Logins
      • This objective displays information relating to RACF user logins.


  • Object Access
    • Access to RACF Resources
      • This objective monitors access to RACF resources that are considered to be sensitive. A ReturnCode of 0 implies a failed attempt to access the resource. Use the RESOURCE field to narrow your search criteria.

Configuration Check

  • CISCO Configuration Checker
    • CISCO Pix/Router Configuration Checker
      • Compare the current CISCO Pix or Router configuration to an authorized version. The objective will attempt to connect to the device using the 'telnet' protocol and display the current configuration. The current configuration will also be compared against an authorized 'Master' and changes will be highlighted. Two passwords in the "Configure" section (connect, and enable) are used to retrieve the configuration.

Network Mapper

  • Network Mapping and Vulnerability Scan
    • Network Mapper
      • This objective allows you to scan your network for open services. New systems, or systems with unauthorized ports, will be highlighted for your attention. In addition, an optional network security scan can be conducted against any hosts that are found. The report may be displayed in tabular format, which is useful for the analysis of many hosts on any given network. In both "iconized" and "tabular" formats, an authorized "port list" can be configured on a host-by-host basis. Future scans against the host in question will highlight any changes in port activation or deactivation. The network scanner can be configured to scan TCP and/or UDP port ranges.

        UDP scanning is very slow and should be used with care. This is because UDP will always have to wait for a timeout to determine if a port is closed. If this timeout is too short, then it will miss valid ports and not correctly report. This objective uses the free Open Source tool Nmap, which is used to determine the open ports on one or more hosts. Further details are available from: http://www.insecure.org/

User/Group Snapshot

  • Account Flags
    • Account Flags
      • This objective displays those users who have settings configured on their account that are considered sensitive or important from a security viewpoint. These attributes are queried on a regular basis by connecting to specified Snare Agents. The updated information will be displayed in these reports, on a scheduled basis, as required by the users of these objectives.


  • Account Expiry
    • Account Expiry
      • This objective displays account expiry settings (in days) by system and/or domain. Please note that this objective requires Snare for Windows version 2.6.2 or later. For accounts retrieved from the Windows Active Directory interface, the objective reports the current maximum time since any non-expired user has changed their password, which should generally provide an approximation of probable server password expiry settings in most circumstances.


  • Sensitive Groups
    • Sensitive Groups
      • This objective takes snapshots of the applicable group memberships and compares them to a specified list to report on authorized and unauthorized group members. The Snare Central will regularly query the specified server(s) to determine the members of all groups. This is then used by these objectives to determine which users have been authorized to be members of this group, and which are not.

Tru64 Audit

  • User Login
    • User Login
      • This objective is used to monitor user login actions on Tru64 servers.


  • File Access
    • Access to Sensitive Files
      • Monitor access to files and directories that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to report on file accesses.


  • User Privilege Escalation
    • User access to a target account
      • This objective is used to track access to a target account through the /bin/su utility.

Gauntlet Firewall Log

  • Electronic Mail
    • Electronic Mail events
      • The Gauntlet firewall generates events based on the email addresses that have been sent through the firewall. This objective allows the user to report on email information derived from the Gauntlet Firewall logs.

ACF2 Log

  • Account Administration
    • Changes to Accounts
      • This objective displays information relating to ACF2 account modifications. ACF2 logs can be collected from an IBM MVS mainframe, and analysed using the Snare Central. The logs from the ACF2 mainframe are collected via FTP or SCP file transfer into the /data/SnareCollect/ACF2Log/ directory on the Snare Central.
    • Accounts Created or Deleted
      • This objective displays those ACF2 users on an MVS host which have been created or deleted.
    • Changes to Flags
      • For each CHANGE, DELETE or INSERT, this objective displays the details of the ACF2 changes on an MVS host.


  • Object Access
    • Access to the ACF2 Resources
      • This objective monitors access to MVS resources that are considered to be sensitive. Use the RESOURCE field to narrow your search criteria. A ReturnCode of VIOLATION, or *VIO, indicates a failed attempt to access the resource.
    • Access to the INFOSTORE database
      • The Infostore database (ACF60STO) is a sensitive repository of ACF2 information. This objective displays events relating to user access to the INFOSTORE database.


  • User Login Failures
    • User Login Failures
      • This objective displays information relating to ACF2 user login failures.


  • Rule Changes
    • ACF2 Rule Changes
      • This objective displays events relating to changes to ACF2 rules. The ability to change ACF2 rules on MVS systems indicates privileged access, so this objective monitors anyone who has been modifying these rules. Changes to ACF2 rules (on those MVS systems that use ACF2) should be carefully monitored to ensure only authorized users are undertaking authorized activity. This objective maintains a view of the actions undertaken in this security management activity.

Object Access

  • Object Access
    • Access to Lotus Notes Resources
      • This objective monitors access to Lotus Notes Database Resources. Use the OBJECT field to narrow your search criteria.
    • Access to the ACF2 Resources
      • This objective monitors access to ACF2 Objects that are considered to be sensitive. Use the OBJECT field to narrow your search criteria.

PIX Log

  • Authentication
    • User Authentication events
      • Display user authentication events.

SonicWall

  • Packet Logs
    • Dropped Packets
      • Display events that have a category that indicates dropped packets.

Apple BSM

  • Process Objectives
    • Executing a Process
      • This objective is used to monitor access to processes or applications that are considered to be sensitive. Note that to use this objective, the Snare agents must be configured to collect process events.


  • User Privilege Escalation
    • Failed access to a user account
      • This objective is used to monitor failed access to a target account through the /bin/su utility.
    • Access to a target account
      • This objective is used to monitor failed access to a target account through the /bin/su utility.


  • User Login
    • User Login
      • This objective is used to monitor user login actions on Apple servers.


  • File Access
    • Access to Sensitive Files
      • Monitor access to files and directories that are considered to be sensitive. Note that to use this objective, the Snare agents must be configured to report on file accesses.

AIX Audit

  • Process Objectives
    • Executing a Process
      • This objective is used to monitor access to processes or applications that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to collect process events.


  • User SU
    • User access to the root account
      • This objective is used to monitor access to the root account through the /bin/su utility.


  • User Login
    • User Login
      • This objective is used to monitor user login actions on AIX servers. Note that FTP access is also counted as a 'login', but protocols such as SSH or VNC may not generate a login event. It is important that the 'Configure' section of the objective be used to define from which system(s) the login events are required, so that the user(s) of this objective are not flooded with too many login events. This will especially be the case in agencies that are of a significant size, and are collecting events from numerous AIX hosts.


  • File Access
    • Access to Sensitive Files
      • Monitor access to files and directories that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to report on file accesses.

Nortel VPN Router

  • Configuration Changes
    • Configuration Changes
      • This objective will watch for configuration changes to Nortel VPN Routers - such as the creation, destruction, or modification of particular configuration items.


  • Authentication Events
    • Failed Logins
      • This objective will scan for failed attempts to access the VPN device by searching for events that include "Failed Login Attempt" or "failed to log in".
    • Successful Logins
      • This objective will scan for successful logins to the VPN device by searching for events that include "logged in from", "logged into group" or "login by using".

IP Tables Firewall

  • Non-Local Network Connections
    • Dropped Non-Local Network Connections
      • Display dropped packets that have a source address of a routable IP block.
    • Accepted Non-Local Network Connections
      • Display non-dropped packets that have a source address of a routable IP block.


  • Local Network Connections
    • Accepted Local Network Connections
      • Display non-dropped packets that have a source address of a non-routable IP block.
    • Dropped Local Network Connections
      • Display dropped packets that have a source address of a non-routable IP block.

Browser

  • Browser Objectives
    • Access to Social Media and Related Sites
      • Scan for access to social media and related sites. Please unlock this objective, and modify according to your requirements.
    • Cookie Modifications
      • Display cookie related events from Snare Browser agents.
    • Inappropriate material
      • Display inappropriate material, accessed through a browser.

        INAPPROPRIATE CONTENT MAY BE DISPLAYED WITH THIS RANDOM SAMPLE.

        The images are linked directly to the target site. This means that your UserID will download the images through your proxy server (if enabled), which means you may appear in your own logs.

        Please also note that:
        1) The originating user may not have deliberately accessed the content in question - it may have been a popup caused by a rogue web site, and
        2) The image may no longer exist on the target site, in which case, you will receive a 'no image' placeholder within your web browser.
    • Messages from installed Snare Browser Agents
      • Display configuration change and agent restart messages from Snare Browser agents.

F5 Violations

  • Special Alerts
    • Violation Reports
      • Display events tagged as violations, from F5 ASM logs.

Generic Syslog

  • Session Information
    • Monitor Session Growth
      • This objective can be used to monitor session volume notification events from custom applications that report the data to Snare Central. The output component included with this objective will trigger when the number of sessions grows by a predetermined amount per source server. Notification events are assumed to be delivered in 1 minute intervals.


  • User Privilege Escalation
    • User Privilege Escalation through SU and Sudo
      • This objective looks for SU or Sudo log entries in the Generic Syslog log source.

NetScreen Firewall

  • Special Alerts
    • Large ICMP Packet Notifications
      • Display Large ICMP Packet notifications from Netscreen Firewalls.
    • Port Scan Notifications
      • Display port scan notifications from Netscreen Firewalls.
    • IP Spoofing Notifications
      • Display IP spoofing notifications from Netscreen Firewalls.

Oracle

  • Oracle Server
    • Oracle SYSTEM Usage
      • Display activity for users with SYSDBA and SYSOPER privileges.
    • Oracle User Session Audit
      • Display all user Activity for given DBUSER.
    • Oracle Audit Events
      • Display Generic Oracle Activity.
    • Oracle Password Change Audit
      • Display Password Change Events for all users.
    • Oracle Security Audit
      • Display Potentially Dangerous SQL Events.

PAN Firewall

  • Special Alerts
    • Threat Reports
      • Display threat-related events from Palo Alto Network Firewalls.

Irix SAT

  • File Access
    • Access to Sensitive Files
      • Monitor access to files and directories that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to report on file accesses.


  • User Login
    • User Login
      • This objective is used to monitor user login actions on Irix servers. Note that FTP access is also counted as a 'login', but protocols such as SSH or VNC may not generate a login event.


  • User SU
    • User access to the root account
      • This objective is used to monitor access to the root account through the /bin/su utility.


  • Process Objectives
    • Executing a Process
      • This objective is used to monitor access to processes or applications that are considered to be sensitive.


  • Administrative Activity
    • Successful Mount or Unmount Activity
      • This objective monitors the mounting or unmounting of disk volumes on Irix. This may be useful in those instances where it is required that access to specific volumes (such as floppy disks) be closely monitored.
    • General Administrative Tasks
      • This objective reports on selected Irix audit events which indicate general administrative activity, such as sat_chroot, sat_mount, sat_clock_set, sat_hostname_set, sat_domainname_set, sat_hostid_set, sat_control, sat_bsdipc_snoop_ok, sat_bsdipc_snoop_fail, and sat_ae_audit.

Web Log

  • Proxy Server Objectives
    • Inappropriate material accessed through a proxy server
      • Display inappropriate material, accessed through an organisational proxy server, by searching for a range of defined words, in the URLs that are logged by a proxy server.

        INAPPROPRIATE CONTENT MAY BE DISPLAYED WITH THIS RANDOM SAMPLE.

        The images are linked directly to the target site. This means that your UserID will download the images through your proxy server (if enabled), which means you may appear in your own logs.
        Please also note that:
        1) The originating user may not have deliberately accessed the content in question - it may have been a popup caused by a rogue web site, and
        2) The image may no longer exist on the target site, in which case, you will receive a 'no image' placeholder within your web browser.
    • Proxy Server Logs
      • Query Proxy Server Logs.


  • Web Server Objectives
    • Suspicious URL Access on your web servers
      • Display URLs that are generally associated with cross site scripting attacks.

FortiGate Log

  • Unclassified FortiGate
    • Unclassified FortiGate-Event Sub Type Reports
      • Display unclassified FortiGate Event sub type-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency).
    • Unclassified FortiGate Log Type Reports
      • Display unclassified FortiGate log type-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency).
    • Unclassified FortiGate-Traffic Sub Type Reports
      • Display unclassified FortiGate Traffic sub type-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency).
    • Unclassified FortiGate-UTM Sub Type Reports
      • Display unclassified FortiGate UTM sub type-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency).


  • Attack Reports
    • Alert Attack Reports
      • Display alert attack-related events from FortiGate UTM-Anomaly subtype.
    • Attack Reports
      • Display attacks-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-Anomaly subtype.
    • Critical Attack Reports
      • Display critical attack-related events from FortiGate UTM-Anomaly subtype.
    • Emergency Attack Reports
      • Display emergency attack-related events from FortiGate UTM-Anomaly subtype.
    • Error Attack Reports
      • Display error attack-related events from FortiGate UTM-Anomaly subtype.
    • Warning Attack Reports
      • Display warning attack-related events from FortiGate UTM-Anomaly subtype.


  • Antivirus Reports
    • Antivirus Reports
      • Display virus-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-Antivirus subtype.


  • File Type Reports
    • Executable File Reports
      • Display executable files-related events from FortiGate UTM-Antivirus subtype. Please unlock this objective and modify the filename extension according to your requirements.
    • Website Reports
      • Display website-related events from FortiGate UTM-Antivirus subtype. Please unlock this objective and modify the domain extension according to your requirements.


  • App Ctrl Reports
    • Application Control Reports
      • Display application-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-Application Control subtype.


  • Service Reports
    • Web Service Reports
      • Display web services-related events from FortiGate UTM-Application Control subtype.


  • CIFS Reports
    • CIFS Reports
      • Display file system-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-CIFS subtype.


  • File Type Reports
    • Image Reports
      • Display image-related events from FortiGate UTM-CIFS subtype.


  • DLP Reports
    • DLP Reports
      • Display data leaks/loss-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-DLP subtype.


  • Data File Reports
    • Image Reports
      • Display file-related events from FortiGate UTM-DLP subtype. Please unlock this objective and modify the filetype according to your requirements.


  • DNS Reports
    • DNS Reports
      • Display DNS-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-DNS subtype.


  • Email Filter Reports
    • DNS Reports
      • Display email filter-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-Email Filter subtype.


  • Error Event Reports
    • Error Event Reports
      • Display error-related events from FortiGate UTM-Email Filter subtype.


  • Connector Reports
    • Connector Reports
      • Display connector-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-Connector subtype.


  • Object Addition Reports
    • Object Addition Reports
      • Display object addition-related events from FortiGate Event-Connector subtype.


  • Endpoint Reports
    • Endpoint Reports
      • Display endpoint-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-Endpoint subtype.


  • Operation Reports
    • Error Operation Reports
      • Display error-related events from FortiGate Event-Endpoint subtype.
    • Successful Add Operation Reports
      • Display successful add-related events from FortiGate Event-Endpoint subtype.
    • Successful Close Operation Reports
      • Display successful close-related events from FortiGate Event-Endpoint subtype.


  • Authorization Reports
    • Authorized Activity Reports
      • Display authorized activity-related events from FortiGate Event-FortiExtender subtype.
    • Unauthorized Activity Reports
      • Display unauthorized activity-related events from FortiGate Event-FortiExtender subtype.


  • Connection Reports
    • Connected Activity Reports
      • Display connected activity-related events from FortiGate Event-FortiExtender subtype.
    • Disconnected Activity Reports
      • Display disconnected activity-related events from FortiGate Event-FortiExtender subtype.


  • FortiExtender Reports
    • Endpoint Reports
      • Display FortiExtender-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-FortiExtender subtype.


  • HA Reports
    • HA Reports
      • Display HA-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-HA subtype.


  • Router Reports
    • Router Reports
      • Display router-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-Router subtype.


  • Health Check Reports
    • Health Check Reports
      • Display health check-related events from FortiGate Event-SDWAN subtype.


  • SDWAN Reports
    • SDWAN Reports
      • Display SDWAN-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-SDWAN subtype.


  • Security Rating Reports
    • Security Rating Reports
      • Display security rating-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-Security Rating subtype.


  • Login Reports
    • Failed Login Reports
      • Display failed login-related events from FortiGate Event-System subtype.
    • Successful Login Reports
      • Display successful login-related events from FortiGate Event-System subtype.
    • User Login Reports
      • Display login-related events from FortiGate Event-System subtype.


  • System Reports
    • System Reports
      • Display system-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-System subtype.


  • Authentication Reports
    • Failed Authentication Reports
      • Display failed authentication-related events from FortiGate Event-User subtype.
    • Successful Authentication Reports
      • Display successful authentication-related events from FortiGate Event-User subtype.
    • User Authentication Reports
      • Display user authentication-related events from FortiGate Event-User subtype.


  • User Reports
    • User Reports
      • Display user-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-User subtype.


  • Login Reports
    • Failed SSL Login Reports
      • Display failed SSL login-related events from FortiGate Event-VPN subtype.


  • VPN Reports
    • VPN Reports
      • Display VPN-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-VPN subtype.


  • WAD Reports
    • WAD Reports
      • Display WAD-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-WAD subtype.


  • Error Log Reports
    • Failed DNS Service Reports
      • Display non-existing domain-related events from FortiGate Event-Wireless subtype.
    • Failed FT Request Action Reports
      • Display invalid FT request action-related events from FortiGate Event-Wireless subtype.
    • Failed FT Authentication Action Reports
      • Display invalid FT request authentication-related events from FortiGate Event-Wireless subtype.


  • Wireless Reports
    • Wireless Reports
      • Display wireless-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-Wireless subtype.


  • File Reports
    • Blocked File Reports
      • Display blocked file-related events from FortiGate UTM-File Filter subtype.


  • File Filter Reports
    • File Filter Reports
      • Display file filter-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-File Filter subtype.


  • Service Reports
    • Denied Service Reports
      • Display denied service-related events carrying a DENY_CAUSE from FortiGate UTM-GTP subtype.


  • GTP Reports
    • GTP Reports
      • Display GTP-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-GTP subtype.


  • Access Reports
    • Blocked Access Reports
      • Display blocked access-related events from FortiGate UTM-ICAP subtype.


  • ICAP Reports
    • ICAP Reports
      • Display internet content-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-ICAP subtype.


  • IPS Reports
    • IPS Reports
      • Display IPS-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-IPS subtype.


  • Content Reports
    • Malicious Content Reports
      • Display malicious content-related events from FortiGate UTM-IPS subtype.


  • SSH Reports
    • SSH Reports
      • Display SSH-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-SSH subtype.


  • SSL Reports
    • SSL Reports
      • Display SSL-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-SSL subtype.


  • Traffic Reports
    • Closed Service Reports
      • Display closed service-related events from FortiGate Traffic log type.
    • Connection Error Reports
      • Display connection error-related events from FortiGate Traffic log type.
    • Denied HTTP Service Reports
      • Display denied HTTP service-related events from FortiGate Traffic log type.
    • Denied Service Reports
      • Display denied service-related events from FortiGate Traffic log type.


  • Forward Traffic Reports
    • Forward Traffic Reports
      • Display forward traffic-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Traffic-Forward subtype.


  • Local Traffic Reports
    • Local Traffic Reports
      • Display local traffic-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Traffic-Local subtype.


  • Multicast Traffic Reports
    • Multicast Traffic Reports
      • Display multicast traffic-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Traffic-Multicast subtype.


  • Sniffer Traffic Reports
    • Sniffer Traffic Reports
      • Display sniffer traffic-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Traffic-Sniffer subtype.


  • VoIP Reports
    • VoIP Reports
      • Display VoIP-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-VoIP subtype.


  • WAF Reports
    • WAF Reports
      • Display web app-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-WAF subtype.


  • Header Change Reports
    • HTTP Header Change Reports
      • Display HTTP header change-related events from FortiGate UTM-Web Filter subtype.


  • Web Filter Reports
    • Web Filter Reports
      • Display web-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-Web Filter subtype.

Cisco FTD Log

  • Security Event
    • Connection Event Reports
      • Connection Event Reports
        • Display connection start and end events.
    • Intrusion Attack Reports
      • Intrusion Attack Reports
        • Display intrusion attack events from Cisco FTD devices.
      • Intrusion Attack with High Priority Reports
        • Display intrusion attack events from Cisco FTD devices with high priority.
      • Intrusion Attack with Medium Priority Reports
        • Display intrusion attack events from Cisco FTD devices with medium priority.
      • Intrusion Attack with Low Priority Reports
        • Display intrusion attack events from Cisco FTD devices with low priority.
    • File Operation Reports
      • File Operations Reports
        • Display all file-related operations.
      • Regular Files Reports
        • Display all file operations that contain non-threat files.
      • Malware Files Reports
        • Display all file operations that were classified as malware files.
      • File Failure Reports
        • Display all file operations with fail results.
  • IPS - Intrusion Protection System
    • Shun Reports
      • Shun Addition Reports
        • Display all Shun addition operations for Cisco FTD.
      • Shun Deletion Reports
        • Display all Shun deletion operations for Cisco FTD.
      • Shun Fail Reports
        • Display all Shun failures for Cisco FTD devices.
  • IDS - Intrusion Detection System
    • Attack Reports
      • Host Attack Reports
        • Display reports of attacks originating from hosts.
      • Devices Under Attack Reports
        • Display report of Cisco FTD devices under attack.
    • Shun Reports
      • Shun Addition Reports
        • Display all hosts added to the shun list.
      • Shun Deletion Reports
        • Display all hosts removed from the shun list.
  • Application Firewall
    • Connection Status Reports
      • Dropped Connections
        • Display all dropped connections.
      • Reset Connections
        • Display all reset connections.
  • Transparent Firewall
    • Interface Updates Reports
      • Interface Updates
        • Display all successful interface updates by FTD.
    • Failure Reports
      • Locating Failures
        • Display all failures related to interface location attempts by FTD.
      • Routing Failures
        • Display all failures related to routing attempts by FTD.
  • User Authentication
    • CoA Reports
      • CoA Reports
        • Display all user authentication logs related to CoA - Change of Authorization.
    • Problematic Reports
      • Critical Reports
        • Display all user authentication logs with critical level severity.
      • Error Reports
        • Display all user authentication logs with error level severity and logs that have error messages.
      • Authentication Failure Reports
        • Display all user authentication logs that contain login failures or authentication failures.
  • Access List
    • Problematic Reports
      • Critical Reports
        • Display all access list logs with critical level severity.
      • Alert Reports
        • Display all access list logs with alert level severity.
      • Error Reports
        • Display all access list logs with error level severity.
      • Deny Reports
        • Display all access list logs that contain Deny operations and actions.
  • PKI Certification Authority
    • Problematic Reports
      • Critical Reports
        • Display all PKI certification authority logs with critical level severity.
      • Alert Reports
        • Display all PKI certification authority logs with alert level severity.
      • Error Reports
        • Display all PKI certification authority logs with error level severity and logs that have error messages.
      • Fail Reports
        • Display all PKI certification authority logs that contain Fail operations.
  • VPN Client
    • Problematic Reports
      • Error Reports
        • Display all VPN client logs with error level severity.
      • Fail Reports
        • Display all VPN client logs that contain Fail operations.
  • VPN Failover
    • VPN Unit Reports
      • Primary VPN Unit Reports
        • Display all VPN Failover logs related to Primary units.
      • Secondary VPN Unit Reports
        • Display all VPN Failover logs related to Secondary units.
    • Problematic Reports
      • Fail Reports
        • Display all VPN Failover logs that contain Fail operations.
  • WebVPN Failover
    • Operation Reports
      • WebVPN Session Reports
        • Display all WebVPN Failover logs related to WebVPN sessions.
      • HA Event Reports
        • Display all WebVPN Failover logs related to HA/High Availability events.
      • Access List Reports
        • Display all WebVPN Failover logs related to WebVPN specific access list operations.
    • Problematic Reports
      • Fail Reports
        • Display all WebVPN Failover logs that contain Fail operations.
  • SNMP
    • Problematic Reports
      • Error Reports
        • Display all SNMP logs with error level severity and logs that have error codes and messages.
      • Dropped Request Reports
        • Display all SNMP logs related to dropped or discarded requests.
      • Config Error Reports
        • Display all SNMP logs related to config errors.
  • Command Interface
    • Problematic Reports
      • Alert Reports
        • Display all Command Interface logs with a severity level of Alert.
      • Critical Reports
        • Display all Command Interface logs with a severity level of Critical.
      • Error Reports
        • Display all Command Interface logs with a severity level of Error.
  • EIGRP Routing
    • Problematic Reports
      • Error Reports
        • Display all EIGRP Routing logs with error level severity or that contain error messages.
  • FailOver
    • Command Reports
      • Command Related Reports
        • Display all Failover logs where a command string was executed.
    • Problematic Reports
      • Alert Reports
        • Display all Failover logs with a severity level of Alert.
      • Critical Reports
        • Display all Failover logs with a severity level of Critical.
      • Error Reports
        • Display all Failover logs with a severity level of Error, or that contain an error message.
    • Unit Mode Reports
      • Primary Unit Reports
        • Display all Failover logs related to Primary units.
      • Secondary Unit Reports
        • Display all Failover logs related to Secondary units.
  • IKE and IPSec
    • Problematic Reports
      • Error Reports
        • Display all IKE and IPSec logs with a severity level of Error, or that contain an error message.
    • Sub-classification Reports
      • Crypto Reports
        • Display all IKE and IPSec logs related to CRYPTO operations.
      • IKE Reports
        • Display all IKE and IPSec logs related to IKE operations.
      • IPSec Reports
        • Display all IKE and IPSec logs related to IPSEC operations.
      • Mode Configuration Reports
        • Display all IKE and IPSec logs related to MODE_CFG operations.
    • User Reports
      • User Reports
        • Display all IKE and IPSec logs that contain USER details.
  • IP Stack
    • Problematic Reports
      • Critical Reports
        • Display all IP Stack logs with a severity level of Critical.
      • Error Reports
        • Display all IP Stack logs with a severity level of Error, or that contain an error message.
    • Routing Related Reports
      • Newly Added Route Reports
        • Display all IP Stack logs for newly added network routes.
      • Updated Route Reports
        • Display all IP Stack logs for updated network routes.
  • OSPF Routing
    • Problematic Reports
      • Error Reports
        • Display all OSPF Routing logs with error level severity or that contain error messages.
    • LSA Related Reports
      • Newly Added Route Reports
        • Display all OSPF Routing logs related to AS-External LSA type.
      • Updated Route Reports
        • Display all OSPF Routing logs related to Network LSA type.
      • Router LSA Reports
        • Display all OSPF Routing logs related to Router LSA type.
      • Invalid LSA Reports
        • Display all OSPF Routing logs related to invalid LSA.
  • Password Encryption
    • Operation Reports
      • Password Decryption Reports
        • Display all Password Encryption logs relating to password decryption.
      • Password Encryption Reports
        • Display all Password Encryption logs relating to password encryption.
  • SSL Stack
    • Problematic Reports
      • Error Reports
        • Display all SSL Stack logs with a severity level of Error, or that contain an error message.
    • Peer Classification Reports
      • Client Peer Type Reports
        • Display all SSL Stack logs where peer role is client.
      • Server Peer Type Reports
        • Display all SSL Stack logs where peer role is server.
  • SSL VPN Client
    • Problematic Reports
      • Error Reports
        • Display all SSL VPN Client logs with error level severity or that contain error messages.
    • User Reports
      • User Reports
        • Display all SSL VPN Client logs having user related details.
  • VPN Load Balancing
    • Message Processing Reports
      • Message Processing Reports
        • Display all Cisco FTD VPN Load Balancing logs that contain a sent or received message.
    • Problematic Reports
      • Error Reports
        • Display all Cisco FTD VPN Load Balancing logs that contain an error message.
  • WebVPN and AnyConnect Client
    • Problematic Reports
      • Alert Reports
        • Display all WebVPN and AnyConnect client logs with alert level severity.
      • Critical Reports
        • Display all WebVPN and AnyConnect client logs with critical level severity.
      • Error Reports
        • Display all WebVPN and AnyConnect client logs with error level severity or that contain error messages.
    • User Reports
      • User Action Reports
        • Display all WebVPN and AnyConnect client logs having user related details and action.
      • User Reports
        • Display all WebVPN and AnyConnect client logs having user related details.

MS Win Event Log v2

  • Win Application Ad-Hoc Query
    • A generic Windows Application (Snare v2) Objective
      • Query Windows Application logs (Snare v2) for events of interest
  • WinApplication - Administrative Activity
    • Application Crash
      • This objective is used to monitor crashed applications.
    • EMET Failures
      • This objective is used to monitor error messages from Microsoft's Enhanced Mitigation Experience Toolkit.
    • NetIQ Administrative Activity
      • This objective is used to monitor administrative activity using the NetIQ product.
    • NetIQ Group Administrative Activity
      • This objective is used to monitor group administrative activity using the NetIQ product.
    • NetIQ User Administrative Activity
      • This objective is used to monitor user administrative activity using the NetIQ product.
    • Windows File Protection
      • The Windows File Protection service monitors critical system files and attempts to prevent unauthorized software from modifying or replacing these files. This objective is used to monitor WFP warning events.
  • WinApplication - Oracle Server
    • Oracle SYSTEM Usage
      • Display activity for users with SYSDBA and SYSOPER privileges.
    • Oracle Password Change Audit
      • Display Password Change Events for all users.
    • Oracle Security Audit
      • Display Potentially Dangerous SQL Events.
    • Oracle Audit Events
      • Display Generic Oracle Activity.
    • Oracle User Session Audit
      • Display all user Activity for given DBUSER.
  • WinEvent Ad-Hoc Query
    • A generic Windows Event Log (Snare v2) Objective
      • Query Windows Event logs (Snare v2) for events of interest other than WinApplication, WinSecurity and WinSystem
  • WinSecurity Ad-Hoc Query
    • A generic Windows Security (Snare v2) Objective
      • Query Windows Security logs (Snare v2) for events of interest
  • WinSecurity - Administrative Actions
    • Account Creation and Deletion
      • This objective displays Windows accounts (in specified domains) that have been recently created or deleted.
    • Group Creation and Deletion
      • This objective displays Windows groups that have been recently created or deleted.
    • Group Modifications
      • This objective shows modifications to specified sensitive Windows groups.
    • Group Member Changes
      • This objective shows changes to the members of sensitive Windows Groups.
    • Local Account added to Administrators
      • This objective displays Windows local accounts that have been added to the Local Administrators Group.
    • Audit Log Cleared
      • This objective checks to see if the Windows event logs were cleared. Note that the Snare agent must be configured to collect these events.
    • Changes to the Audit Policy
      • Although the Snare for Windows agent is able to configure the host's audit sub-system, this objective keeps an eye on events which indicate an attempt to change the underlying audit configuration.
    • Privilege Escalation
      • This objective displays Windows user rights changes to allow monitoring for escalation of user privileges.
    • Scheduled task was created
      • This objective displays when a new scheduled task has been created.
    • Service was installed
      • This objective displays when a service is installed on the system.
    • Startup Run Tasks Alert
      • This objective displays when the Run and RunOnce registry keys have been modified.
    • User Modifications
      • This objective shows modifications to specified sensitive Windows users.
    • Account Creation and Deletion on Windows and ACF2
      • This objective displays any differences between Windows and ACF2 account creation details.
  • WinSecurity - User Login
    • Failed User Logins
      • This objective is used to monitor failed user login actions on Windows servers.
    • User Interactive Logins and Logoffs
      • This objective is used to monitor interactive account login and logoff events. This includes workstation locked/unlocked events and screen saver invoked/dismissed events.
    • Type 3 and Type 10 Network logins
      • This objective displays Windows Type 3 host to host network logins and Type 10 RDP network logins.
    • User Login
      • This objective is used to monitor user login actions on Windows servers.
  • WinSecurity - Windows File Objectives
    • Windows File Access
      • Monitor access to file and directories that are considered to be sensitive. Note that to use this objective, the Snare agents must be configured to report on file accesses.
    • Windows Object Permission Changes
      • Monitor permission changes to a file or directory that is considered sensitive. Note that to use this objective, the Snare agents must be configured to report on event 4670.
  • WinSecurity - Process Objectives
    • New Process Created
      • Monitor when new processes are created.
    • Windows Process Access
      • Monitor access to applications that are considered to be sensitive. Note that to use this objective, the Snare agents must be configured to report on process execution.
  • WinSecurity - Oracle Server
    • Oracle Start Stop Log
      • Display Oracle startup and shutdown events.
  • WinSystem Ad-Hoc Query
    • A generic Windows System (Snare v2) Objective
      • Query Windows System logs (Snare v2) for events of interest
  • WinSystem - Administrative Actions
    • Windows 2008R2 Non-Security Audit Log Cleared
      • This objective checks to see if the Windows Application, System or another non-security event log was cleared. Note that the Snare agent must be configured to collect these events.
    • Audit Log Corrupt
      • Display Windows machines that have reported a corrupt event log, during the reporting period. Corrupt event log reporting is only available in Snare for Windows version 3.0.0 and above.
    • Protection Disabled
      • This objective is used to monitor the disabling of virus protection mechanisms.

Apple BSM v2

  • User Privilege Escalation
    • Failed access to a user account
      • This objective is used to monitor failed access to a target account through the /bin/su utility.
    • Failed Sudo Access
      • This objective is used to monitor failed sudo activities/operations.
    • Sudo Usage
      • This objective is used to monitor successful sudo activities/operations.
    • Access to a target account
      • This objective is used to monitor access to a target account through the /bin/su utility.
  • User Login
    • Failed User Login
      • This objective is used to monitor failed user login actions on Apple servers.
    • User Login
      • This objective is used to monitor user login actions on Apple servers.
  • Process Objectives
    • Executing a Process
      • This objective is used to monitor access to processes or applications that are considered to be sensitive. Note that to use this objective, the Snare agents must be configured to collect process events.
  • File Access
    • Access to Sensitive Files
      • Monitor access to files and directories that are considered to be sensitive. Note that to use this objective, the Snare agents must be configured to report on file accesses.

MS SQL Log v2

  • Admin Usage
    • Admin DBA User
      • This objective is used to monitor Administrator/SA user operations.
  • Cardholder Data
    • Search for Cardholder Data
      • This objective is used to monitor cardholder data queries.
  • Table Operations
    • Truncate Usage
      • This objective is used to monitor truncate table operations.

MS SQL Log

  • Cardholder Data
    • Search for Cardholder Data
      • This objective is used to monitor cardholder data queries.

Office 365 Log

  • Audit Log
    • Ad-Hoc Query
      • A generic Office 365 Audit Log Objective
        • Query all generic Office365 event logs
    • User Related Operations
      • Admin Operation Reports
        • Display all Office365 events related to Admin user.
      • Application Operation Reports
        • Display all Office365 events related to an Application.
      • Regular User Operation Reports
        • Display all Office365 events related to Regular users.
      • System Operation Reports
        • Display all Office365 events related to a System account.
    • Problematic Reports
      • Fail Operation Reports
        • Display all Office365 events with failure results.
    • Successful Operations
      • Successful Operation Reports
        • Display all Office365 events with successful results.
  • Azure Active Directory
    • Ad-Hoc Query
      • Query all Office365 Azure Active Directory event logs
    • Event classification
      • Account Logon Events
        • Display all Office365 Azure Active Directory - Account Logon events.
      • Application Audit Event
        • Display all Office365 Azure Active Directory - Application Audit events.
    • User Administration Activities
      • Newly Added User Account Reports
        • Display all Office365 Azure Active Directory events related to newly created user account.
      • Deleted User Account Reports
        • Display all Office365 Azure Active Directory events related to deleted user account.
      • Updated User Account Reports
        • Display all Office365 Azure Active Directory events related to updated user account.
    • Result based classification
      • Fail Operation Reports
        • Display all Office365 Azure Active Directory events with failure results.
      • Successful Operation Reports
        • Display all Office365 Azure Active Directory events with successful results.
  • Azure Active Directory Sts Logon
    • Ad-Hoc Query
      • Query all Office365 Azure Active Directory STS Logon event logs
    • Login classification
      • User Login
        • Display all Office365 Azure Active Directory STS Logon events related to user login.
      • Login Failures
        • Display all Office365 Azure Active Directory STS Logon events related to user login failures.
  • Exchange Admin
    • Ad-Hoc Query
      • Query all Office365 Exchange Admin event logs
    • Mailbox Configurations
      • Set Mailbox OWA Policy Reports
        • Display all Office365 Exchange Admin associated to mailbox OWA policy settings.
      • Set Mailbox Permission Reports
        • Display all Office365 Exchange Admin associated to mailbox permission settings.
      • Set Mailbox Reports
        • Display all Office365 Exchange Admin associated to mailbox configurations.
  • Exchange Item
    • Ad-Hoc Query
      • Query all Office365 Exchange Item event logs
    • Mailbox Access
      • Externally Accessed Mailbox Items
        • Display all Office365 Exchange Items that were accessed externally, i.e. where the logon user's domain differs from the mailbox owner's domain.
  • Exchange Item Aggregated
    • Ad-Hoc Query
      • Query all Office365 Exchange mailbox advanced auditing logs
    • MailItemsAccessed Classification
      • Bind events
        • Display all Office365 Exchange mailbox advanced auditing logs related to message access recording.
      • Sync events
        • Display all Office365 Exchange mailbox advanced auditing logs related to message synchronization.
  • Exchange Item Group
    • Ad-Hoc Query
      • Query all Office365 Exchange Item Group event logs
    • Mailbox Actions
      • Deleted Mailbox Items
        • Display all Office365 Exchange Items associated to delete operation.
  • Share Point
    • Ad-Hoc Query
      • Query other events in SharePoint Online and OneDrive for Business
    • Web, Site and Pages Activities
      • Page Activities
        • Display all page activities in Office365 SharePoint Online.
      • Site Activities
        • Display all site activities in Office365 SharePoint Online.
  • Share Point File Operation
    • Ad-Hoc Query
      • Query all files and folder activities by users in SharePoint Online and OneDrive for Business
    • Files and Folders Operations
      • Accessed Files
        • Display all Office365 SharePoint events related to accessed file.
      • Deleted Files and Folders
        • Display all Office365 SharePoint events related to deleted files and folders.
      • Uploaded Files and Folders
        • Display all Office365 SharePoint events related to uploaded files and folders.
  • Share Point List Operation
    • Ad-Hoc Query
      • Query all activities related to users' interaction with lists and list items in SharePoint Online
    • Lists and List Items Operations
      • Created Lists and List Items
        • Display all Office365 SharePoint events related to created lists and list items.
      • Deleted List and List Items
        • Display all Office365 SharePoint events related to deleted list and list items.
    • List Items Classifications
      • DocumentLibrary List Items
        • Display all Office365 SharePoint events related to DocumentLibrary type of list and list items.
      • Generic List Items
        • Display all Office365 SharePoint events related to generic type of list and list items.

AWS Log

  • Cloud Trail
    • Console Sign In
      • Console Login
        • Monitor or display all AWS console login actions.
      • Failed Console Login
        • Monitor or display failed AWS console login actions.
      • Successful Console Login
        • Monitor or display successful AWS console login actions.
  • VPC Flow Log
    • Action
      • Accept Traffic
        • Monitor or display AWS VPC flow log ACCEPT actions associated with the traffic.
      • Reject Traffic
        • Monitor or display AWS VPC flow log REJECT actions associated with the traffic.
  • WAF
    • WAF Action
      • WAF Allow Web Request
        • Monitor or display AWS WAF Allow web request actions.
      • WAF Block Web Request
        • Monitor or display AWS WAF Block web request actions.
      • WAF CAPTCHA Web Request
        • Monitor or display AWS WAF CAPTCHA web request actions.
      • WAF Challenge Web Request
        • Monitor or display AWS WAF Challenge web request actions.
      • WAF Count Web Request
        • Monitor or display AWS WAF Count web request actions.


Azure Log

  • Signin Logs

    • Ad-Hoc Query

      • Query all event logs related to Azure sign in activities.

    • SignIn classification - User type

      • SignIn Activities from External users

        • Display all Azure sign in activities made by External users.

      • SignIn Activities from Guests

        • Display all Azure sign in activities made by Guest users.

    • SignIn classification - Authentication type

      • SignIn Activities with MultiFactor Authentication

        • Display all Azure sign in activities that uses MultiFactor Authentication.

      • SignIn Activities with SingleFactorAuthentication

        • Display all Azure sign in activities that uses SingleFactorAuthentication.

    • SignIn classification - Result type

      • SignIn Failures

        • Display all unsuccessful Azure sign in activities.

      • Successful SignIn Activities

        • Display all successful Azure sign in activities.

  • Audit Logs

    • Ad-Hoc Query

      • Query all event logs related to actions performed in Azure portal.

    • Audit Log classification - Per Category

      • Application Management Operations

        • Display all Azure operations related to application management.

      • Authorization Related Operations

        • Display all Azure operations related to authorization.

      • Group Management Related Operations

        • Display all Azure operations related to group management.

      • Policy Related Operations

        • Display all Azure operations related to policy and policy management.

      • User Management Related Operations

        • Display all Azure operations related to user management.

    • Audit Log classification - Result type

      • Successful Operations

        • Display all successful operations performed at Azure Active Directory.

      • Unsuccessful Operations

        • Display all unsuccessful operations performed at Azure Active Directory.

  • Activity

    • Ad-Hoc Query

      • Query all management plane logs related to Azure resources.

    • Azure activity log classification - Per Category

      • Administrative Related Activities

        • Display all Azure resource activities related administrative work.

      • Policy Related Activities

        • Display all Azure resource activities related to policy.

      • Security Related Activities

        • Display all Azure resource activities related to security.

    • Azure activity log classification - Severity Level

      • Critical Activities

        • Display all activities related to Azure resources, indicating a problem and demands immediate attention of a system administrator

      • Error Related Activities

        • Display all activities related to Azure resources indicating a problem that does not require immediate attention.

      • Warning Related Activities

        • Display all activities related to Azure resources indicating a potential problem, although not an actual error.

    • Azure activity log classification - Per Resource Provider

      • Network Related Activities

        • Display all Azure activities related to Network resources.

    • Azure activity log classification - Per Status

      • Successful Activities

        • Display all successful activities related to Azure resources.

      • Unsuccessful Activities

        • Display all unsuccessful activities related to Azure resources.

  • Network Security Group Event

    • Ad-Hoc Query
      • Query all Azure resource logs related to Azure NSG Event.
    • Azure NSG event log classification - Per Direction
      • Incoming Event Logs
        • Display all incoming Azure NSG event logs.
      • Outgoing Event Logs
        • Display all outgoing Azure NSG event logs.
    • Azure NSG event log classification - Per Rule type
      • Event Logs for Default Rules
        • Display all Azure NSG event logs generated for default rules.
      • Event Logs for User-defined Rules
        • Display all Azure NSG event logs generated for user-defined rules.
  • Network Security Group Rule Counter

    • Ad-Hoc Query
      • Query all Azure resource logs related to Azure NSG Rule Counter.
    • Azure NSG rule counter log classification - Per Direction
      • Incoming Rule Counter Logs
        • Display all incoming Azure NSG rule counter logs.
      • Outgoing Rule Counter Logs
        • Display all outgoing Azure NSG rule counter logs.
    • Azure NSG rule counter log classification - Per Rule type
      • Rule Counter Logs for Default Rules
        • Display all Azure NSG rule counter logs generated for default rules.
      • Rule Counter Logs for User-defined Rules
        • Display all Azure NSG rule counter logs generated for user-defined rules.
  • Application Gateway Access Log
    • Ad-Hoc Query
      • Query all Azure resource logs related to Application Gateway Access.
    • Access log classification - Per Request type
      • Get Requests
        • Display all GET requests.
      • Post Requests
        • Display all POST requests.
    • Access log classification - Per Request result
      • Successful Requests
        • Display all successful requests.
      • Unsuccessful Requests
        • Display all unsuccessful requests.
  • Application Gateway Firewall Log
    • Ad-Hoc Query
      • Query all Azure resource logs related to Application Gateway Firewall.
    • Firewall log classification - Per Action type
      • Allowed Requests
        • Display all requests allowed by the WAF set on the Azure Application Gateway.
      • Blocked Requests
        • Display all requests blocked by the WAF set on the Azure Application Gateway.
      • Matched Requests
        • Display all requests that matched the WAF rules set on the Azure Application Gateway.
    • Firewall log classification - Per Policy scope
      • Requests Related to Global Policy
        • Display all requests that were captured by the WAF rules under global policy set on the Azure Application Gateway.
      • Requests Related to Listener Policy
        • Display all requests that were captured by the WAF rules under listener policy set on the Azure Application Gateway.
    • Firewall log classification - Per RuleSet type
      • Matched Custom Rule Requests
        • Display all requests that were captured by the WAF custom rules set on the Azure Application Gateway.
      • Matched Pre-defined Rule Requests
        • Display all requests that were captured by the WAF pre-defined rules set on the Azure Application Gateway.
  • Application Gateway Performance Log
    • Ad-Hoc Query
      • Query all Azure resource logs related to Application Gateway Performance.
    • Performance log classification - Host Status counter
      • Unhealthy Hosts Indicator
        • Display all Application Gateway performance logs indicating the number of unhealthy hosts.
  • Firewall Application Rule
    • Ad-Hoc Query
      • Query all Azure resource logs related to the events captured by the Azure Firewall Application rule policies in legacy format.
  • Firewall DNS Proxy
    • Ad-Hoc Query
      • Query all Azure resource logs related to the DNS Proxy events in legacy format under Azure Firewall.
  • Firewall Network Rule
    • Ad-Hoc Query
      • Query all Azure resource logs related to the events captured by the Azure Firewall Network rule policies in legacy format.
    • Log classification - Per Operation name
      • DNAT Rule Events
        • Display all events related to DNAT rule policies, in legacy format.
      • Network Rule Events
        • Display all events related to Network rule policies, in legacy format.
  • AZFW Application Rule
    • Ad-Hoc Query
      • Query all Azure resource logs related to the events captured by the Azure Firewall Application rule policies.
  • AZFW Dns Query
    • Ad-Hoc Query
      • Query all Azure resource logs related to the DNS Proxy events under Azure Firewall.
  • AZFW Nat Rule
    • Ad-Hoc Query
      • Query all Azure resource logs related to the events captured by the Azure Firewall DNAT rule policies.
  • AZFW Network Rule
    • Ad-Hoc Query
      • Query all Azure resource logs related to the events captured by the Azure Firewall Network rule policies.


Oracle Cloud Log

  • Audit Logs
    • Single Sign-On
      • Single Sign-On/Password events captured by Audit logging
    • Application Access Events
      • Application Access events captured by Audit logging
    • Multifactor Authentication
      • Step up authentication and bypass code-related events captured by Audit logging
    • Self-Registration
      • User Self-Registration events captured by Audit logging
    • Self-Service Access Request
      • Access Request events captured by Audit logging
    • Notifications
      • Notification Delivery events captured by Audit logging
    • Identity Bridge Sync
      • ID Bridge Sync status events captured by Audit logging
    • Forgot/Reset Password
      • Password Reset events captured by Audit logging
    • Reset Password Initiated by Administrator
      • Password Reset initiated by Admin events captured by Audit logging
    • Change Password
      • Password Change events captured by Audit logging
    • User CRUD Operations
      • User Create, Activate, Update, and Delete events captured by Audit logging
    • Group CRUD Operations
      • Group Create, Update, Delete and Membership Assignment events captured by Audit logging