Report Templates
The following modular objective templates can be used as a basis for your own objectives.
The objective type can be changed by configuring your objective and selecting 'Change Type' in the top right corner. This displays a list of Objective Types to select from.
Win Security
- Oracle Server
- Oracle Start Stop Log
- Display Oracle startup and shutdown events.
- Windows File Objectives
- Windows Object Permission Changes
- Monitor permission changes to a file or directory that is considered sensitive. Note that to use this objective, the Snare agents must be configured to report on event 4670.
- Windows File Access
- Monitor access to file and directories that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to report on file accesses.
- User Login
- Type 3 and Type 10 Network logins
- This objective displays Windows Type 3 host to host network logins and Type 10 RDP network logins.
- User Interactive Logins and Logoffs
- This objective is used to monitor interactive account login and logoff events. This includes workstation locked/unlocked events and screen saver invoked/dismissed events.
- Failed User Logins
- This objective is used to monitor failed user login actions on Windows servers.
- User Login
- This objective is used to monitor user login actions on Windows servers.
- Administrative Actions
- Service was installed
- This objective displays when a service is installed on the system.
- Audit Log Cleared
- This objective checks to see if the Windows event logs were cleared. Note that the Snare Agent must be configured to collect these events. The clearing of an event log may indicate that a user is attempting to cover their tracks.
- Local Account added to Administrators
- This objective displays Windows local accounts that have been added to the Local Administrators Group.
- Startup Run Tasks Alert
- This objective displays when the Run and RunOnce registry keys have been modified.
- Changes to the Audit Policy
- Although the Snare for Windows agent is able to configure the host's audit subsystem, this objective watches for events that indicate an attempt to change the underlying audit configuration. Such changes may indicate a user attempting to hide their "tracks", or to obscure (potentially) unauthorized activity.
- Account Creation and Deletion on Windows and ACF2
- This objective displays any differences between Windows and ACF2 account creation details. In particular, the objective will display:
1) Account creation and removal events for ACF2 that have no corresponding create/remove event for Windows, and
2) Account creation and removal events for Windows that have no corresponding create/remove event for ACF2.
- Group Member Changes
- This objective shows changes to the members of sensitive Windows Groups.
- Scheduled task was created
- This objective displays when a new scheduled task has been created.
- Account Creation and Deletion
- This objective displays Windows accounts (in specified domains) that have been recently created or deleted.
- User Modifications
- This objective shows modifications to specified sensitive Windows users.
- Group Creation and Deletion
- This objective displays Windows groups that have been recently created or deleted.
- Privilege Escalation
- This objective displays Windows user rights changes to allow monitoring for escalation of user privileges.
- Group Modifications
- This objective shows modifications to specified sensitive Windows groups.
- Process Objectives
- New Process Created
- Monitor when new processes are created.
- Windows Process Access
- Monitor access to applications that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to report on process execution.
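The Windows Security objectives above are, at heart, filters over Security event fields. The following Python is an added example (not Snare Central code) showing the equivalent logic over a few constructed events: the Type 3/10 network logon filter, a failed-login threshold per host and account, the local Administrators addition check, the audit-log-cleared check, and the Windows/ACF2 create-delete reconciliation. The dict field names and sample events are constructed for the demo and do not follow the Snare agent record format; event IDs 4624, 4625, 4732 and 1102 are the standard Windows Security IDs for logon, failed logon, member added to a local group and audit log cleared (the page itself only names 4670).

```python
"""Classify Windows Security events into the objectives listed above and
reconcile account create/delete events between Windows and ACF2.

Added example, not Snare Central code. Field names and sample events are
constructed and do not follow the Snare agent record format. Event IDs
4624/4625/4732/1102 are the standard Windows Security Event IDs.
"""
from collections import Counter

# Logon types the "Type 3 and Type 10 Network logins" objective selects.
NETWORK_LOGON_TYPES = {3: "network (host to host)", 10: "remote interactive (RDP)"}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Host": "WS01", "LogonType": 2, "TargetUserName": "alice", "IpAddress": "-"},
    {"EventID": 4624, "Host": "FS01", "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.1.2.30"},
    {"EventID": 4624, "Host": "JUMP01", "LogonType": 10, "TargetUserName": "bob", "IpAddress": "10.9.0.4"},
    {"EventID": 4625, "Host": "FS01", "LogonType": 3, "TargetUserName": "Administrator", "IpAddress": "10.7.7.7"},
    {"EventID": 4625, "Host": "FS01", "LogonType": 3, "TargetUserName": "administrator", "IpAddress": "10.7.7.7"},
    {"EventID": 4625, "Host": "FS01", "LogonType": 3, "TargetUserName": "ADMINISTRATOR", "IpAddress": "10.7.7.7"},
    {"EventID": 4625, "Host": "WS01", "LogonType": 2, "TargetUserName": "alice", "IpAddress": "-"},
    {"EventID": 4732, "Host": "FS01", "TargetUserName": "Administrators", "MemberName": "CORP\\mallory", "SubjectUserName": "bob"},
    {"EventID": 4732, "Host": "FS01", "TargetUserName": "Backup Operators", "MemberName": "CORP\\carol", "SubjectUserName": "bob"},
    {"EventID": 1102, "Host": "FS01", "SubjectUserName": "bob"},
]


def network_logons(events):
    """'Type 3 and Type 10 Network logins': successful logons over the network or RDP."""
    return [e for e in events if e["EventID"] == 4624 and e.get("LogonType") in NETWORK_LOGON_TYPES]


def failed_logins(events, threshold=3):
    """'Failed User Logins': (host, account) pairs with at least `threshold` 4625 events.
    Account names are compared case-insensitively, as Windows treats them."""
    counts = Counter((e["Host"], e["TargetUserName"].lower()) for e in events if e["EventID"] == 4625)
    return {key: n for key, n in counts.items() if n >= threshold}


def local_admin_additions(events):
    """'Local Account added to Administrators': 4732 where the target group is Administrators."""
    return [e for e in events if e["EventID"] == 4732 and e["TargetUserName"].lower() == "administrators"]


def audit_log_cleared(events):
    """'Audit Log Cleared': 1102 is written to the Security log when it is cleared."""
    return [e for e in events if e["EventID"] == 1102]


def reconcile_account_changes(windows_changes, acf2_changes):
    """'Account Creation and Deletion on Windows and ACF2'.

    Each input is an iterable of (action, account) tuples, action being
    'create' or 'delete'. Returns the changes seen on one side only, matching
    accounts case-insensitively so 'JSMITH' (ACF2) pairs with 'jsmith' (Windows).
    """
    def normalise(changes):
        return {(action, account.lower()) for action, account in changes}

    win, acf = normalise(windows_changes), normalise(acf2_changes)
    return {"acf2_only": sorted(acf - win), "windows_only": sorted(win - acf)}


if __name__ == "__main__":
    print(network_logons(SAMPLE_EVENTS))
    print(failed_logins(SAMPLE_EVENTS))
    print(local_admin_additions(SAMPLE_EVENTS))
    print(audit_log_cleared(SAMPLE_EVENTS))
    print(reconcile_account_changes(
        [("create", "jsmith"), ("delete", "tempuser"), ("create", "newhire")],
        [("create", "JSMITH"), ("delete", "TEMPUSER"), ("create", "BATCHID1")],
    ))
```

Each function corresponds to one objective name from the list above; in practice the agent feeds these fields to Snare Central and the objective applies the same predicate, so the point of the example is the shape of the predicate (event ID plus one or two field conditions) rather than the plumbing.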
Win Application
- Administrative Activity
- Application Crash
- This objective is used to monitor crashed applications.
- NetIQ User Administrative Activity
- This objective is used to monitor user administrative activity using the NetIQ product.
- NetIQ Group Administrative Activity
- This objective is used to monitor group administrative activity using the NetIQ product.
- EMET Failures
- This objective is used to monitor error messages from Microsoft's Enhanced Mitigation Experience Toolkit.
- Windows File Protection
- The Windows File Protection service monitors critical system files and attempts to prevent unauthorized software from modifying or replacing these files. This objective is used to monitor WFP warning events.
- NetIQ Administrative Activity
- This objective is used to monitor administrative activity using the NetIQ product.
Win System
- Administrative Actions
- Windows 2008R2 Non-Security Audit Log Cleared
- This objective checks to see if the Windows Application, System or another non-security event log was cleared. Note that the Snare agent must be configured to collect these events.
- Audit Log Corrupt
- Display Windows machines that have reported a corrupt event log, during the reporting period. Corrupt event log reporting is only available in Snare for Windows version 3.0.0 and above.
Linux Audit
- User Login
- User Login
- This objective is used to monitor user login actions on Linux servers.
- Process Objectives
- Executing a Process
- This objective is used to monitor access to processes or applications that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to collect process events.
- File Objectives
- Accessing a File
- This objective is used to monitor access to files that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to collect file events.
- Account Management Objectives
- Account Management
- This objective is used to monitor account management actions on Linux servers. Note that the Linux audit subsystem will only generate these events when an account or group is modified using the account management binaries (for example useradd, usermod or groupadd). Situations where a root user manually edits the /etc/passwd or /etc/group files will not be detected by this objective.
- User Account Management
- This objective is used to monitor user account management actions on Linux servers. Note that the Linux audit subsystem will only generate these events when an account is modified using the account management binaries. Situations where a root user manually edits the /etc/passwd or /etc/group files will not be detected by this objective.
- Group Account Management
- This objective is used to monitor group account management actions on Linux servers. Note that the Linux audit subsystem will only generate these events when a group is modified using the account management binaries. Situations where a root user manually edits the /etc/passwd or /etc/group files will not be detected by this objective.
SOCKS Log
- User Authentication
- Failed Authentication
- This objective looks for failed authentication events from a SOCKS server.
MS DNS Server
- MSDNSServer
- Microsoft DNS Server Logs. DNS over TCP
- This objective is used to monitor suspicious use of DNS over TCP.
- Microsoft DNS Server Logs. DNS Server Failure
- This objective is used to monitor DNS server response failures.
- Microsoft DNS Server Logs. DNS Client IP Find
- This objective is used to retrieve DNS traffic to or from a specified IP address.
- Microsoft DNS Server Logs. NXDOMAIN
- This objective is used to monitor only those DNS queries that received an NXDOMAIN (non-existent domain) response.
Universal Log
- Report Access
- Reading Reports
- This objective allows you to search for reports that have been read.
- Search Analysis
- Query Term Analysis
- This objective allows you to monitor the search terms used in Universal Log data, based on a 'Query' event in the 'Message' field.
- User Login
- User Login
- This objective allows you to monitor user logins reported in the Universal Log data.
- Report Prints
- Print Reports
- This objective allows you to search for reports that have been printed.
Solaris BSM
- File Access
- Access to Sensitive Files
- Monitor access to file and directories that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to report on file accesses.
- User Login
- User Login
- This objective is used to monitor user login actions on Solaris servers.
- User Privilege Escalation
- Access to a target account
- This objective is used to monitor access to a target account through the /bin/su utility.
- Failed access to a user account
- This objective is used to monitor failed access to a target account through the /bin/su utility.
- Process Objectives
- Executing a Process
- This objective is used to monitor access to processes or applications that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to collect process events.
RACF Log
- User Login
- User Logins
- This objective displays information relating to RACF user logins.
- Object Access
- Access to RACF Resources
- This objective monitors access to RACF resources that are considered to be sensitive. A ReturnCode of 0 implies a failed attempt to access the resource. Use the RESOURCE field to narrow your search criteria.
Configuration Check
- CISCO Configuration Checker
- CISCO Pix/Router Configuration Checker
- Compare the current CISCO Pix or Router configuration to an authorised version. The objective will attempt to connect to the device using the 'telnet' protocol and display the current configuration. The current configuration will also be compared against an authorized 'Master' and changes will be highlighted. Two passwords in the "Configure" section (connect, and enable) are used to retrieve the configuration. Note that telnet sends these passwords and the retrieved configuration in clear text, so the connection should only be made over a trusted management network.
Network Mapper
- Network Mapping and Vulnerability Scan
- Network Mapper
- This objective allows you to scan your network for open services. New systems, or systems with unauthorized ports, will be highlighted for your attention. In addition, an optional network security scan can be conducted against any hosts that are found. The report may be displayed in tabular format, which is useful for the analysis of many hosts on any given network. In both "iconized" and "tabular" formats, an authorized "port list" can be configured on a host-by-host basis. Future scans against the host in question will highlight any changes in port activation or deactivation. The network scanner can be configured to scan TCP and/or UDP port ranges.
UDP scanning is very slow and should be used with care, because a UDP probe must wait for a timeout to determine whether a port is closed. If this timeout is too short, valid ports will be missed and not correctly reported. This objective uses the free open source tool Nmap to determine the open ports on one or more hosts. Further details are available from: http://www.insecure.org/
User/Group Snapshot
- Account Flags
- Account Flags
- This objective displays those users who have settings configured on their account that are considered sensitive or important from a security viewpoint. These attributes are queried on a regular basis by connecting to specified Snare Agents. The updated information will be displayed in these reports, on a scheduled basis, as required by the users of these objectives.
- Account Expiry
- Account Expiry
- This objective displays account expiry settings (in days) by system and/or domain. Please note that this objective requires Snare for Windows version 2.6.2 or later. For accounts retrieved from the Windows Active Directory interface, the objective reports the current maximum time since any non-expired user has changed their password, which should generally provide an approximation of probable server password expiry settings in most circumstances.
- Sensitive Groups
- Sensitive Groups
- This objective takes snapshots of the applicable group memberships and compares them to a specified list to report on authorized and unauthorized group members. The Snare Central will regularly query the specified server(s) to determine the members of all groups. This is then used by these objectives to determine which users have been authorized to be members of this group, and which are not.
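The 'Sensitive Groups' objective above works by taking a membership snapshot and comparing it to an authorised list, and by comparing successive snapshots. The following Python is an added example (not Snare Central code) of both comparisons over constructed snapshots; the `{group: set(members)}` structure and the sample accounts are assumptions made for the demo, not the format Snare Central stores.

```python
"""Compare group-membership snapshots to an authorised member list, and to each
other, as the 'Sensitive Groups' objective does.

Added example, not Snare Central code. The snapshot structure and sample
data are constructed for the demo.
"""

# Constructed data: the authorised list and two successive scheduled polls.
AUTHORIZED = {
    "Administrators": {"CORP\\Domain Admins", "FS01\\Administrator"},
    "Backup Operators": {"CORP\\svc_backup"},
}
SNAPSHOT_MONDAY = {
    "Administrators": {"CORP\\Domain Admins", "FS01\\Administrator"},
    "Backup Operators": {"CORP\\svc_backup"},
}
SNAPSHOT_TUESDAY = {
    "Administrators": {"CORP\\Domain Admins", "FS01\\Administrator", "CORP\\mallory"},
    "Backup Operators": set(),                 # the service account was removed
    "Remote Desktop Users": {"CORP\\bob"},     # a group with no authorised list at all
}


def _norm(members):
    """Windows account names are case-insensitive; key on the lowercase form
    but keep the original spelling for reporting."""
    return {m.lower(): m for m in members}


def audit_snapshot(snapshot, authorized):
    """For every group in the snapshot, split members into authorised and
    unauthorised, and list authorised members that are absent. A group with no
    entry in `authorized` has no authorised members, so all of them are reported."""
    report = {}
    for group, members in snapshot.items():
        actual = _norm(members)
        allowed = _norm(authorized.get(group, set()))
        report[group] = {
            "authorized": sorted(actual[k] for k in actual.keys() & allowed.keys()),
            "unauthorized": sorted(actual[k] for k in actual.keys() - allowed.keys()),
            "missing": sorted(allowed[k] for k in allowed.keys() - actual.keys()),
        }
    return report


def snapshot_delta(previous, current):
    """Membership changes between two polls, per group. Groups that appear or
    disappear entirely show up as all-added or all-removed."""
    delta = {}
    for group in set(previous) | set(current):
        before = _norm(previous.get(group, set()))
        after = _norm(current.get(group, set()))
        added = sorted(after[k] for k in after.keys() - before.keys())
        removed = sorted(before[k] for k in before.keys() - after.keys())
        if added or removed:
            delta[group] = {"added": added, "removed": removed}
    return delta


def unauthorized_members(snapshot, authorized):
    """Flat (group, member) list of members that should not be there."""
    report = audit_snapshot(snapshot, authorized)
    return [(g, m) for g, r in report.items() for m in r["unauthorized"]]


if __name__ == "__main__":
    print(audit_snapshot(SNAPSHOT_TUESDAY, AUTHORIZED))
    print(snapshot_delta(SNAPSHOT_MONDAY, SNAPSHOT_TUESDAY))
```

The two views answer different questions: `audit_snapshot` tells you who is in a sensitive group right now who should not be (and who is missing), while `snapshot_delta` tells you what changed since the last poll, which is what you would alert on.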
Tru64 Audit
- User Login
- User Login
- This objective is used to monitor user login actions on Tru64 servers.
- File Access
- Access to Sensitive Files
- Monitor access to file and directories that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to report on file accesses.
- User Privilege Escalation
- User access to a target account
- This objective is used to track access to a target account through the /bin/su utility.
Gauntlet Firewall Log
- Electronic Mail
- Electronic Mail events
- The Gauntlet firewall generates events based on the email addresses that have been sent through the firewall. This objective allows the user to report on email information derived from the Gauntlet Firewall logs.
ACF2 Log
- Account Administration
- Changes to Accounts
- This objective displays information relating to ACF2 account modifications. ACF2 logs can be collected from an IBM MVS mainframe, and analysed using the Snare Central. The logs from the ACF2 mainframe are collected via FTP or SCP file transfer into the /data/SnareCollect/ACF2Log/ directory on the Snare Central.
- Accounts Created or Deleted
- This objective displays those ACF2 users on an MVS host which have been created or deleted.
- Changes to Flags
- For each CHANGE, DELETE or INSERT, this objective displays the details of the ACF2 changes on an MVS host.
- Object Access
- Access to the ACF2 Resources
- This objective monitors access to MVS resources that are considered to be sensitive. Use the RESOURCE field to narrow your search criteria. A ReturnCode of VIOLATION, or *VIO, indicates a failed attempt to access the resource.
- Access to the INFOSTORE database
- The Infostore database (ACF60STO) is a sensitive repository of ACF2 information. This objective displays events relating to user access to the INFOSTORE database.
- User Login Failures
- User Login Failures
- This objective displays information relating to ACF2 user login failures.
- Rule Changes
- ACF2 Rule Changes
- This objective displays events relating to changes to ACF2 rules. The ability to change ACF2 rules on MVS systems indicates privileged access, so rule changes should be carefully monitored to ensure that only authorized users are undertaking authorized activity. This objective shows who has been modifying these rules and maintains a view of the actions undertaken in this security management activity.
Object Access
- Object Access
- Access to Lotus Notes Resources
- This objective monitors access to Lotus Notes Database Resources. Use the OBJECT field to narrow your search criteria.
- Access to the ACF2 Resources
- This objective monitors access to ACF2 Objects that are considered to be sensitive. Use the OBJECT field to narrow your search criteria.
PIX Log
- Authentication
- User Authentication events
- Display user authentication events
SonicWall
- Packet Logs
- Dropped Packets
- Display events that have a category that indicates dropped packets
Apple BSM
- Process Objectives
- Executing a Process
- This objective is used to monitor access to processes or applications that are considered to be sensitive. Note that to use this objective, the Snare agents must be configured to collect process events.
- User Privilege Escalation
- Failed access to a user account
- This objective is used to monitor failed access to a target account through the /bin/su utility.
- Access to a target account
- This objective is used to monitor access to a target account through the /bin/su utility.
- User Login
- User Login
- This objective is used to monitor user login actions on Apple servers.
- File Access
- Access to Sensitive Files
- Monitor access to file and directories that are considered to be sensitive. Note that to use this objective, the Snare agents must be configured to report on file accesses.
AIX Audit
- Process Objectives
- Executing a Process
- This objective is used to monitor access to processes or applications that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to collect process events.
- User SU
- User access to the root account
- This objective is used to monitor access to the root account through the /bin/su utility.
- User Login
- User Login
- This objective is used to monitor user login actions on AIX servers. Note that FTP access is also counted as a 'login', but protocols such as SSH or VNC may not generate a login event. It is important that the 'Configure' section of the objective be used to define from which system(s) the login events are required, so that the user(s) of this objective are not flooded with too many login events. This will especially be the case in agencies that are of a significant size, and are collecting events from numerous AIX hosts.
- File Access
- Access to Sensitive Files
- Monitor access to file and directories that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to report on file accesses.
Nortel VPN Router
- Configuration Changes
- Configuration Changes
- This objective will watch for configuration changes to Nortel VPN Routers - such as the creation, destruction, or modification of particular configuration items.
- Authentication Events
- Failed Logins
- This objective will scan for failed attempts to access the VPN device by searching for events that include "Failed Login Attempt" or "failed to log in".
- Successful Logins
- This objective will scan for successful logins to the VPN device by searching for events that include "logged in from", "logged into group" or "login by using".
IP Tables Firewall
- Non-Local Network Connections
- Dropped Non-Local Network Connections
- Display dropped packets that have a source address of a routable IP block
- Accepted Non-Local Network Connections
- Display non-dropped packets that have a source address of a routable IP block
- Local Network Connections
- Accepted Local Network Connections
- Display non-dropped packets that have a source address of a non-routable IP block
- Dropped Local Network Connections
- Display dropped packets that have a source address of a non-routable IP block
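The four IP Tables objectives above are the cross product of two tests on each log line: was the packet accepted or dropped, and is its source address routable. The following Python is an added example (not Snare Central code) that sorts constructed iptables log lines into those four buckets. It assumes the rules were created with `--log-prefix "IPT-ACCEPT "` / `"IPT-DROP "` (the kernel log line carries no verdict of its own, so it has to come from the prefix), and it defines "non-routable" as the address blocks listed in `NON_ROUTABLE`; the sample lines are constructed, with TEST-NET addresses standing in for public ones.

```python
"""Sort iptables log lines into: Accepted/Dropped x Local/Non-Local source.

Added example, not Snare Central code. Assumptions: the verdict comes from a
--log-prefix of "IPT-ACCEPT " or "IPT-DROP " (kernel lines have no verdict
field); "non-routable" means the blocks in NON_ROUTABLE. Sample lines are
constructed; TEST-NET addresses (198.51.100/24, 203.0.113/24) stand in for
public addresses.
"""
import ipaddress
import re

NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 shared address space
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",               # IPv6 ULA, link-local, loopback
)]

PREFIX_RE = re.compile(r"IPT-(ACCEPT|DROP)\b")
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")

SAMPLE_LINES = [
    "Jan 10 12:00:01 gw kernel: IPT-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TTL=54 PROTO=TCP SPT=51514 DPT=22 SYN",
    "Jan 10 12:00:02 gw kernel: IPT-ACCEPT IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.5 LEN=60 TTL=57 PROTO=TCP SPT=40000 DPT=443 SYN",
    "Jan 10 12:00:03 gw kernel: IPT-ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 LEN=52 TTL=63 PROTO=UDP SPT=53211 DPT=53",
    "Jan 10 12:00:04 gw kernel: IPT-DROP IN=eth1 OUT= SRC=10.0.0.8 DST=192.168.1.1 LEN=60 TTL=64 PROTO=TCP SPT=33333 DPT=3389 SYN",
    "Jan 10 12:00:05 gw kernel: IPT-DROP IN=eth0 OUT= SRC=fe80::1 DST=ff02::1 LEN=72 PROTO=ICMPv6",
    "Jan 10 12:00:06 gw sshd[1234]: Accepted publickey for ops from 192.168.1.20 port 50000 ssh2",  # not iptables
]


def is_routable(addr):
    """True if `addr` falls outside every block in NON_ROUTABLE (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_ROUTABLE)


def parse_iptables_line(line):
    """Return {'action': ..., 'SRC': ..., 'DPT': ..., ...} or None for non-iptables lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields:
        return None
    fields["action"] = m.group(1)
    return fields


def classify(line):
    """Map a line onto one of the four objective names, or None if it is not an iptables log."""
    rec = parse_iptables_line(line)
    if rec is None:
        return None
    verdict = "Accepted" if rec["action"] == "ACCEPT" else "Dropped"
    scope = "Non-Local" if is_routable(rec["SRC"]) else "Local"
    return f"{verdict} {scope} Network Connections"


def bucket(lines):
    """Group parsed records under their objective name."""
    out = {}
    for line in lines:
        name = classify(line)
        if name:
            out.setdefault(name, []).append(parse_iptables_line(line))
    return out


if __name__ == "__main__":
    for name, recs in bucket(SAMPLE_LINES).items():
        print(name, [(r["SRC"], r.get("DPT")) for r in recs])
```

Two points worth keeping in mind when adapting this: the split between "local" and "non-local" is entirely determined by the `NON_ROUTABLE` list, so add your own internal ranges there, and the verdict is only as reliable as your `--log-prefix` convention.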
Browser
- Browser Objectives
- Access to Social Media and Related Sites
- Scan for access to social media and related sites. Please unlock this objective, and modify according to your requirements.
- Cookie Modifications
- Display cookie related events from Snare Browser agents.
- Inappropriate material
- Display inappropriate material, accessed through a browser.
INAPPROPRIATE CONTENT MAY BE DISPLAYED WITH THIS RANDOM SAMPLE.
The images are linked directly to the target site. This means that your UserID will download the images through your proxy server (if enabled), which means you may appear in your own logs.
Please also note that:
1) The originating user may not have deliberately accessed the content in question - it may have been a popup caused by a rogue web site, and
2) The image may no longer exist on the target site, in which case, you will receive a 'no image' placeholder within your web browser.
- Messages from installed Snare Browser Agents
- Display configuration change and agent restart messages from Snare Browser agents.
F5 Violations
- Violation Reports
- Special Alerts
- Display events tagged as violations, from F5 ASM logs.
Generic Syslog
- Session Information
- Monitor Session Growth
- This objective can be used to monitor session volume notification events from custom applications that report the data to Snare Central. The output component included with this objective will trigger when the number of sessions grows by a predetermined amount per source server. Notification events are assumed to be delivered at 1 minute intervals.
- User Privilege Escalation
- User Privilege Escalation through SU and Sudo
- This objective looks for SU or Sudo log entries in the Generic Syslog log source.
NetScreen Firewall
- Special Alerts
- Large ICMP Packet Notifications
- Display Large ICMP Packet notifications from Netscreen Firewalls.
- Port Scan Notifications
- Display port scan notifications from Netscreen Firewalls.
- IP Spoofing Notifications
- Display IP spoofing notifications from Netscreen Firewalls.
Oracle
- Oracle Server
- Oracle SYSTEM Usage
- Display activity for users with SYSDBA and SYSOPER privileges.
- Oracle User Session Audit
- Display all user Activity for given DBUSER.
- Oracle Audit Events
- Display Generic Oracle Activity.
- Oracle Password Change Audit
- Display Password Change Events for all users.
- Oracle Security Audit
- Display Potentially Dangerous SQL Events.
PAN Firewall
- Special Alerts
- Threat Reports
- Display threat-related events from Palo Alto Network Firewalls.
Irix SAT
- File Access
- Access to Sensitive Files
- Monitor access to file and directories that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to report on file accesses.
- User Login
- User Login
- This objective is used to monitor user login actions on Irix servers. Note that FTP access is also counted as a 'login', but protocols such as SSH or VNC may not generate a login event.
- User SU
- User access to the root account
- This objective is used to monitor access to the root account through the /bin/su utility.
- Process Objectives
- Executing a Process
- This objective is used to monitor access to processes or applications that are considered to be sensitive.
- Administrative Activity
- Successful Mount or Unmount Activity
- This objective monitors the mount or unmounting of disk volumes on Irix. This may be useful in those instances where it is required that access to specific volumes (such as floppy disks) be closely monitored.
- General Administrative Tasks
- This objective reports on selected Irix audit events which indicate general administrative activity, such as sat_chroot, sat_mount, sat_clock_set, sat_hostname_set, sat_domainname_set, sat_hostid_set, sat_control, sat_bsdipc_snoop_ok, sat_bsdipc_snoop_fail, and sat_ae_audit.
Web Log
- Proxy Server Objectives
- Inappropriate material accessed through a proxy server
- Display inappropriate material, accessed through an organisational proxy server, by searching for a range of defined words, in the URLs that are logged by a proxy server.
INAPPROPRIATE CONTENT MAY BE DISPLAYED WITH THIS RANDOM SAMPLE.
The images are linked directly to the target site. This means that your UserID will download the images through your proxy server (if enabled), which means you may appear in your own logs.
Please also note that:
1) The originating user may not have deliberately accessed the content in question - it may have been a popup caused by a rogue web site, and
2) The image may no longer exist on the target site, in which case, you will receive a 'no image' placeholder within your web browser.
- Proxy Server Logs
- Query Proxy Server Logs.
- Web Server Objectives
- Suspicious URL Access on your web servers
- Display URLs that are generally associated with cross-site scripting (XSS) attacks.
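The 'Suspicious URL Access' objective above matches web server log URLs against markers of cross-site scripting. The following Python is an added example (not Snare Central code) of that matching over constructed Combined Log Format lines. The one detail that matters in practice is shown explicitly: the URL must be percent-decoded, repeatedly, before matching, or a double-encoded payload such as `%253Cscript%253E` slips past. The pattern set is a starting point chosen for the demo, not Snare Central's list, and the sample lines are constructed.

```python
"""Flag access-log requests whose URL carries cross-site scripting markers, as
the 'Suspicious URL Access on your web servers' objective does.

Added example, not Snare Central code. XSS_PATTERNS is a demo starting set,
the log parsing is standard Combined Log Format, and the sample lines are
constructed.
"""
import re
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

XSS_PATTERNS = {
    "script tag": re.compile(r"<\s*script\b", re.I),
    "javascript: URL": re.compile(r"javascript\s*:", re.I),
    "inline event handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),
    "js sink call": re.compile(r"\b(?:alert|prompt|confirm|eval)\s*\(", re.I),
    "cookie theft": re.compile(r"document\s*\.\s*cookie", re.I),
}

SAMPLE_LINES = [
    '10.0.0.5 - - [10/Jan/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '10.0.0.5 - - [10/Jan/2024:12:00:02 +0000] "GET /search?q=quarterly+report HTTP/1.1" 200 812',
    '198.51.100.23 - - [10/Jan/2024:12:00:03 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812',
    '198.51.100.23 - - [10/Jan/2024:12:00:04 +0000] "GET /search?q=%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 812',
    '198.51.100.23 - - [10/Jan/2024:12:00:05 +0000] "GET /redirect?to=javascript:document.cookie HTTP/1.1" 302 0',
    '10.0.0.9 - - [10/Jan/2024:12:00:06 +0000] "POST /login HTTP/1.1" 200 64',
    'garbage line that is not an access log entry',
]


def normalise_url(url, rounds=3):
    """Percent-decode until the value stops changing (bounded by `rounds`), so
    double-encoded payloads like %253Cscript%253E are seen as <script>.
    unquote_plus also turns '+' into a space, as form encoding does."""
    for _ in range(rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url


def xss_indicators(url):
    """Names of the XSS_PATTERNS that match the decoded URL, in table order."""
    decoded = normalise_url(url)
    return [name for name, pat in XSS_PATTERNS.items() if pat.search(decoded)]


def suspicious_requests(lines):
    """Parse access-log lines; return (client, status, raw_url, indicators) for each hit.
    Lines that do not parse are skipped rather than raising."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = xss_indicators(m["url"])
        if found:
            hits.append((m["client"], int(m["status"]), m["url"], found))
    return hits


if __name__ == "__main__":
    for client, status, url, found in suspicious_requests(SAMPLE_LINES):
        print(client, status, url, found)
```

The raw URL is kept in the output so the analyst sees exactly what the client sent; the status code is included because a 200 against a reflected payload is worth more attention than a 404.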
FortiGate Log
- Unclassified FortiGate
- Unclassified FortiGate-Event Sub Type Reports
- Display unclassified FortiGate Event sub type-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency).
- Unclassified FortiGate Log Type Reports
- Display unclassified FortiGate log type-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency).
- Unclassified FortiGate-Traffic Sub Type Reports
- Display unclassified FortiGate Traffic sub type-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency).
- Unclassified FortiGate-UTM Sub Type Reports
- Display unclassified FortiGate UTM sub type-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency).
- Attack Reports
- Alert Attack Reports
- Display alert attack-related events from FortiGate UTM-Anomaly subtype.
- Attack Reports
- Display attacks-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-Anomaly subtype.
- Critical Attack Reports
- Display critical attack-related events from FortiGate UTM-Anomaly subtype.
- Emergency Attack Reports
- Display emergency attack-related events from FortiGate UTM-Anomaly subtype.
- Error Attack Reports
- Display error attack-related events from FortiGate UTM-Anomaly subtype.
- Warning Attack Reports
- Display warning attack-related events from FortiGate UTM-Anomaly subtype.
- Antivirus Reports
- Antivirus Reports
- Display virus-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-Antivirus subtype.
- File Type Reports
- Executable File Reports
- Display executable files-related events from FortiGate UTM-Antivirus subtype. Please unlock this objective and modify the filename extension according to your requirements.
- Website Reports
- Display website-related events from FortiGate UTM-Antivirus subtype. Please unlock this objective and modify the domain extension according to your requirements.
- App Ctrl Reports
- Application Control Reports
- Display application-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-Application Control subtype.
- Service Reports
- Web Service Reports
- Display web services-related events from FortiGate UTM-Application Control subtype.
- CIFS Reports
- CIFS Reports
- Display file system-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-CIFS subtype.
- File Type Reports
- Image Reports
- Display image-related events from FortiGate UTM-CIFS subtype.
- DLP Reports
- DLP Reports
- Display data leak/loss-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-DLP subtype.
- Data File Reports
- Image Reports
- Display file-related events from FortiGate UTM-DLP subtype. Please unlock this objective and modify the filetype according to your requirements.
- DNS Reports
- DNS Reports
- Display DNS-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-DNS subtype.
- Email Filter Reports
- DNS Reports
- Display email filter-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-Email Filter subtype.
- Error Event Reports
- Error Event Reports
- Display error-related events from FortiGate UTM-Email Filter subtype.
- Connector Reports
- Connector Reports
- Display connector-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-Connector subtype.
- Object Addition Reports
- Object Addition Reports
- Display object addition-related events from FortiGate Event-Connector subtype.
- Endpoint Reports
- Endpoint Reports
- Display endpoint-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-Endpoint subtype.
- Operation Reports
- Error Operation Reports
- Display error-related events from FortiGate Event-Endpoint subtype.
- Successful Add Operation Reports
- Display successful add-related events from FortiGate Event-Endpoint subtype.
- Successful Close Operation Reports
- Display successful close-related events from FortiGate Event-Endpoint subtype.
- Authorization Reports
- Authorized Activity Reports
- Display authorized activity-related events from FortiGate Event-FortiExtender subtype.
- Unauthorized Activity Reports
- Display unauthorized activity-related events from FortiGate Event-FortiExtender subtype.
- Connection Reports
- Connected Activity Reports
- Display connected activity-related events from FortiGate Event-FortiExtender subtype.
- Disconnected Activity Reports
- Display disconnected activity-related events from FortiGate Event-FortiExtender subtype.
- FortiExtender Reports
- Endpoint Reports
- Display FortiExtender-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-FortiExtender subtype.
- Endpoint Reports
- HA Reports
- HA Reports
- Display HA-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-HA subtype.
- HA Reports
- Router Reports
- Router Reports
- Display router-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-Router subtype.
- Router Reports
- Health Check Reports
- Health Check Reports
- Display health check-related events from FortiGate Event-SDWAN subtype.
- Health Check Reports
- SDWAN Reports
- SDWAN Reports
- Display SDWAN-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-SDWAN subtype.
- SDWAN Reports
- Security Rating Reports
- Security Rating Reports
- Display security rating-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-Security Rating subtype.
- Security Rating Reports
- Login Reports
- Failed Login Reports
- Display failed login-related events from FortiGate Event-System subtype.
- Successful Login Reports
- Display successful login-related events from FortiGate Event-System subtype.
- User Login Reports
- Display login-related events from FortiGate Event-System subtype.
- Failed Login Reports
- System Reports
- System Reports
- Display system-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-System subtype.
- System Reports
- Authentication Reports
- Failed Authentication Reports
- Display failed authentication-related events from FortiGate Event-User subtype.
- Successful Authentication Reports
- Display successful authentication-related events from FortiGate Event-User subtype.
- User Authentication Reports
- Display user authentication-related events from FortiGate Event-User subtype.
- Failed Authentication Reports
- User Reports
- User Reports
- Display user-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-User subtype.
- User Reports
- Login Reports
- Failed SSL Login Reports
- Display failed SSL login-related events from FortiGate Event-VPN subtype.
- Failed SSL Login Reports
- VPN Reports
- VPN Reports
- Display VPN-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-VPN subtype.
- VPN Reports
- WAD Reports
- WAD Reports
- Display WAD-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-WAD subtype.
- WAD Reports
- Error Log Reports
- Failed DNS Service Reports
- Display non-existing domain-related events from FortiGate Event-Wireless subtype.
- Failed FT Request Action Reports
- Display invalid FT request action-related events from FortiGate Event-Wireless subtype.
- Failed FT Authentication Action Reports
- Display invalid FT request authentication-related events from FortiGate Event-Wireless subtype.
- Failed DNS Service Reports
- Wireless Reports
- Wireless Reports
- Display wireless-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Event-Wireless subtype.
- Wireless Reports
- File Reports
- Blocked File Reports
- Display blocked file-related events from FortiGate UTM-File Filter subtype.
- Blocked File Reports
- File Filter Reports
- File Filter Reports
- Display file filter-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-File Filter subtype.
- File Filter Reports
- Service Reports
- Denied Service Reports
- Display related events with DENY_CAUSE from FortiGate UTM-GTP subtype.
- Denied Service Reports
- GTP Reports
- GTP Reports
- Display GTP-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-GTP subtype.
- GTP Reports
- Access Reports
- Blocked Access Reports
- Display blocked access-related events from FortiGate UTM-ICAP subtype.
- Blocked Access Reports
- ICAP Reports
- ICAP Reports
- Display internet content-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-ICAP subtype.
- ICAP Reports
- IPS Reports
- IPS Reports
- Display IPS-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-IPS subtype.
- IPS Reports
- Content Reports
- Malicious Content Reports
- Display malicious content-related events from FortiGate UTM-IPS subtype.
- Malicious Content Reports
- SSH Reports
- SSH Reports
- Display SSH-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-SSH subtype.
- SSH Reports
- SSL Reports
- SSL Reports
- Display SSL-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-SSL subtype.
- SSL Reports
- Traffic Reports
- Closed Service Reports
- Display closed service-related events from FortiGate Traffic log type.
- Connection Error Reports
- Display connection error-related events from FortiGate Traffic log type.
- Denied HTTP Service Reports
- Display denied HTTP service-related events from FortiGate Traffic log type.
- Denied Service Reports
- Display denied service-related events from FortiGate Traffic log type.
- Closed Service Reports
- Forward Traffic Reports
- Forward Traffic Reports
- Display forward traffic-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Traffic-Forward subtype.
- Forward Traffic Reports
- Local Traffic Reports
- Local Traffic Reports
- Display local traffic-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Traffic-Local subtype.
- Local Traffic Reports
- Multicast Traffic Reports
- Multicast Traffic Reports
- Display multicast traffic-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Traffic-Multicast subtype.
- Multicast Traffic Reports
- Sniffer Traffic Reports
- Sniffer Traffic Reports
- Display sniffer traffic-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate Traffic-Sniffer subtype.
- Sniffer Traffic Reports
- VoIP Reports
- VoIP Reports
- Display VoIP-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-VoIP subtype.
- VoIP Reports
- WAF Reports
- WAF Reports
- Display web app-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-WAF subtype.
- WAF Reports
- Header Change Reports
- HTTP Header Change Reports
- Display http header change-related events from FortiGate UTM-Web Filter subtype.
- HTTP Header Change Reports
- Web Filter Reports
- Web Filter Reports
- Display web-related events with possible risks (Level: Warning, Error, Critical, Alert, Emergency) from FortiGate UTM-Web Filter subtype.
- Web Filter Reports
Cisco FTD Log
- Security Event
- Connection Event Reports
- Connection Event Reports
- Display connection start and end events.
- Connection Event Reports
- Intrusion Attack Reports
- Intrusion Attack Reports
- Display intrusion attack events from Cisco FTD devices.
- Intrusion Attack with High Priority Reports
- Display intrusion attack events from Cisco FTD devices with high priority.
- Intrusion Attack with Medium Priority Reports
- Display intrusion attack events from Cisco FTD devices with medium priority.
- Intrusion Attack with Low Priority Reports
- Display intrusion attack events from Cisco FTD devices with low priority.
- Intrusion Attack Reports
- File Operation Reports
- File Operations Reports
- Display all file-related operations.
- Regular Files Reports
- Display all file operations that contain non-threat files.
- Malware Files Reports
- Display all file operations that were classified as malware files.
- File Failure Reports
- Display all file operations with fail results.
- File Operations Reports
- Connection Event Reports
- IPS - Intrusion Protection System
- Shun Reports
- Shun Addition Reports
- Display all Shun addition operations for Cisco FTD.
- Shun Deletion Reports
- Display all Shun deletion operations for Cisco FTD.
- Shun Fail Reports
- Display all Shun failures for Cisco FTD devices.
- Shun Addition Reports
- Shun Reports
- IDS - Intrusion Detection System
- Attack Reports
- Host Attack Reports
- Display attacks from hosts reports.
- Devices Under Attack Reports
- Display report of Cisco FTD devices under attack.
- Host Attack Reports
- Shun Reports
- Shun Addition Reports
- Display all hosts added to the shun list.
- Shun Deletion Reports
- Display all hosts removed from the shun list.
- Shun Addition Reports
- Attack Reports
- Application Firewall
- Connection Status Reports
- Dropped Connections
- Display all dropped connections.
- Reset Connections
- Display all reset connections.
- Dropped Connections
- Connection Status Reports
- Transparent Firewall
- Interface Updates Reports
- Interface Updates
- Display all successful interface updates by FTD.
- Interface Updates
- Failure Reports
- Locating Failures
- Display all failures related to interface location attempts by FTD.
- Routing Failures
- Display all failures related to routing attempts by FTD.
- Locating Failures
- Interface Updates Reports
- User Authentication
- CoA Reports
- CoA Reports
- Display all user authentication logs related to CoA - Change of Authorization.
- CoA Reports
- Problematic Reports
- Critical Reports
- Display all user authentication logs with critical level severity.
- Error Reports
- Display all user authentication logs with error level severity and logs that have error messages.
- Authentication Failure Reports
- Display all user authentication logs that contain login failures or authentication failures.
- Critical Reports
- CoA Reports
- Access List
- Problematic Reports
- Critical Reports
- Display all access list logs with critical level severity.
- Alert Reports
- Display all access list logs with alert level severity.
- Error Reports
- Display all access list logs with error level severity.
- Deny Reports
- Display all access list logs that contain Deny operations and actions.
- Critical Reports
- Problematic Reports
- PKI Certification Authority
- Problematic Reports
- Critical Reports
- Display all PKI certification authority logs with critical level severity.
- Alert Reports
- Display all PKI certification authority logs with alert level severity.
- Error Reports
- Display all PKI certification authority logs with error level severity and logs that have error messages.
- Fail Reports
- Display all PKI certification authority logs that contain Fail operations.
- Critical Reports
- Problematic Reports
- VPN Client
- Problematic Reports
- Error Reports
- Display all VPN client logs with error level severity.
- Fail Reports
- Display all VPN client logs that contain Fail operations.
- Error Reports
- Problematic Reports
- VPN Failover
- VPN Unit Reports
- Primary VPN Unit Reports
- Display all VPN Failover logs related to Primary units.
- Secondary VPN Unit Reports
- Display all VPN Failover logs related to Secondary units.
- Primary VPN Unit Reports
- Problematic Reports
- Fail Reports
- Display all VPN Failover logs that contain Fail operations.
- Fail Reports
- VPN Unit Reports
- WebVPN Failover
- Operation Reports
- WebVPN Session Reports
- Display all WebVPN Failover logs related to WebVPN sessions.
- HA Event Reports
- Display all WebVPN Failover logs related to HA/High Availability events.
- Access List Reports
- Display all WebVPN Failover logs related to WebVPN specific access list operations.
- WebVPN Session Reports
- Problematic Reports
- Fail Reports
- Display all WebVPN Failover logs that contain Fail operations.
- Fail Reports
- Operation Reports
- SNMP
- Problematic Reports
- Error Reports
- Display all SNMP logs with error level severity and logs that have error codes and messages.
- Dropped Request Reports
- Display all SNMP logs related to dropped or discarded requests.
- Config Error Reports
- Display all SNMP logs related to config errors.
- Error Reports
- Problematic Reports
- Command Interface
- Problematic Reports
- Alert Reports
- Display all Command Interface logs with a severity level of Alert.
- Critical Reports
- Display all Command Interface logs with a severity level of Critical.
- Error Reports
- Display all Command Interface logs with a severity level of Error.
- Alert Reports
- Problematic Reports
- EIGRP Routing
- Problematic Reports
- Error Reports
- Display all EIGRP Routing logs with error level severity, or that contain error messages.
- Error Reports
- Problematic Reports
- FailOver
- Command Reports
- Command Related Reports
- Display all Failover logs where a command string was executed.
- Command Related Reports
- Problematic Reports
- Alert Reports
- Display all Failover logs with a severity level of Alert.
- Critical Reports
- Display all Failover logs with a severity level of Critical.
- Error Reports
- Display all Failover logs with a severity level of Error, or that contain an error message.
- Alert Reports
- Unit Mode Reports
- Primary Unit Reports
- Display all Failover logs related to Primary units.
- Secondary Unit Reports
- Display all Failover logs related to Secondary units.
- Primary Unit Reports
- Command Reports
- IKE and IPSec
- Problematic Reports
- Error Reports
- Display all IKE and IPSec logs with a severity level of Error, or that contain an error message.
- Error Reports
- Sub-classification Reports
- Crypto Reports
- Display all IKE and IPSec logs related to CRYPTO operations.
- IKE Reports
- Display all IKE and IPSec logs related to IKE operations.
- IPSec Reports
- Display all IKE and IPSec logs related to IPSEC operations.
- Mode Configuration Reports
- Display all IKE and IPSec logs related to MODE_CFG operations.
- Crypto Reports
- User Reports
- User Reports
- Display all IKE and IPSec logs that contain USER details.
- User Reports
- Problematic Reports
- IP Stack
- Problematic Reports
- Critical Reports
- Display all IP Stack logs with a severity level of Critical.
- Error Reports
- Display all IP Stack logs with a severity level of Error, or that contain an error message.
- Critical Reports
- Routing Related Reports
- Newly Added Route Reports
- Display all IP Stack logs for newly added network routes.
- Updated Route Reports
- Display all IP Stack logs for updated network routes.
- Newly Added Route Reports
- Problematic Reports
- OSPF Routing
- Problematic Reports
- Error Reports
- Display all OSPF Routing logs with error level severity, or that contain error messages.
- Error Reports
- LSA Related Reports
- Newly Added Route Reports
- Display all OSPF Routing logs related to AS-External LSA type.
- Updated Route Reports
- Display all OSPF Routing logs related to Network LSA type.
- Router LSA Reports
- Display all OSPF Routing logs related to Router LSA type.
- Invalid LSA Reports
- Display all OSPF Routing logs related to invalid LSA.
- Newly Added Route Reports
- Problematic Reports
- Password Encryption
- Operation Reports
- Password Decryption Reports
- Display all Password Encryption logs relating to password decryption.
- Password Encryption Reports
- Display all Password Encryption logs relating to password encryption.
- Password Decryption Reports
- Operation Reports
- SSL Stack
- Problematic Reports
- Error Reports
- Display all SSL Stack logs with a severity level of Error, or that contain an error message.
- Error Reports
- Peer Classification Reports
- Client Peer Type Reports
- Display all SSL Stack logs where peer role is client.
- Server Peer Type Reports
- Display all SSL Stack logs where peer role is server.
- Client Peer Type Reports
- Problematic Reports
- SSL VPN Client
- Problematic Reports
- Error Reports
- Display all SSL VPN Client logs with error level severity, or that contain error messages.
- Error Reports
- User Reports
- User Reports
- Display all SSL VPN Client logs having user related details.
- User Reports
- Problematic Reports
- VPN Load Balancing
- Message Processing Reports
- Message Processing Reports
- Display all Cisco FTD VPN Load Balancing logs that contain a sent or received message.
- Message Processing Reports
- Problematic Reports
- Error Reports
- Display all Cisco FTD VPN Load Balancing logs that contain an error message.
- Error Reports
- Message Processing Reports
- WebVPN and AnyConnect Client
- Problematic Reports
- Alert Reports
- Display all WebVPN and AnyConnect client logs with alert level severity.
- Critical Reports
- Display all WebVPN and AnyConnect client logs with critical level severity.
- Error Reports
- Display all WebVPN and AnyConnect client logs with error level severity, or that contain error messages.
- Alert Reports
- User Reports
- User Action Reports
- Display all WebVPN and AnyConnect client logs having user related details and action.
- User Reports
- Display all WebVPN and AnyConnect client logs having user related details.
- User Action Reports
- Problematic Reports
MS Win Event Log v2
- Win Application Ad-Hoc Query
- A generic Windows Application (Snare v2) Objective
- Query Windows Application logs (Snare v2) for events of interest
- A generic Windows Application (Snare v2) Objective
- WinApplication - Administrative Activity
- Application Crash
- This objective is used to monitor crashed applications.
- EMET Failures
- This objective is used to monitor error messages from Microsoft's Enhanced Mitigation Experience Toolkit.
- NetIQ Administrative Activity
- This objective is used to monitor administrative activity using the NetIQ product.
- NetIQ Group Administrative Activity
- This objective is used to monitor group administrative activity using the NetIQ product.
- NetIQ User Administrative Activity
- This objective is used to monitor user administrative activity using the NetIQ product.
- Windows File Protection
- The Windows File Protection service monitors critical system files and attempts to prevent unauthorized software from modifying or replacing these files. This objective is used to monitor WFP warning events.
- Application Crash
- WinApplication - Oracle Server
- Oracle SYSTEM Usage
- Display activity for users with SYSDBA and SYSOPER privileges.
- Oracle Password Change Audit
- Display Password Change Events for all users.
- Oracle Security Audit
- Display Potentially Dangerous SQL Events.
- Oracle Audit Events
- Display Generic Oracle Activity.
- Oracle User Session Audit
- Display all user Activity for given DBUSER.
- Oracle SYSTEM Usage
- WinEvent Ad-Hoc Query
- A generic Windows Event Log (Snare v2) Objective
- Query Windows Event logs (Snare v2) for events of interest other than WinApplication, WinSecurity and WinSystem
- A generic Windows Event Log (Snare v2) Objective
- WinSecurity Ad-Hoc Query
- A generic Windows Security (Snare v2) Objective
- Query Windows Security logs (Snare v2) for events of interest
- A generic Windows Security (Snare v2) Objective
- WinSecurity - Administrative Actions
- Account Creation and Deletion
- This objective displays Windows accounts (in specified domains) that have been recently created or deleted.
- Group Creation and Deletion
- This objective displays Windows groups that have been recently created or deleted.
- Group Modifications
- This objective shows modifications to specified sensitive Windows groups.
- Group Member Changes
- This objective shows changes to the members of sensitive Windows Groups.
- Local Account added to Administrators
- This objective displays Windows local accounts that have been added to the Local Administrators Group.
- Audit Log Cleared
- This objective checks to see if the Windows event logs were cleared. Note that the Snare agent must be configured to collect these events.
- Changes to the Audit Policy
- Although the Snare for Windows agent is able to configure the host's audit sub-system, this objective keeps an eye on events which indicate an attempt to change the underlying audit configuration.
- Privilege Escalation
- This objective displays Windows user rights changes to allow monitoring for escalation of user privileges.
- Scheduled task was created
- This objective displays when a new scheduled task has been created.
- Service was installed
- This objective displays when a service is installed on the system.
- Startup Run Tasks Alert
- This objective displays when the Run and RunOnce registry keys have been modified.
- User Modifications
- This objective shows modifications to specified sensitive Windows users.
- Account Creation and Deletion on Windows and ACF2
- This objective displays any differences between Windows and ACF2 account creation details.
- Account Creation and Deletion
- WinSecurity - User Login
- Failed User Logins
- This objective is used to monitor failed user login actions on Windows servers.
- User Interactive Logins and Logoffs
- This objective is used to monitor interactive account login and logoff events. This includes workstation locked/unlocked events and screen saver invoked/dismissed events.
- Type 3 and Type 10 Network logins
- This objective displays Windows Type 3 host to host network logins and Type 10 RDP network logins.
- User Login
- This objective is used to monitor user login actions on Windows servers.
- Failed User Logins
- WinSecurity - Windows File Objectives
- Windows File Access
- Monitor access to files and directories that are considered to be sensitive. Note that to use this objective, the Snare agents must be configured to report on file accesses.
- Windows Object Permission Changes
- Monitor permission changes to a file or directory that is considered sensitive. Note that to use this objective, the Snare agents must be configured to report on event 4670.
- Windows File Access
- WinSecurity - Process Objectives
- New Process Created
- Monitor when new processes are created.
- Windows Process Access
- Monitor access to applications that are considered to be sensitive. Note that to use this objective, the Snare agents must be configured to report on process execution.
- New Process Created
- WinSecurity - Oracle Server
- Oracle Start Stop Log
- Display Oracle startup and shutdown events.
- Oracle Start Stop Log
- WinSystem Ad-Hoc Query
- A generic Windows System (Snare v2) Objective
- Query Windows System logs (Snare v2) for events of interest
- A generic Windows System (Snare v2) Objective
- WinSystem - Administrative Actions
- Windows 2008R2 Non-Security Audit Log Cleared
- This objective checks to see if the Windows Application, System or another non-security event log was cleared. Note that the Snare agent must be configured to collect these events.
- Audit Log Corrupt
- Display Windows machines that have reported a corrupt event log during the reporting period. Corrupt event log reporting is only available in Snare for Windows version 3.0.0 and above.
- Protection Disabled
- This objective is used to monitor the disabling of virus protection mechanisms.
- Windows 2008R2 Non-Security Audit Log Cleared
Apple BSM v2
- User Privilege Escalation
- Failed access to a user account
- This objective is used to monitor failed access to a target account through the /bin/su utility.
- Failed Sudo Access
- This objective is used to monitor failed sudo activities/operations.
- Sudo Usage
- This objective is used to monitor successful sudo activities/operations.
- Access to a target account
- This objective is used to monitor access to a target account through the /bin/su utility.
- Failed access to a user account
- User Login
- Failed User Login
- This objective is used to monitor failed user login actions on Apple servers.
- User Login
- This objective is used to monitor user login actions on Apple servers.
- Failed User Login
- Process Objectives
- Executing a Process
- This objective is used to monitor access to processes or applications that are considered to be sensitive. Note that to use this objective, the Snare agents must be configured to collect process events.
- Executing a Process
- File Access
- Access to Sensitive Files
- Monitor access to files and directories that are considered to be sensitive. Note that to use this objective, the Snare agents must be configured to report on file accesses.
- Access to Sensitive Files
MS SQL Log v2
- Admin Usage
- Admin DBA User
- This objective is used to monitor Administrator/SA user operations.
- Admin DBA User
- Cardholder Data
- Search for Cardholder Data
- This objective is used to monitor cardholder data queries.
- Search for Cardholder Data
- Table Operations
- Truncate Usage
- This objective is used to monitor truncate table operations.
- Truncate Usage
MS SQL Log
- Cardholder Data
- Search for Cardholder Data
- This objective is used to monitor cardholder data queries.
- Search for Cardholder Data
Office 365 Log
- Audit Log
- Ad-Hoc Query
- A generic Office 365 Audit Log Objective
- Query all generic Office365 event logs
- A generic Office 365 Audit Log Objective
- User Related Operations
- Admin Operation Reports
- Display all Office365 events related to Admin users.
- Application Operation Reports
- Display all Office365 events related to an Application.
- Regular User Operation Reports
- Display all Office365 events related to Regular users.
- System Operation Reports
- Display all Office365 events related to a System account.
- Admin Operation Reports
- Problematic Reports
- Fail Operation Reports
- Display all Office365 events with failure results.
- Fail Operation Reports
- Successful Operations
- Successful Operation Reports
- Display all Office365 events with successful results.
- Successful Operation Reports
- Ad-Hoc Query
- Azure Active Directory
- Ad-Hoc Query
- Query all Office365 Azure Active Directory event logs
- Event classification
- Account Logon Events
- Display all Office365 Azure Active Directory - Account Logon events.
- Application Audit Event
- Display all Office365 Azure Active Directory - Application Audit events.
- Account Logon Events
- User Administration Activities
- Newly Added User Account Reports
- Display all Office365 Azure Active Directory events related to newly created user accounts.
- Deleted User Account Reports
- Display all Office365 Azure Active Directory events related to deleted user accounts.
- Updated User Account Reports
- Display all Office365 Azure Active Directory events related to updated user accounts.
- Newly Added User Account Reports
- Result based classification
- Fail Operation Reports
- Display all Office365 Azure Active Directory events with failure results.
- Successful Operation Reports
- Display all Office365 Azure Active Directory events with successful results.
- Fail Operation Reports
- Ad-Hoc Query
- Azure Active Directory Sts Logon
- Ad-Hoc Query
- Query all Office365 Azure Active Directory STS Logon event logs
- Login classification
- User Login
- Display all Office365 Azure Active Directory STS Logon events related to user login.
- Login Failures
- Display all Office365 Azure Active Directory STS Logon events related to user login failures.
- User Login
- Ad-Hoc Query
- Exchange Admin
- Ad-Hoc Query
- Query all Office365 Exchange Admin event logs
- Mailbox Configurations
- Set Mailbox OWA Policy Reports
- Display all Office365 Exchange Admin events associated with mailbox OWA policy settings.
- Set Mailbox Permission Reports
- Display all Office365 Exchange Admin events associated with mailbox permission settings.
- Set Mailbox Reports
- Display all Office365 Exchange Admin events associated with mailbox configurations.
- Set Mailbox OWA Policy Reports
- Ad-Hoc Query
- Exchange Item
- Ad-Hoc Query
- Query all Office365 Exchange Item event logs
- Mailbox Access
- Externally Accessed Mailbox Items
- Display all Office365 Exchange Items that were accessed externally, i.e. where the logon user's domain differs from the mailbox owner's domain.
- Externally Accessed Mailbox Items
- Ad-Hoc Query
- Exchange Item Aggregated
- Ad-Hoc Query
- Query all Office365 Exchange mailbox advanced auditing logs
- MailItemsAccessed Classification
- Bind events
- Display all Office365 Exchange mailbox advanced auditing logs related to message access recording.
- Sync events
- Display all Office365 Exchange mailbox advanced auditing logs related to message synchronization.
- Bind events
- Ad-Hoc Query
- Exchange Item Group
- Ad-Hoc Query
- Query all Office365 Exchange Item Group event logs
- Mailbox Actions
- Deleted Mailbox Items
- Display all Office365 Exchange Items associated with the delete operation.
- Deleted Mailbox Items
- Ad-Hoc Query
- Share Point
- Ad-Hoc Query
- Query other events in SharePoint Online and OneDrive for Business
- Web, Site and Pages Activities
- Page Activities
- Display all page activities in Office365 SharePoint Online.
- Site Activities
- Display all site activities in Office365 SharePoint Online.
- Page Activities
- Ad-Hoc Query
- Share Point File Operation
- Ad-Hoc Query
- Query all files and folder activities by users in SharePoint Online and OneDrive for Business
- Files and Folders Operations
- Accessed Files
- Display all Office365 SharePoint events related to accessed files.
- Deleted Files and Folders
- Display all Office365 SharePoint events related to deleted files and folders.
- Uploaded Files and Folders
- Display all Office365 SharePoint events related to uploaded files and folders.
- Share Point List Operation
- Ad-Hoc Query
- Query all activities related to user interaction with lists and list items in SharePoint Online
- Lists and List Items Operations
- Created Lists and List Items
- Display all Office365 SharePoint events related to created lists and list items.
- Deleted List and List Items
- Display all Office365 SharePoint events related to deleted list and list items.
- List Items Classifications
- DocumentLibrary List Items
- Display all Office365 SharePoint events related to lists and list items of the DocumentLibrary type.
- Generic List Items
- Display all Office365 SharePoint events related to lists and list items of the generic type.
AWS Log
- Cloud Trail
- Console Sign In
- Console Login
- Monitor or display all AWS console login actions.
- Failed Console Login
- Monitor or display failed AWS console login actions.
- Successful Console Login
- Monitor or display successful AWS console login actions.
- VPC Flow Log
- Action
- Accept Traffic
- Monitor or display AWS VPC flow log records whose action is ACCEPT.
- Reject Traffic
- Monitor or display AWS VPC flow log records whose action is REJECT.
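As an added example, not Snare Central code, the following splits VPC flow log records by action the way the Accept Traffic and Reject Traffic objectives do. It parses the default (version 2) space-separated record format documented by AWS; the sample lines are constructed, not from a real account. The one check a practitioner wants here is that NODATA and SKIPDATA records, which carry `-` in the action field, are kept out of both buckets rather than miscounted as rejects.

```python
"""Added example (not Snare Central code): classify AWS VPC flow log records by
action, separating ACCEPT and REJECT from records that have no action."""
from collections import Counter

# Field order of the default flow log record format (version 2).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed sample records (not from a real account). The last two are a
# NODATA and a SKIPDATA record: no traffic fields and no action.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.2.20 51234 443 6 12 3400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.2.20 40011 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.2.20 40012 3389 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.20 10.0.1.10 443 51234 6 10 5200 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - SKIPDATA",
]


def parse_flow_record(line):
    """Map one default-format record onto its field names."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def split_by_action(lines):
    """Return (accepted, rejected, unclassified).

    Only records with log_status OK carry a real action; NODATA and SKIPDATA
    records have '-' there and go to the unclassified list so that a
    'REJECT count' report is not skewed by them."""
    accepted, rejected, unclassified = [], [], []
    for line in lines:
        rec = parse_flow_record(line)
        if rec["log_status"] != "OK" or rec["action"] not in ("ACCEPT", "REJECT"):
            unclassified.append(rec)
        elif rec["action"] == "ACCEPT":
            accepted.append(rec)
        else:
            rejected.append(rec)
    return accepted, rejected, unclassified


def rejected_targets(rejected):
    """Count rejected flows per (destination address, destination port,
    IP protocol number), which is the view that surfaces port scans against
    one host."""
    return Counter((r["dstaddr"], r["dstport"], r["protocol"]) for r in rejected)


if __name__ == "__main__":
    accepted, rejected, unclassified = split_by_action(SAMPLE_LINES)
    print(len(accepted), "accepted;", len(rejected), "rejected;",
          len(unclassified), "without action")
    for target, count in rejected_targets(rejected).most_common():
        print("rejected", count, "->", target)
```

If a flow log is published with a custom format, FIELDS has to be replaced with the field list configured on that flow log; the action and log-status logic stays the same.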
- WAF
- WAF Action
- WAF Allow Web Request
- Monitor or display AWS WAF Allow web request actions.
- WAF Block Web Request
- Monitor or display AWS WAF Block web request actions.
- WAF CAPTCHA Web Request
- Monitor or display AWS WAF CAPTCHA web request actions.
- WAF Challenge Web Request
- Monitor or display AWS WAF Challenge web request actions.
- WAF Count Web Request
- Monitor or display AWS WAF Count web request actions.
Azure Log
- Signin Logs
- Ad-Hoc Query
- Query all event logs related to Azure sign-in activities.
- SignIn classification - User type
- SignIn Activities from External users
- Display all Azure sign-in activities made by external users.
- SignIn Activities from Guests
- Display all Azure sign-in activities made by guest users.
- SignIn classification - Authentication type
- SignIn Activities with MultiFactor Authentication
- Display all Azure sign-in activities that use multi-factor authentication.
- SignIn Activities with SingleFactorAuthentication
- Display all Azure sign-in activities that use single-factor authentication.
- SignIn classification - Result type
- SignIn Failures
- Display all unsuccessful Azure sign-in activities.
- Successful SignIn Activities
- Display all successful Azure sign-in activities.
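The three sign-in classifications above (user type, authentication type, result) each map to one field of the Azure AD sign-in log. The following added example, not Snare Central code, applies all three to constructed records and cross-tabulates them. The field names userType, authenticationRequirement and status.errorCode follow the Azure AD sign-in log schema; treating a sign-in as "external" when homeTenantId differs from resourceTenantId is this example's assumption about how that objective is defined, and the tenant IDs, users and error code are constructed sample data.

```python
"""Added example (not Snare Central code): classify Azure AD sign-in records
by user type, authentication type and result."""
from collections import Counter

HOME_TENANT = "11111111-1111-1111-1111-111111111111"     # constructed tenant id
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"  # constructed tenant id

# Constructed sample sign-in records, shaped like Azure AD sign-in log entries.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.com", "userType": "Member",
     "homeTenantId": HOME_TENANT, "resourceTenantId": HOME_TENANT,
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.com", "userType": "Member",
     "homeTenantId": HOME_TENANT, "resourceTenantId": HOME_TENANT,
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password"}},
    {"userPrincipalName": "guest_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest",
     "homeTenantId": PARTNER_TENANT, "resourceTenantId": HOME_TENANT,
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "svc@fabrikam.com", "userType": "Member",
     "homeTenantId": PARTNER_TENANT, "resourceTenantId": HOME_TENANT,
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
]


def classify(rec):
    """Labels for one record on the three axes, plus the 'external' flag."""
    user_type = "guest" if rec.get("userType") == "Guest" else "member"
    # Assumption of this example: a sign-in is external when the user's home
    # tenant is not the tenant that owns the resource being signed into.
    external = rec.get("homeTenantId") != rec.get("resourceTenantId")
    auth = ("mfa" if rec.get("authenticationRequirement") == "multiFactorAuthentication"
            else "single_factor")
    # errorCode 0 is a successful sign-in; anything else (or a missing status)
    # is a failure.
    result = "success" if rec.get("status", {}).get("errorCode", -1) == 0 else "failure"
    return {"user_type": user_type, "external": external, "auth": auth, "result": result}


def summarize(records):
    """Count records per (user_type, auth, result) cell."""
    return Counter((c["user_type"], c["auth"], c["result"])
                   for c in map(classify, records))


def guest_single_factor_successes(records):
    """Successful guest or external sign-ins that did not require MFA: the cell
    to review first when policy expects MFA for users from other tenants."""
    hits = []
    for rec in records:
        c = classify(rec)
        if (c["result"] == "success" and c["auth"] == "single_factor"
                and (c["user_type"] == "guest" or c["external"])):
            hits.append(rec["userPrincipalName"])
    return hits


if __name__ == "__main__":
    for cell, count in sorted(summarize(SAMPLE_SIGNINS).items()):
        print(cell, count)
    print("review:", guest_single_factor_successes(SAMPLE_SIGNINS))
```

A non-zero errorCode does not always mean a wrong password: interrupted sign-ins (for instance an MFA prompt that was never completed) are also logged as failures, so the SignIn Failures objective should be read together with the failureReason field before treating a burst of failures as an attack.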
- Audit Logs
- Ad-Hoc Query
- Query all event logs related to actions performed in the Azure portal.
- Audit Log classification - Per Category
- Application Management Operations
- Display all Azure operations related to application management.
- Authorization Related Operations
- Display all Azure operations related to authorization.
- Group Management Related Operations
- Display all Azure operations related to group management.
- Policy Related Operations
- Display all Azure operations related to policy and policy management.
- User Management Related Operations
- Display all Azure operations related to user management.
- Audit Log classification - Result type
- Successful Operations
- Display all successful operations performed in Azure Active Directory.
- Unsuccessful Operations
- Display all unsuccessful operations performed in Azure Active Directory.
- Activity
- Ad-Hoc Query
- Query all management plane logs related to Azure resources.
- Azure activity log classification - Per Category
- Administrative Related Activities
- Display all Azure resource activities related to administrative operations.
- Policy Related Activities
- Display all Azure resource activities related to policy.
- Security Related Activities
- Display all Azure resource activities related to security.
- Azure activity log classification - Severity Level
- Critical Activities
- Display all activities related to Azure resources that indicate a problem demanding the immediate attention of a system administrator.
- Error Related Activities
- Display all activities related to Azure resources that indicate a problem which does not require immediate attention.
- Warning Related Activities
- Display all activities related to Azure resources that indicate a potential problem, although not an actual error.
- Azure activity log classification - Per Resource Provider
- Network Related Activities
- Display all Azure activities related to Network resources.
- Azure activity log classification - Per Status
- Successful Activities
- Display all successful activities related to Azure resources.
- Unsuccessful Activities
- Display all unsuccessful activities related to Azure resources.
- Network Security Group Event
- Ad-Hoc Query
- Query all Azure resource logs related to Azure NSG events.
- Azure NSG event log classification - Per Direction
- Incoming Event Logs
- Display all incoming Azure NSG event logs.
- Outgoing Event Logs
- Display all outgoing Azure NSG event logs.
- Azure NSG event log classification - Per Rule type
- Event Logs for Default Rules
- Display all Azure NSG event logs generated for default rules.
- Event Logs for User-define Rules
- Display all Azure NSG event logs generated for user-defined rules.
- Network Security Group Rule Counter
- Ad-Hoc Query
- Query all Azure resource logs related to Azure NSG rule counters.
- Azure NSG rule counter log classification - Per Direction
- Incoming Rule Counter Logs
- Display all incoming Azure NSG rule counter logs.
- Outgoing Rule Counter Logs
- Display all outgoing Azure NSG rule counter logs.
- Azure NSG rule counter log classification - Per Rule type
- Rule Counter Logs for Default Rules
- Display all Azure NSG rule counter logs generated for default rules.
- Rule Counter Logs for User-define Rules
- Display all Azure NSG rule counter logs generated for user-defined rules.
- Application Gateway Access Log
- Ad-Hoc Query
- Query all Azure resource logs related to Application Gateway access.
- Access log classification - Per Request type
- Get Requests
- Display all GET requests.
- Post Requests
- Display all POST requests.
- Access log classification - Per Request result
- Successful Requests
- Display all successful requests.
- Unsuccessful Requests
- Display all unsuccessful requests.
- Application Gateway Firewall Log
- Ad-Hoc Query
- Query all Azure resource logs related to the Application Gateway firewall.
- Firewall log classification - Per Action type
- Allowed Requests
- Display all requests allowed by the WAF set on the Azure Application Gateway.
- Blocked Requests
- Display all requests blocked by the WAF set on the Azure Application Gateway.
- Matched Requests
- Display all requests that matched the WAF rules set on the Azure Application Gateway.
- Firewall log classification - Per Policy scope
- Requests Related to Global Policy
- Display all requests that were captured by the WAF rules under global policy set on the Azure Application Gateway.
- Requests Related to Listener Policy
- Display all requests that were captured by the WAF rules under listener policy set on the Azure Application Gateway.
- Firewall log classification - Per RuleSet type
- Matched Custom Rule Requests
- Display all requests that were captured by the WAF custom rules set on the Azure Application Gateway.
- Matched Pre-defined Rule Requests
- Display all requests that were captured by the WAF pre-defined rules set on the Azure Application Gateway.
- Application Gateway Performance Log
- Ad-Hoc Query
- Query all Azure resource logs related to Application Gateway performance.
- Performance log classification - Host Status counter
- Unhealthy Hosts Indicator
- Display all Application Gateway performance logs indicating the number of unhealthy hosts.
- Firewall Application Rule
- Ad-Hoc Query
- Query all Azure resource logs related to events captured by Azure Firewall application rule policies, in legacy format.
- Firewall DNS Proxy
- Ad-Hoc Query
- Query all Azure resource logs related to Azure Firewall DNS proxy events, in legacy format.
- Firewall Network Rule
- Ad-Hoc Query
- Query all Azure resource logs related to events captured by Azure Firewall network rule policies, in legacy format.
- Log classification - Per Operation name
- DNAT Rule Events
- Display all events related to DNAT rule policies, in legacy format.
- Network Rule Events
- Display all events related to network rule policies, in legacy format.
- AZFW Application Rule
- Ad-Hoc Query
- Query all Azure resource logs related to events captured by Azure Firewall application rule policies.
- AZFW Dns Query
- Ad-Hoc Query
- Query all Azure resource logs related to Azure Firewall DNS proxy events.
- AZFW Nat Rule
- Ad-Hoc Query
- Query all Azure resource logs related to events captured by Azure Firewall DNAT rule policies.
- AZFW Network Rule
- Ad-Hoc Query
- Query all Azure resource logs related to events captured by Azure Firewall network rule policies.
Oracle Cloud Log
- Audit Logs
- Single Sign-On
- Single Sign-On and password events captured by Audit logging
- Application Access Events
- Application Access events captured by Audit logging
- Multifactor Authentication
- Step up authentication and bypass code-related events captured by Audit logging
- Self-Registration
- User Self-Registration events captured by Audit logging
- Self-Service Access Request
- Access Request events captured by Audit logging
- Notifications
- Notification Delivery events captured by Audit logging
- Identity Bridge Sync
- Identity Bridge sync status events captured by Audit logging
- Forgot/Reset Password
- Password Reset events captured by Audit logging
- Reset Password Initiated by Administrator
- Password Reset initiated by Admin events captured by Audit logging
- Change Password
- Password Change events captured by Audit logging
- User CRUD Operations
- User Create, Activate, Update, and Delete events captured by Audit logging
- Group CRUD Operations
- Group Create, Update, Delete and Membership Assignment events captured by Audit logging