Release Notes for Snare Central v8.7.0
Snare Central v8.7.0 was released on 26th August 2025.
Snare Central incorporates Reflector v3.3.0, Snare Agent Manager (SAM) v2.1.2, and Snare Enterprise Agent for Linux v5.9.1.
If the threat intelligence component is active, version 6.8.7 of ElasticSearch is activated.
The following licensed components are available:
- Snare Management Center (SMC)
- Snare Management Center Client (SMC)
- Agent Management Console (AMC)
- Snare Advanced Analytics (SAA)
- Cloud Logs Collection:
  - Office 365 Logs Collection
  - Amazon Web Services Log Collection
  - Oracle Cloud Log Collection
After upgrading to Snare Central v8.7.0, please reboot the server to apply kernel changes, as advised by Ubuntu.
Overview
Snare Central version 8.7.0 introduces new Snare Reflector capabilities, including Logs Replay, log delivery to Microsoft Sentinel and Splunk HEC HTTP destinations with customizable Field Remapping, parsing of NetFlow logs and Telemetry logs, and a new and improved Reflector UI (User Interface). Snare Central v8.7.0 also offers integration with Microsoft Entra ID, active collection of OCI VCN Flow logs, 35 new reports and a number of other enhancements and bug fixes.
Please refer also to the Release Notes for Snare Agent Manager (SAM) v2.1.0, v2.1.1 and v2.1.2 included in this release.
Compatibility Note
Snare Agent Manager (SAM) v2.1.2 included in this version of Snare Central is compatible with the following versions of Snare Agent.
| SAM v2 Feature | Supported Snare Agent Versions |
|---|---|
| Agent Configuration Management | 5.8.0 or newer |
| Agent License Management | 5.5.0 or newer |
| Remote Agent Upgrade | 5.5.0 or newer |
| Agents Discovery using Network Scan | 5.4.0 or newer |
If you are using these SAM features, please upgrade the Snare Agents to the latest version BEFORE upgrading Snare Central.
Features and Enhancements
- Logs Replay capability allows selected logs from the Snare Archive to be resent to any destination.
This capability is useful for sending archived logs to external analysis tools, in cases of cyber attacks, recovery after an outage, or data migration.
Users can create and run Replay Tasks, using either existing or custom destination definitions, and defining a SnareQL query that selects the data to be sent.
All Reflector destination features, including filters, search-replace filters, and field remapping for Splunk HEC, are applicable to a Replay destination.
Note: replay to Microsoft Sentinel or Elastic destinations is not yet available in this release.
Two new Reflector settings were introduced:
- [setting name missing] - turned OFF by default for upgrades, turned ON by default for fresh installations. Enabling this setting stores the original raw copy of the event in the Snare Archive (as the SNAREORIGINALEVENT field), which is essential for the ability to replay the event in the future.
- Enable Event Replay - turned OFF by default. It can be turned on when the user needs to configure and run a Replay Task. Replay runs as a separate service and can be turned off when not in use.
Please see the User Guide Configure Replay on how to configure and run Log Replay tasks.
The [setting name missing] setting comes with a tradeoff:
In order to replay the events, they must be stored together with a copy of the original event, which requires this setting to be ON at the time of collection.
Turning this setting ON will increase disk storage utilization; however, users can still expect to achieve up to ~90% disk storage savings through compression. Actual savings may vary depending on the log sources and the ingested data format.
- For users who may need to use Replay of events from the Snare Archive to external destinations in the future, we recommend turning this setting ON. Note: Replay will not be possible for events collected while this setting is OFF.
- For users who do not intend to use Replay of events from the Snare Archive to external destinations, we recommend turning this setting OFF to save storage space.
- New Reflector output formats:
  - Splunk HEC - format for batched delivery of logs to a Splunk HTTP Event Collector (Splunk HEC) destination.
Please refer to the User Guide Sending Logs to Splunk HEC page on how to configure a Splunk HEC destination.
Field remapping templates are available for Windows audit events collected by Snare Central in SNARE or SNARE V2 format (MSWinEventLog and MSWinEventLog2 Log Types).
  - Microsoft Sentinel - format for batched delivery of logs to a Microsoft Sentinel destination over HTTPS.
Please refer to the User Guide Sending Logs to Microsoft Sentinel page on how to configure a Microsoft Sentinel destination.
Field remapping templates are available for Windows audit events collected by Snare Central in SNARE or SNARE V2 format (MSWinEventLog and MSWinEventLog2 Log Types), for seamless delivery to the Azure native WindowsEvent table.
  - Securonix Syslog - format based on Syslog RFC 3164, capable of removing the duplicated hostname field that may appear in some events. Recommended for use when sending to a Securonix destination.
- Ability to configure Field Remapping rules for Microsoft Sentinel and Splunk HEC destinations.
A new Fields Remapping page was added in Reflector that allows defining event content transformations to match the format expected by the destination.
Users can either create a customized mapping using the provided functions, or use one of the available templates, such as:
- Microsoft Sentinel Security Event Remapping Template
- Microsoft Sentinel Syslog Remapping Template
- Microsoft Sentinel Windows Event Remapping Template
- Splunk HEC Windows Event Remapping Template
Please refer to the User Guide Fields Remapping page on how to create a field remapping, and how to use it in the Destination definition.
- New mutual TLS (mTLS) protocol was added to the Destination Configuration in the Reflector, including the ability to upload the mTLS certificate and its chain of trust. This can be used for forwarding Snare Agent logs to Devo Syslog ELB.
Please refer to the User Guide Sending Logs to Devo Syslog ELB page on how to configure an mTLS destination.
- New and improved Reflector User Interface:
  - New Reflector menu item was added in Snare Central, replacing System > Administrative Tools > Configure Collector/Reflector.
  - New Configure Destination page offers a new way of defining filters, using System, LogType and text or regular expression selectors.
Please refer to the User Guide Configure Destination page for details.
  - Settings, About and Help pages were revamped. For details, please refer to the User Guide Reflector Settings page.
- Ability to ingest and parse NetFlow v5 Logs. These logs can be found in Snare Archive as NetflowV5Log log type.
- Ability to ingest and parse CPU, Disk, Memory and Network Telemetry logs generated by Snare Agents for Windows and Linux, and received in either SNARE or SNARE v2 formats.
These logs can be found in Snare Archive as the TelemetryLog log type.
There are 34 new reports available for Windows and Linux Telemetry logs.
Log collection from Cloud Providers
- Snare Central now allows active collection of VCN Flow logs from Oracle Cloud Infrastructure (Licensed Feature).
This capability requires the Oracle Cloud Log Collection (IA_CLOUD_ORACLE) or Cloud Logs Collection (IA_CLOUD) license features.
Snare Central can be configured to collect audit logs from the Oracle Cloud Infrastructure IAM.
For instructions on how to configure log collection from Oracle Cloud Infrastructure, please refer to the User Guide Oracle VCN Flow - Cloud Log Collection Configuration page.
Oracle Cloud logs will be classified in Snare Central as the OracleVCNFlowLog log type.
There is 1 new report available for Oracle VCN Flow logs.
- Updated the SYSTEM value for all Office365AuditLogs to be based on the endpoint URL tied to a Subscription Plan (i.e. MANAGE.OFFICE.COM for the Enterprise plan, per this Microsoft document: Office 365 Management Activity API reference > Activity API operations), rather than on a ClientIP, which can flood the system with a massive number of unique SYSTEM values.
A new setting, Subscription plan, was added to the configuration of the Microsoft 365 collector, set by default to "Enterprise".
- Integration with Microsoft Entra ID: Single Sign-on (SSO) and Multi-Factor Authentication (MFA) are now available in Snare Central for customers using Microsoft Entra ID (formerly known as Azure Active Directory, Azure AD). This can be enabled by the Administrator via Configuration Wizard > Identity and Access Management Setup.
When enabled, users will be able to log in to Snare Central with their MS Entra ID account.
The local Administrator account can log in directly to manage the integration settings.
Please refer to the User Guide Appendix G - Creating a SSO and MFA OpenID Connect Integration with Microsoft Entra ID page for details.
- Event Search: implemented lazy loading for the Systems dropdown, improving UI responsiveness for customers with a very large number of systems sending logs.
- Administrative Tools > Antivirus Administration page was redesigned and has a new look-and-feel
- Added an option to "Disable sending reports on email body" under "Enable email distribution of report?" section in the "Set Objective Schedule" dialog.
- Improved customized configuration handling on upgrade: during the upgrade, Snare Central overwrites apache, snmp, ssh, samba and ufw configuration files with the defaults necessary for correct functioning of the system. Snare Central will now keep a copy of the pre-upgrade config files with a .preupdate extension, and will present a message in the Health Checker to review and manually merge the files if needed.
Note: any manual modifications to the above files are done at the user's discretion and are not covered by Snare product support.
- Removed the SSL option from the Email Setup section in the Configuration Wizard, as it is no longer supported
- Irrelevant and unused header action buttons were disabled
- The button on 404 Not Found page has been renamed to "Go To Home Page" for users who don't have access to Executive dashboard, and to "Go To Executive Dashboard" for users with access
- Added space between the Logout icon and the scroll bar to avoid mis-clicking
- Removed "Changes log:" in Remote Management Status Check section in Health Checker, as it is not implemented
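As an added example that is not part of Snare Central or of these notes, the following POSIX shell script automates the review step from the upgrade item above: it finds every `<file>.preupdate` copy under a root directory and reports which live config files now differ from their pre-upgrade copy, so the files the Health Checker flags can be diffed before merging by hand. The function names, the sample tree and its contents are assumptions constructed for the example; on a real system the root would be /etc.

```shell
#!/bin/sh
# Added example, not Snare's own tooling: after an upgrade, Snare Central keeps
# a copy of each overwritten config file (apache, snmp, ssh, samba, ufw) as
# <file>.preupdate. This script pairs each backup with its live file and tells
# the admin which ones need a manual merge. The root is a parameter so the
# check can be exercised on a constructed sample tree instead of /etc.

# Print one line per backup: "CHANGED <live>", "SAME <live>" or "MISSING <live>".
preupdate_report() {
    find "$1" -type f -name '*.preupdate' | sort | while read -r backup; do
        live="${backup%.preupdate}"
        if [ ! -f "$live" ]; then
            echo "MISSING $live"            # upgrade removed the file entirely
        elif cmp -s "$backup" "$live"; then
            echo "SAME $live"               # nothing to merge
        else
            echo "CHANGED $live"            # defaults replaced local edits
        fi
    done
}

# Number of files whose live config no longer matches the pre-upgrade copy.
preupdate_changed_count() {
    preupdate_report "$1" | grep -c '^CHANGED ' || true   # grep exits 1 on zero matches
}

# Unified diff (pre-upgrade copy vs. live file) for every changed file.
preupdate_show_diffs() {
    preupdate_report "$1" | awk '$1 == "CHANGED" { print $2 }' | while read -r live; do
        diff -u "$live.preupdate" "$live" || true   # diff exits 1 when files differ
    done
}

# Constructed sample tree standing in for /etc after an upgrade: the sshd
# listening port had been customised before the upgrade, the ufw config had not.
make_sample_tree() {
    mkdir -p "$1/ssh" "$1/ufw"
    printf 'PermitRootLogin no\nPort 2222\n' > "$1/ssh/sshd_config.preupdate"
    printf 'PermitRootLogin no\nPort 22\n'   > "$1/ssh/sshd_config"
    printf 'ENABLED=yes\n' > "$1/ufw/ufw.conf.preupdate"
    printf 'ENABLED=yes\n' > "$1/ufw/ufw.conf"
}
```

Running `preupdate_show_diffs /etc` after the upgrade prints, for each changed file, the lines the defaults replaced, which is what has to be re-applied by hand if it was intentional.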
Security
- System packages were updated to mitigate security vulnerabilities.
After upgrading to Snare Central v8.7.0, please reboot the server to apply kernel changes, as advised by Ubuntu.
- Added Maximum Session Time setting under Config Wizard > Security Setup to enforce active session expiry after the configured time. By default, active session logout is not enabled.
If configured to a value between 60 and 2880 minutes (48 hours), the user will be logged out and asked to log in again after the configured time, even if the session is active. Note: Inactivity logout functionality remains unchanged.
- Restricted UI navigation to Administrators-only pages; they are now accessible to Administrators only. In the previous release, such pages could be reachable by non-admin users, even though their functionality was restricted.
- Fixed an XSS (cross-site scripting) injection in the "Display the Snare Log File" objective
- Fixed mechanism of passing session cookies to some Snare Agent Manager functions called from Snare Central
Bug Fixes
- Optimized real-time queries file management, preventing the system from crashing and halting collection
- Added cleanup for SnareIndex partition when there is no space left for index creation, preventing the system from crashing and halting
- Optimized timing during 'snare stop' to ensure SAM completes dumping of data in datastore.dat before being terminated
- Fixed incorrect categorization of Snare Enterprise Agent 5.10 for Windows in AMC and fixed the broken GUI link issue
- Fixed a problem with the per-user auto logout function not resetting the timer correctly and logging out an active user
- The "Remove" button on the Data Management Tools > Autoremove Data > Remove Now page is now enabled if the user selects a non-default value for at least one field (Date, System, Log Types). Previously both System and Log Type selections were required
- Fixed an issue where reports may produce duplicated rows
- Fixed the issue where the Status in the Dashboard and SC Heart icon could be in a different state than the Health Check page, if Anti-Virus check was already marked as ignored
- Fixed Events Search to correctly display SNAREORIGINALEVENT field with no garbage characters
- Fixed an issue where the reported status of a destination gets stuck on "Disconnected" even if it isn't
- Prevented Backup and Restore from getting stuck in specific situations
- Fixed the bug wherein the Refresh button was not working on several SC pages for SuperUsers, PowerUsers and Default users
- Fixed possible database corruption on upgrade
- Improved clean-up of the old kernels remnant files in /boot
- Fixed Elastic HTTP destination not draining events on disk cache when priority is set
- Fixed the lack of log rotation for SnareMonitor.log, which could grow without limit
- Fixed styling issues caused by usage of Backup and Restore Scheduling component, that could affect Event Search and Login pages
User Guides
Offline version of the User Guide related to this release
Installation Guide for Snare Central