Appendix G - Capturing FAM / RAM Events

Owned by Svetlana Sheptiy
Last updated: Apr 19, 2023
2 min read

FAM and RAM functionality is available starting from Snare Agent for Windows v5.6.0


There needs to be performed following three steps, before Snare can capture the FAM / RAM events.

1. Enable FAM / RAM Events in Windows Security Policy

This step is done automatically in Snare Agents v5.7.1 or newer, assuming the following setting in General Configuration is checked: 

Open the Windows Security Policy (from Contrrol Panel / Administrative Tools on local machine or via GPO on Domain Control) and enable the following settings:

This setting will enable audting for all the system objects including the File system and Registry. This can flood the security log. Unless required, it is strongly recommended only turn on the auditing for the File system and Registry in "Advanced Audit Policy Configurations":


2. Enable Auditing on File / Folder / Registry

It is recommended to enable the following setting in "General Confguration" of the Snare Agent and then Snare can take care of enabling the auditing on File / Folder / Registry.


This setting can also be enabled manually by the user. In case, if user want to enable it manually then enable via following steps:

  • Rick click the File / Folder => Properties
  • Security tab => Advanced
  • Auditing tab => Add
  • Select auditing settings as per requirement

For registry: 

  • Right click => Permissions
  • Advanced 
  • Auditing tab => Add
  • Select auditing settings as per requirement


3. Create FAM / RAM Audit Policy

This can be done via creating FAM / RAM audit policy in Snare. See the details on "Audit Policy Configuration" page in documentation


Sequence of these three steps is not important. But Snare will not capture the FAM / RAM events untill all three steps are performed.