Skip to main content

Microsoft Windows (Snare Enterprise)

  • Updated

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we shall get it updated.

Product

Samurai [Local] Collector 

Samurai [Cloud] Collector
Microsoft Windows (Snare Enterprise)

Picture1.svg

  
 

 

Use this document to install and configure Snare Enterprise for Windows - Standard Monitoring to send logs to NTT using the Samurai XDR Local Collector deployed on your network.

 

To complete this Integration you will need to:

1) Ensure the correct Network Access Requirements are configured

2) Install the Snare Enterprise Agent

3) Configure Snare

 

 

Network Access Requirements

Snare Enterprise for Windows – Standard Monitoring requires access to the Samurai XDR Local Collector on ports 514/TCP. In addition, the Snare Enterprise for Windows agent requires access to port 6262/TCP to connect to the Snare agent.

 

mceclip0.png The port 6262/TCP connection is initiated by both the Snare Agent Manager (SAM) and the agent itself. This means that the firewall ports will need to be open for traffic going both ways from this port.

 

 

Install the Snare Enterprise Agent

1. Launch the Snare Enterprise for Windows agent installation file. The setup wizard will guide through the installation process.

2. Click Next until you reach the Snare Auditing dialog box.

3. Click No and then click Next.

 

snare_audit.jpg

Figure 1 – Setup – Snare > Snare Auditing dialog box

 

4. For Service Account, click Use System Account.

 

snare_setup.jpg

Figure 2 – Setup – Snare > Service Account dialog box

 

mceclip0.png While the Local System Account is recommended, a local or Active Directory account may be used to run the Snare service. When using an Active Directory account, use the following syntax: user@domain.local.

 

The account will require the following permissions:

  • Ability to run Snare as a service
  • Read the Event Log
  • Initiate outgoing network connections
  • Bind to a port for utilising the web-based GUI
  • Provide the account with Admin privileges

 

5. Click Next

6. In the Web User Interface dialog box, perform the following steps:

  • Select Enable Web Access.
  • Click Yes – Please enter a password.
  • Specify a secure Password that will be used to log into the Snare configuration system after the installation is complete.
  • Select Local access only?

snare_webuserinterface.jpg

Figure 3 – Setup – Snare > Web User Interface dialog box

 

7. Click Next to accept the default installation path.

8. Click Next to accept the default Start Menu folder.

9. Click Install.

You have successfully installed the Snare Enterprise for Windows agent.

 

 

Configure Snare

After installing Snare Enterprise on your Windows device, use these instructions to configure Snare to communicate with the Samurai XDR Local Collector.

 

Network Configuration

Use this information for network configuration.

1. Click Start > All Programs > Intersect Alliance > Snare for Windows

> The Windows Security window appears.

2. Enter snare as the Username.

3. Specify the Password that was created during the installation process.

4. Click OK.

> The Snare for Windows – Status Page appears.

5. Click Destination Configuration from the list of options on the left of the page.

6. Under Network Destinations, perform the following steps:

  • Specify the IP address of the Samurai XDR Local Collector deployed on your network in the Domain/IP field
  • Enter 514 as the Port.
  • From the Protocol list, click TCP.
  • From the Format list, click SNARE.
  • From the Delimiter Character list, click Comma [ , ].
  • Click Update Destination.
  •  

Objectives Configuration

Use this information to configure new objectives.

1. On the left menu, click Objectives Configuration.

> The Snare Filtering Objective Configuration page appears.

2. Delete all the default objectives.

3. To add a new objective, click Add at the bottom of the page.

4. Perform the following steps:

 

snare_firstobjectives.jpg

Figure 4 – Configuring the first objective

 

  • From the Identify the high level event list, click Any event(s).
  • Select Exclude from the Event ID Search Team list and enter 538,562,4634,4656,4658,5145,5156.
  • For Identify the event types to be captured, select the options based on the operating system.
    • For Windows Vista, 2008, and 2012: Select Success Audit, Failure Audit, Information, Warning, Error, and Critical.
    • For all other operating systems: Select all the options in the list.
  • For Identify the event logs, select the options based on the device function.
    • For non-Domain Controllers: Select Security.
    • For Domain Controllers: Select Security, Directory Service, DNS Server, DFS Replication, and Legacy FRS.
    • For Windows Event Collection: Select Security, Directory Service, DNS Server, DFS-Replication, Legacy FRS, and Windows Forwarded Events.
  • For Select the Alert Level, click Critical.

mceclip0.png A criticality level may be assigned to enable the Snare user to designate audit events to their most pressing business security objectives, and to quickly identify the level of importance via the colored buttons. The Latest Events page will highlight the event in the selected color assigned to your objective.

 

snare_alertlevel.jpg

Figure 5 – Selecting the alert level for the first objective

  • Click Change Configuration.

5. Click Add to add the second objective.

6. Perform the following steps to configure the second objective:

  • From the Identify the high level event list, click Any event(s).
  • Select Include from the Event ID Search Team list and verify an asterisk (*) appears in the field.
  • For Identify the event types to be captured, select the options based on the operating system.
    • For Windows Vista, 2008, and 2012: Select Success Audit, Failure Audit, Information, Warning, Error, and Critical.
    • For all other operating systems: Select all the options in the list.
  • For Identify the event logs, select the options based on the device function.
    • For non-Domain Controllers: Select Security.
    • For Domain Controllers: Select Security, Directory Service, DNS Server, DFS Replication, and Legacy FRS.
    • For Windows Event Collection: Select Security, Directory Service, DNS Server, DFS-Replication, Legacy FRS, and Windows Forwarded Events.

 

snare_secondobjectives.jpg

Figure 6 – Configuring the second objective

 

  • For Select the Alert Level, click Information.

 

snare_alertlevel_secondobjective.jpg

Figure 7 – Selecting the alert level for the second objective

 

  • Click Change Configuration.

 

Configure Heartbeat

Use this information to configure and collect Heartbeat messages.

1. In Snare Enterprise Agent for Windows, click HeartBeat and Agent Log on the left navigation pane.

> The Snare HeartBeat and Agent Log Configuration page appears.

2. From the Agent Heartbeat Frequency list, click 15 minutes.

3. Click Change Configuration.

4. On the left pane, click Apply the Latest Audit Configuration.

 

Snare Agent Manager Configuration

Use these instructions to configure SAM.

1. On the left pane, click Access Configuration.

> The Access Configuration page appears.

2. Perform the following steps:

3. Specify the IP address or FQDN of the Snare Agent Manager for licensing in the Snare Agent Manager IP

4. Specify 6262 in the Snare Agent Manager Port field, if using the default port.

5. To save these settings, click Change Configuration.

6. On the left pane, click the Apply Configurations & Restart Service.

 

Auditing Configuration

NTT recommended audit requirements for Windows Operating System (OS) Audit Logging are shown in the table below:

Policy Security Setting

Audit Account Logon Events

Success, Failure
Audit Account Management

Success

Audit Directory Service Access

Success, Failure

Audit Logon Events

Success, Failure

Audit Object Access

Success, Failure

Audit Policy Change

Failure

Audit Privilege Use

Success, Failure

Audit Process Tracking

Failure

Audit System Events

Failure

Table 1 – Auditing Configuration

 

These settings can be found under Local Security Policy > Local Policies > Audit Policy.

 

mceclip0.png If your organization requires a compliance certification (for example, PCI and HIPAA), you should discuss the different monitoring service offerings with your designated compliance assessor (for example, QSA) to ensure ongoing compliance.

 

For integrations that utilize a Local Collector where we ingest syslog only, you do not need to follow specific steps in the Samurai XDR Application as we auto detect the vendor and product. The only reason you need to use the Samurai XDR Application is if you need to determine the Local Collector IP address. Of course you will still need to ensure the integration is functioning!  See Integrations for more information on checking status.

Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles

Comments

0 comments

Article is closed for comments.