Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we shall get it updated.
Product | Samurai [Local] Collector | Samurai [Cloud] Collector |
Microsoft Windows (Snare Enterprise) | |
Use this document to install and configure Snare Enterprise for Windows - Standard Monitoring to send logs to NTT using the Samurai XDR Local Collector deployed on your network.
To complete this Integration you will need to:
1) Ensure the correct Network Access Requirements are configured
2) Install the Snare Enterprise Agent
Network Access Requirements
Snare Enterprise for Windows – Standard Monitoring requires access to the Samurai XDR Local Collector on port 514/TCP. In addition, the Snare Enterprise for Windows agent requires access to port 6262/TCP to connect to the Snare Agent Manager (SAM).
The 6262/TCP connection is initiated by both the Snare Agent Manager (SAM) and the agent itself, so the firewall must allow traffic on this port in both directions.
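The following PowerShell script is an added example (it is not part of the Snare or NTT documentation) that checks both paths described above from the Windows host before the agent is installed: outbound 514/TCP to the Local Collector, outbound 6262/TCP to the SAM, and the presence of an enabled inbound Windows Firewall allow rule for 6262/TCP, since the SAM also initiates connections on that port. The collector and SAM addresses are placeholders to replace with your own.

```powershell
# Added example, not part of the Snare or NTT documentation.
# Verifies the network access requirements for this integration from the
# Windows host. Host/IP values are placeholders; pass your own as parameters.
param(
    [string]$CollectorHost = '192.0.2.10',        # placeholder: Samurai XDR Local Collector IP
    [string]$SamHost       = 'sam.example.local', # placeholder: Snare Agent Manager IP or FQDN
    [int]$CollectorPort    = 514,                 # syslog destination port from this guide
    [int]$SamPort          = 6262                 # SAM licensing port from this guide
)

$targets = @(
    @{ Name = 'Samurai XDR Local Collector (syslog)'; Host = $CollectorHost; Port = $CollectorPort },
    @{ Name = 'Snare Agent Manager (licensing)';      Host = $SamHost;       Port = $SamPort }
)

$failures = 0

# Outbound checks: a plain TCP connect to each destination.
foreach ($t in $targets) {
    $result = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    if ($result.TcpTestSucceeded) {
        Write-Host ("[OK]   {0}: {1}:{2} reachable" -f $t.Name, $t.Host, $t.Port)
    } else {
        Write-Host ("[FAIL] {0}: {1}:{2} not reachable (check routing and firewall)" -f $t.Name, $t.Host, $t.Port)
        $failures++
    }
}

# Inbound side of 6262/TCP: find enabled inbound Allow rules whose port filter
# covers the SAM port (or all ports), because the SAM connects to the agent too.
$inboundRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains "$SamPort" -or $_.LocalPort -contains 'Any') } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }

if ($inboundRules) {
    Write-Host "[OK]   Enabled inbound Allow rule(s) covering ${SamPort}/TCP:"
    $inboundRules | Select-Object DisplayName, Profile | Format-Table -AutoSize
} else {
    Write-Host "[WARN] No enabled inbound Allow rule covering ${SamPort}/TCP found in Windows Firewall"
    $failures++
}

# Non-zero exit code makes the script usable from deployment tooling.
exit $failures
```

Run it from an elevated PowerShell prompt on the host that will receive the agent; a rule that allows "Any" local port is reported as covering 6262/TCP, so review the listed rules rather than treating the [OK] as proof of a port-specific rule. Network firewalls between the host and the collector or SAM are not visible to this script and still need to be checked separately.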
Install the Snare Enterprise Agent
1. Launch the Snare Enterprise for Windows agent installation file. The setup wizard will guide you through the installation process.
2. Click Next until you reach the Snare Auditing dialog box.
3. Click No and then click Next.
Figure 1 – Setup – Snare > Snare Auditing dialog box
4. For Service Account, click Use System Account.
Figure 2 – Setup – Snare > Service Account dialog box
While the Local System Account is recommended, a local or Active Directory account may be used to run the Snare service. When using an Active Directory account, use the following syntax: user@domain.local.
The account will require the following permissions:
- Ability to run Snare as a service
- Read the Event Log
- Initiate outgoing network connections
- Bind to a port for utilising the web-based GUI
- Provide the account with Admin privileges
5. Click Next
6. In the Web User Interface dialog box, perform the following steps:
- Select Enable Web Access.
- Click Yes – Please enter a password.
- Specify a secure Password that will be used to log into the Snare configuration system after the installation is complete.
- Select Local access only?
Figure 3 – Setup – Snare > Web User Interface dialog box
7. Click Next to accept the default installation path.
8. Click Next to accept the default Start Menu folder.
9. Click Install.
You have successfully installed the Snare Enterprise for Windows agent.
Configure Snare
After installing Snare Enterprise on your Windows device, use these instructions to configure Snare to communicate with the Samurai XDR Local Collector.
Network Configuration
Use this information for network configuration.
1. Click Start > All Programs > Intersect Alliance > Snare for Windows.
> The Windows Security window appears.
2. Enter snare as the Username.
3. Specify the Password that was created during the installation process.
4. Click OK.
> The Snare for Windows – Status Page appears.
5. Click Destination Configuration from the list of options on the left of the page.
6. Under Network Destinations, perform the following steps:
- Specify the IP address of the Samurai XDR Local Collector deployed on your network in the Domain/IP field
- Enter 514 as the Port.
- From the Protocol list, click TCP.
- From the Format list, click SNARE.
- From the Delimiter Character list, click Comma [ , ].
- Click Update Destination.
Objectives Configuration
Use this information to configure new objectives.
1. On the left menu, click Objectives Configuration.
> The Snare Filtering Objective Configuration page appears.
2. Delete all the default objectives.
3. To add a new objective, click Add at the bottom of the page.
4. Perform the following steps:
Figure 4 – Configuring the first objective
- From the Identify the high level event list, click Any event(s).
- Select Exclude from the Event ID Search Term list and enter 538,562,4634,4656,4658,5145,5156.
- For Identify the event types to be captured, select the options based on the operating system:
  - For Windows Vista, 2008, and 2012: Select Success Audit, Failure Audit, Information, Warning, Error, and Critical.
  - For all other operating systems: Select all the options in the list.
- For Identify the event logs, select the options based on the device function:
  - For non-Domain Controllers: Select Security.
  - For Domain Controllers: Select Security, Directory Service, DNS Server, DFS Replication, and Legacy FRS.
  - For Windows Event Collection: Select Security, Directory Service, DNS Server, DFS-Replication, Legacy FRS, and Windows Forwarded Events.
- For Select the Alert Level, click Critical.
A criticality level may be assigned so that the Snare user can tie audit events to their most pressing business security objectives and quickly identify the level of importance via the colored buttons. The Latest Events page will highlight the event in the color assigned to your objective.
Figure 5 – Selecting the alert level for the first objective
- Click Change Configuration.
5. Click Add to add the second objective.
6. Perform the following steps to configure the second objective:
- From the Identify the high level event list, click Any event(s).
- Select Include from the Event ID Search Term list and verify that an asterisk (*) appears in the field.
- For Identify the event types to be captured, select the options based on the operating system:
  - For Windows Vista, 2008, and 2012: Select Success Audit, Failure Audit, Information, Warning, Error, and Critical.
  - For all other operating systems: Select all the options in the list.
- For Identify the event logs, select the options based on the device function:
  - For non-Domain Controllers: Select Security.
  - For Domain Controllers: Select Security, Directory Service, DNS Server, DFS Replication, and Legacy FRS.
  - For Windows Event Collection: Select Security, Directory Service, DNS Server, DFS-Replication, Legacy FRS, and Windows Forwarded Events.
Figure 6 – Configuring the second objective
- For Select the Alert Level, click Information.
Figure 7 – Selecting the alert level for the second objective
- Click Change Configuration.
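The two objectives above treat the event IDs 538, 562, 4634, 4656, 4658, 5145 and 5156 differently from everything else, and those IDs are typically the highest-volume entries in a Security log. The PowerShell script below is an added example (not part of the Snare or NTT documentation) that samples the local Security log and reports how much of its recent volume falls into that exclusion list and which IDs dominate overall, which helps when sizing the expected syslog volume to the collector and when judging whether the list fits this host. The time window and event cap are assumptions you can adjust.

```powershell
# Added example, not part of the Snare or NTT documentation.
# Profiles the local Security log against the exclusion list used by the
# first objective in this guide. Run from an elevated prompt (reading the
# Security log requires it). -Hours and -MaxEvents are assumed defaults.
param(
    [int]$Hours = 1,
    [int]$MaxEvents = 50000
)

# Event IDs the first objective excludes (copied from this guide).
$excludedIds = @(538, 562, 4634, 4656, 4658, 5145, 5156)
$since = (Get-Date).AddHours(-$Hours)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Security events found in the last $Hours hour(s)"
    exit 0
}

$total         = @($events).Count
$excludedCount = @($events | Where-Object { $excludedIds -contains $_.Id }).Count
$byId          = $events | Group-Object -Property Id | Sort-Object Count -Descending

Write-Host ("Security events in last {0}h (capped at {1}): {2}" -f $Hours, $MaxEvents, $total)
Write-Host ("In objective-1 exclusion list: {0} ({1:P1} of sampled volume)" -f $excludedCount, ($excludedCount / $total))
Write-Host ""
Write-Host "Top event IDs  (E = in exclusion list, - = not in list)"
Write-Host "   EventID    Count"

$byId | Select-Object -First 15 | ForEach-Object {
    $flag = if ($excludedIds -contains [int]$_.Name) { 'E' } else { '-' }
    Write-Host ("{0} {1,8} {2,8}" -f $flag, $_.Name, $_.Count)
}
```

Large shares for 4656, 4658 or 5156 usually mean object-access or Windows Filtering Platform auditing is switched on broadly; the figures from this script let you decide whether to keep those IDs in the exclusion list or to narrow the audit policy itself before turning the agent on.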
Configure Heartbeat
Use this information to configure and collect Heartbeat messages.
1. In Snare Enterprise Agent for Windows, click HeartBeat and Agent Log on the left navigation pane.
> The Snare HeartBeat and Agent Log Configuration page appears.
2. From the Agent Heartbeat Frequency list, click 15 minutes.
3. Click Change Configuration.
4. On the left pane, click Apply the Latest Audit Configuration.
Snare Agent Manager Configuration
Use these instructions to configure SAM.
1. On the left pane, click Access Configuration.
> The Access Configuration page appears.
2. Perform the following steps:
- Specify the IP address or FQDN of the Snare Agent Manager used for licensing in the Snare Agent Manager IP field.
- Specify 6262 in the Snare Agent Manager Port field, if using the default port.
3. To save these settings, click Change Configuration.
4. On the left pane, click Apply Configurations & Restart Service.
Auditing Configuration
NTT recommended audit requirements for Windows Operating System (OS) Audit Logging are shown in the table below:
Policy | Security Setting |
Audit Account Logon Events | Success, Failure |
Audit Account Management | Success |
Audit Directory Service Access | Success, Failure |
Audit Logon Events | Success, Failure |
Audit Object Access | Success, Failure |
Audit Policy Change | Failure |
Audit Privilege Use | Success, Failure |
Audit Process Tracking | Failure |
Audit System Events | Failure |
Table 1 – Auditing Configuration
These settings can be found under Local Security Policy > Local Policies > Audit Policy.
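Where these settings must be applied to many hosts, or verified after the fact, auditpol.exe is the scriptable equivalent of the Local Security Policy console. The PowerShell script below is an added example (not part of the Snare or NTT documentation) that applies Table 1 and then reads the effective settings back. The mapping from the legacy Audit Policy names to auditpol category names is mine, not the guide's; the Success/Failure values are taken from Table 1.

```powershell
# Added example, not part of the Snare or NTT documentation.
# Applies the Table 1 audit settings with auditpol.exe and reads them back.
# Run from an elevated prompt. Use -WhatIf to print the commands without
# changing anything. Legacy-name-to-auditpol-category mapping is my own.
[CmdletBinding(SupportsShouldProcess)]
param()

# Legacy Audit Policy name -> auditpol category, with Table 1's settings.
$policy = @(
    @{ Legacy = 'Audit Account Logon Events';     Category = 'Account Logon';      Success = $true;  Failure = $true  },
    @{ Legacy = 'Audit Account Management';       Category = 'Account Management'; Success = $true;  Failure = $false },
    @{ Legacy = 'Audit Directory Service Access'; Category = 'DS Access';          Success = $true;  Failure = $true  },
    @{ Legacy = 'Audit Logon Events';             Category = 'Logon/Logoff';       Success = $true;  Failure = $true  },
    @{ Legacy = 'Audit Object Access';            Category = 'Object Access';      Success = $true;  Failure = $true  },
    @{ Legacy = 'Audit Policy Change';            Category = 'Policy Change';      Success = $false; Failure = $true  },
    @{ Legacy = 'Audit Privilege Use';            Category = 'Privilege Use';      Success = $true;  Failure = $true  },
    @{ Legacy = 'Audit Process Tracking';         Category = 'Detailed Tracking';  Success = $false; Failure = $true  },
    @{ Legacy = 'Audit System Events';            Category = 'System';             Success = $false; Failure = $true  }
)

function ConvertTo-AuditFlag([bool]$On) {
    if ($On) { 'enable' } else { 'disable' }
}

# Apply: one auditpol /set per category (sets every subcategory in it).
foreach ($p in $policy) {
    $apArgs = @(
        '/set',
        "/category:$($p.Category)",
        "/success:$(ConvertTo-AuditFlag $p.Success)",
        "/failure:$(ConvertTo-AuditFlag $p.Failure)"
    )
    if ($PSCmdlet.ShouldProcess($p.Legacy, "auditpol.exe $($apArgs -join ' ')")) {
        & auditpol.exe @apArgs | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "auditpol failed for '$($p.Category)' (exit code $LASTEXITCODE)"
        }
    }
}

# Verify: read back the effective setting of every subcategory, as CSV (/r).
$effective = foreach ($p in $policy) {
    & auditpol.exe /get /category:"$($p.Category)" /r |
        ConvertFrom-Csv |
        Select-Object @{ n = 'Policy'; e = { $p.Legacy } }, 'Subcategory', 'Inclusion Setting'
}
$effective | Format-Table -AutoSize
```

Two caveats apply when checking the read-back output against Table 1. On a domain member, Group Policy reapplies its own audit settings and will overwrite local changes, so the settings belong in the relevant GPO rather than in a local script. And if advanced audit policy (per-subcategory settings) is in force on the host, those subcategory settings take precedence over the legacy category settings shown in the Local Security Policy console; the auditpol read-back above reports what is actually in effect per subcategory, which is the value that matters for what Snare can collect.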
If your organization requires a compliance certification (for example, PCI and HIPAA), you should discuss the different monitoring service offerings with your designated compliance assessor (for example, QSA) to ensure ongoing compliance.
For integrations that utilize a Local Collector where we ingest syslog only, you do not need to follow specific steps in the Samurai XDR Application as we auto detect the vendor and product. The only reason you need to use the Samurai XDR Application is if you need to determine the Local Collector IP address. Of course you will still need to ensure the integration is functioning! See Integrations for more information on checking status.