ENTERPRISE LOG MANAGEMENT & SIEM FORWARDING
NOW AVAILABLE: SNARE CENTRAL v8.8.0

One platform. Every log. Zero noise in your SIEM.

Snare Central collects, de-duplicates, enriches, and forwards security event data across your entire estate, from endpoints to cloud, to the SIEM of your choice. Purpose-built for enterprise security teams and MSSPs managing multi-tenant environments.

v8.8: current release, (date) 2026

3 cloud sources: O365, AWS, Oracle

100% event format support for aggregation

HA: High Availability built-in

THE CHALLENGE

Security teams are drowning. Not in threats, in data.

SIEM ingestion costs spiral as log volumes grow. Analysts waste hours on duplicate alerts. Cloud sprawl means visibility gaps. Snare Central solves all three.

01 SIEM costs out of control

Every duplicate event you forward adds to ingestion costs. Without aggregation at the collection layer, you are paying your SIEM vendor to store noise.

02 Surgical precision over your log data

Improvements to field remapping, Event Replay and multi-tenant destinations give you complete control over what leaves the platform: reduce log payloads by removing unnecessary fields, rename or extract important information with RegexExtract, or use Replay to control the flow of archived data into your security and threat analysis solution.

03 Endpoint agent sprawl

Managing thousands of Snare Agents across your estate (configurations, licences, upgrades) requires a central orchestration point, not manual remote sessions.

WHAT’S NEW IN v8.8.0

Built for the scale of enterprise security operations.

Enhanced parsers for Google SecOps

Improved parsers developed under our Google partnership ensure tight integration and utility of Snare data across the SecOps platform.

Event Replay to Microsoft Sentinel

(Integration) Replay historical events directly to your Microsoft Sentinel workspace: critical for post-incident investigation, for keeping hot-tier retention (and its cost) short, and for satisfying compliance audit requirements.

Advanced Field Remapping

(Enhancement) Apply field remapping to Syslog 5424 JSON and Generic JSON destinations. New RegexExtract function, enhanced Splunk CIM templates, and a per-Log-Type “Send / Do Not Send Unmapped Fields” toggle give you surgical control over what reaches your SIEM.
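What a remapping pass like the one above does to a single event, as an added example in Python (not Snare Central's own code or configuration syntax). The rule format is a hypothetical stand-in: a rename map, RegexExtract-style named-group extraction, an explicit drop list, and a `send_unmapped` flag that plays the role of the per-Log-Type "Send / Do Not Send Unmapped Fields" toggle. The sample event and the CIM-style field names are constructed for illustration.

```python
import re

# Added example, not Snare Central's own code. Rule keys, field names and the
# sample event are hypothetical; only the behaviour (rename, regex extract,
# drop, unmapped-field toggle) mirrors the feature described on the page.


def remap_event(event: dict, rules: dict) -> dict:
    """Return a new event shaped for the destination according to `rules`."""
    out: dict = {}
    consumed: set = set()

    # 1. RegexExtract: each named group in the pattern becomes a new field.
    for src, pattern in rules.get("regex_extract", []):
        value = event.get(src)
        if value is None:
            continue
        match = re.search(pattern, str(value))
        if match:
            out.update({k: v for k, v in match.groupdict().items() if v is not None})

    # 2. Rename: source field name -> destination (e.g. CIM) field name.
    for old, new in rules.get("rename", {}).items():
        if old in event:
            out[new] = event[old]
            consumed.add(old)

    # 3. Drop: fields that should never reach the SIEM (payload reduction).
    consumed.update(rules.get("drop", []))

    # 4. Unmapped fields are forwarded verbatim only when the toggle is on;
    #    with it off, only what the rules explicitly produced is sent.
    if rules.get("send_unmapped", True):
        for key, value in event.items():
            if key not in consumed and key not in out:
                out[key] = value
    return out


# Constructed sample: a flattened Windows Security logon event roughly as an
# endpoint agent might forward it (illustrative names, not Snare's schema).
SAMPLE_EVENT = {
    "EventID": 4624,
    "Hostname": "WS01.corp.example",
    "SourceName": "Microsoft-Windows-Security-Auditing",
    "TargetUserName": "alice",
    "IpAddress": "10.0.0.5",
    "Message": "An account was successfully logged on. Logon Type: 10 "
               "Process Name: C:\\Windows\\System32\\winlogon.exe",
    "SnareCounter": 1042,
    "Criticality": 1,
}

# Hypothetical CIM-style rule set for the Authentication data model.
CIM_RULES = {
    "rename": {"TargetUserName": "user", "IpAddress": "src", "Hostname": "dest"},
    "regex_extract": [("Message", r"Logon Type:\s*(?P<logon_type>\d+)")],
    "drop": ["SnareCounter", "Criticality"],
    "send_unmapped": True,
}


def remap_sample(send_unmapped: bool = True) -> dict:
    """Apply CIM_RULES to SAMPLE_EVENT with the unmapped-fields toggle set as given."""
    return remap_event(SAMPLE_EVENT, dict(CIM_RULES, send_unmapped=send_unmapped))


if __name__ == "__main__":
    print("send unmapped:   ", remap_sample(True))
    print("do not send:     ", remap_sample(False))
```

With the toggle on, `EventID`, `SourceName` and `Message` still travel alongside the mapped `user`, `src`, `dest` and `logon_type` fields; with it off, only those four leave the collector, which is the payload reduction the page describes. Note that the source field of a RegexExtract is not consumed automatically; list it under `drop` if the raw message should not be forwarded.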

Log Aggregation & De-duplication

Consolidates duplicate or similar events from the same source into a single enriched event within a configurable time window. Rules are defined per Log Type, Event ID, or specific field values, all without losing event fidelity. Reduces SIEM ingestion volume and cost. Supports all event formats. Configurable per destination and log type. Enriches events with aggregation metadata.
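The windowed consolidation described above, as an added example in Python (not Snare Central's own implementation). A rule selects events by log type and Event ID, a key built from chosen field values groups "similar" events from the same source, and everything in a window of N seconds collapses into one forwarded event carrying aggregation metadata. Rule keys, event field names, timestamps and the sample stream are all constructed; events are assumed to arrive in time order, as they would from a single collector queue.

```python
# Added example, not Snare Central's own code. Rule format, field names and the
# sample stream are hypothetical; timestamps are epoch seconds.

AGG_RULES = [
    {
        "name": "win-failed-logon",
        "log_type": "WinSecurity",
        "event_ids": {4625},
        # Events sharing these values within the window are "the same" event.
        "key_fields": ["Hostname", "TargetUserName", "IpAddress"],
        "window_seconds": 60,
    },
]


def _matching_rule(event, rules):
    for rule in rules:
        if event.get("LogType") == rule["log_type"] and event.get("EventID") in rule["event_ids"]:
            return rule
    return None


def _close_window(win):
    """Turn an open window into the single enriched event that is forwarded."""
    out = dict(win["first"])  # the first event's fields are kept intact
    out["aggregation"] = {    # metadata the SIEM can use for counting/timelines
        "rule": win["rule"]["name"],
        "count": win["count"],
        "first_seen": win["first"]["Timestamp"],
        "last_seen": win["last_seen"],
    }
    return out


def aggregate(events, rules=AGG_RULES):
    """Return the list of events that would be forwarded for `events`."""
    open_windows = {}  # aggregation key -> window state
    forwarded = []
    for ev in events:
        now = ev["Timestamp"]
        # Close any window whose time budget elapsed before this event arrived.
        expired = [k for k, w in open_windows.items()
                   if now - w["first"]["Timestamp"] >= w["rule"]["window_seconds"]]
        for key in expired:
            forwarded.append(_close_window(open_windows.pop(key)))

        rule = _matching_rule(ev, rules)
        if rule is None:
            forwarded.append(ev)  # no rule applies: pass through untouched
            continue
        key = (rule["name"],) + tuple(ev.get(f) for f in rule["key_fields"])
        win = open_windows.get(key)
        if win is None:
            open_windows[key] = {"rule": rule, "first": ev, "count": 1, "last_seen": now}
        else:
            win["count"] += 1
            win["last_seen"] = now
    for win in open_windows.values():  # end of stream: flush what is still open
        forwarded.append(_close_window(win))
    return forwarded


def _ev(ts, event_id, user="alice", ip="10.0.0.5"):
    return {"Timestamp": ts, "LogType": "WinSecurity", "EventID": event_id,
            "Hostname": "WS01", "TargetUserName": user, "IpAddress": ip}


# Constructed stream: a burst of failed logons, one success, a second burst
# after the window has expired, and a single failure for a different user.
SAMPLE_STREAM = (
    [_ev(t, 4625) for t in (0, 10, 20, 30, 40)]
    + [_ev(45, 4624)]
    + [_ev(70, 4625), _ev(80, 4625)]
    + [_ev(85, 4625, user="bob")]
)


if __name__ == "__main__":
    for out in aggregate(SAMPLE_STREAM):
        print(out.get("EventID"), out.get("TargetUserName"), out.get("aggregation"))
```

Nine input events become four forwarded ones: the success passes through immediately, the first burst of five and the later burst of two each become one event with `count`, `first_seen` and `last_seen`, and bob's lone failure is forwarded with `count` 1. The design choice worth noticing is that an aggregated event is emitted only when its window closes, so it can leave the collector after a later pass-through event; detection rules that care about ordering should key on `first_seen`, not arrival time.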

Centralised Certificate Management

(Security) A new Manage Certificates page in the Reflector UI allows upload, view, and deletion of TLS certificates. mTLS destination configuration now references pre-uploaded certificates. Strict certificate chain validation is now configurable.

Multi-Tenant Destinations

(MSSP · Core) Create multiple destinations with identical connection details to serve different cloud tenancies or endpoints. Destination statistics persist across renames and configuration changes. Destination names now support spaces and special characters.

Configurable Health & Alert Tuning

(Operations) A new Agent Event Volumes Sensitivity setting (1σ–3σ) lets SOC teams tune event-surge alert thresholds to match their environment’s baseline, dramatically reducing alert fatigue without compromising detection coverage.
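The arithmetic behind a sigma-based surge threshold, as an added example in Python (not Snare Central's own health checker). A per-agent baseline of event counts gives a mean and standard deviation; the sensitivity setting picks how many standard deviations above the mean a new interval must land before it is called a surge. The baseline counts and function names are constructed.

```python
import statistics

# Added example, not Snare Central's own code. BASELINE is a constructed series
# of per-interval event counts for one agent (24 intervals); the 1..3 range
# mirrors the page's 1σ–3σ sensitivity setting.
BASELINE = [1000] * 20 + [1100, 900, 1100, 900]


def surge_threshold(baseline, sigma):
    """Event count above which an interval counts as a surge at `sigma` sensitivity."""
    if not 1 <= sigma <= 3:
        raise ValueError("sensitivity must be between 1 and 3 standard deviations")
    mean = statistics.fmean(baseline)
    std = statistics.pstdev(baseline)
    # Edge case: a perfectly flat baseline has std 0, so any increase would
    # fire at every sensitivity. Callers should widen the baseline window
    # rather than trust a zero-width band.
    return mean + sigma * std


def is_surge(current, baseline, sigma):
    return current > surge_threshold(baseline, sigma)


def fired_sensitivities(current, baseline):
    """Which sensitivity settings (1σ, 2σ, 3σ) would raise an alert for `current`."""
    return [s for s in (1, 2, 3) if is_surge(current, baseline, s)]


if __name__ == "__main__":
    for s in (1, 2, 3):
        print(f"{s}σ threshold: {surge_threshold(BASELINE, s):.1f} events")
    print("1100 events fires at:", fired_sensitivities(BASELINE and 1100, BASELINE))
```

For this baseline the mean is 1000 and the standard deviation about 40.8, so the thresholds sit near 1041, 1082 and 1122 events. An interval of 1100 events alerts at 1σ and 2σ but not at 3σ, which is exactly the trade-off the setting exposes: a noisy estate with a wide baseline gets a correspondingly wider quiet band, so raising the sensitivity number reduces alerts without changing what counts as the baseline.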

FOR MSSPs

Manage hundreds of tenants. From a single pane.


Multi-tenancy without complexity

Create multiple destinations for the same SIEM endpoint, one per client tenancy. Per-destination statistics persist independently, even when connection details change.

Remote agent lifecycle management

Snare Agent Manager (SAM v2.2.1) provides centralised configuration, licence management, remote upgrade, and network-scan-based agent discovery across all managed endpoints, no console access required.

Executive-ready reporting

The Executive Dashboard surfaces events-per-second and bytes-per-second telemetry per destination for simplified monitoring. Consolidated scheduled reports now include email body content.

SSO with live group sync

Snare Central fetches the latest SSO provider groups on every administrator login, so access control reflects your IdP in real time. This matters most for MSSPs managing staff turnover across clients: a group removal in the directory takes effect at the next login rather than waiting for a scheduled sync.

INTEGRATIONS

Connect to the destinations your SOC already uses.

Snare Central forwards enriched events to the leading SIEM and analytics platforms, with native field mapping and authentication support.

Microsoft Sentinel (SIEM · Cloud) Native forwarding with field remapping and full Event Replay support for historical investigation and detection rule testing.

Splunk (HEC + CIM) (SIEM · On-prem / Cloud) HTTP Event Collector with enhanced Splunk CIM field mapping for Windows events and configurable unmapped-fields handling.

Google SecOps (SIEM · Cloud) Enhanced parsers for Google SecOps and the Unified Data Model (UDM) ensure Snare data is tightly integrated into the platform.

Securonix, Taegis, QRadar and more (SIEM) Built-in parsers and tight integration let Snare deliver to one or more of these destinations, ensuring data arrives in the correct format, triggers the right detections and drives the right outcomes.

Microsoft Office 365 (Cloud Log Source) Collect audit, activity, and security logs from your Microsoft 365 tenants directly into Snare Central for normalisation and forwarding.

Amazon Web Services (Cloud Log Source) Ingest CloudTrail, GuardDuty, VPC Flow Logs, and other AWS log sources via the Cloud Logs Collection module.

Oracle Cloud Infrastructure (Cloud Log Source) Collect and normalise Oracle Cloud audit and service logs alongside your existing cloud and on-premises sources in a single pipeline.

Syslog RFC 5424 / Generic JSON (Syslog · Generic) Forward to any syslog-compatible destination or generic JSON endpoint. Field remapping is fully supported for both formats in v8.8.0.

Snare Agent (Windows, Linux, macOS) (Endpoint · Agent) Managed remotely via SAM v2.2.1. Remote config, licence management, upgrade, and network-scan-based discovery. Supports agents v5.4.0+.

SSO / SAML Providers (Identity) Configurable SSO provider integration with live group sync on each administrator login, ensuring permissions always reflect your IdP state.

SECURITY & COMPLIANCE

Hardened for regulated environments.

Snare Central ships with security controls that matter to CISOs operating in regulated industries, from certificate chain validation to system package patching.

mTLS & Certificate Chain Validation Full mutual TLS support for all outbound SIEM connections. Strict Certificate Checking validates the entire chain, not just the leaf certificate.

System Package Patching v8.8.0 updates system packages to mitigate known vulnerabilities and applies kernel changes requiring a post-upgrade reboot, in line with Ubuntu security advisories.

Hardened User Management Improved input validation for local user creation. SSO group membership is refreshed live on login to prevent privilege drift after directory changes.

File Integrity & Health Monitoring Health Checker’s File Integrity report now correctly filters out files that change during normal operation, surfacing only genuine integrity violations.

GET STARTED

See Snare Central in your environment.

Talk to a solutions engineer about your log management architecture, SIEM costs, and how Snare Central can reduce both.

FAQs

What is Snare Central and what problem does it solve?
Snare Central is an enterprise log management and security event forwarding platform. It sits between your log sources (endpoints, cloud services and network infrastructure) and your SIEM. Its core job is to collect logs at scale, normalise and enrich them, reduce volume through aggregation, de-duplication and filtering, and forward high-fidelity data to destinations such as Microsoft Sentinel, Splunk, Securonix and Google SecOps. The result is dramatically lower SIEM ingestion costs, a higher signal-to-noise ratio for analysts, and full visibility across hybrid environments.

How does Snare Central reduce SIEM ingestion costs?
The Log Aggregation and De-duplication feature (introduced in v8.8.0) consolidates duplicate or similar events from the same source into a single enriched event within a configurable time window. Aggregation rules are defined per destination based on Log Type, Event ID, or specific field values. The original event detail is preserved in aggregation metadata, so nothing is lost, only the volume forwarded to your SIEM is reduced.

Is Snare Central suitable for MSSPs managing multiple clients?
Yes. Snare Central v8.8.0 explicitly supports multi-tenancy destinations for MSSPs. You can create multiple destinations with the same connection details to serve separate client tenancies. Each destination maintains independent statistics that persist even when names or connection details change. Snare Agent Manager provides centralised remote management of endpoint agents across all tenants, and the Executive Dashboard provides per-destination telemetry suitable for client-facing reporting.

What cloud log sources does Snare Central collect from?
Snare Central’s Cloud Logs Collection module supports Microsoft Office 365, Amazon Web Services (AWS), and Oracle Cloud Infrastructure. Cloud logs are collected, normalised, and fed into the same enrichment, aggregation, and forwarding pipeline as endpoint and network logs.

Does Snare Central Support High Availability deployments?
Yes. Snare Central includes a High Availability configuration module. v8.8.0 adds IP uniqueness validation in the HA configuration to prevent accidental misconfiguration. HA deployments are recommended for enterprise environments where log collection continuity is a compliance requirement.

What SIEM platforms does Snare Central integrate with?
Snare Central forwards to Microsoft Sentinel (with full Event Replay support), Splunk via HEC (with enhanced Splunk CIM field mapping for Windows events), Securonix, Elasticsearch (bundled for analytics and threat intelligence), QRadar (on-premises), Secureworks Taegis, Google SecOps and any Syslog RFC 5424 or Generic JSON destination. Field remapping is supported for all destination formats as of v8.8.0.
