The Snare Agents collect all application, system and custom event logs by default, and only filter out some specific classes of Security events that are noisy and generally provide no forensic value. These logs can include a lot of good forensic intelligence related to system activity. Snare Central has several “out of the box” reports that facilitate reporting on suspicious activities.
Reports\Operating Systems\Administrative Activity\Windows\Audit Log Cleared – Searches for event 1102 on modern systems, and 517 and 104 on older OS versions. Clearing the audit log is a tactic often used by someone malicious trying to mask their tracks.
Reports\Operating Systems\Administrative Activity\Windows\Accounts Added or Removed – Searches for events 4720 and 4726, accounts being added or removed. Creating an account is often the step taken after an exploit has been run, to gain direct access to the system as a normal privileged user.
Reports\Operating Systems\Administrative Activity\Windows\Audit Policy Changes – Searches for event 4719, system audit policy changes, which could be part of an attempt to weaken the system's policies.
Reports\Operating Systems\Administrative Activity\Windows\Group Changes – Searches for many Windows group events related to making changes to group permissions and settings.
Reports\Operating Systems\Administrative Activity\Windows\Group Member Changes – Searches for many Windows group events related to members being added to or removed from groups.
Reports\Operating Systems\Administrative Activity\Windows\Groups Added or Removed – Searches for many Windows group events related to new groups being added or removed.
Reports\Operating Systems\Administrative Activity\Windows\User Account Changes – Searches for many Windows user-based events related to account permissions being changed or accounts being added to new groups.
Reports\Operating Systems\Windows Incidents covers further incident detection reporting areas, including Administrative Activity, File and Resource Access, Process Monitoring, Sysmon Activity and Windows DNS, which can help with IOC detection.
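As an added illustration of what the first three reports above do (not Snare's own code), the script below maps the event IDs the page names to their report categories and runs that matching over a few constructed sample records; the `host|event id|account` record layout is made up for the example and is not Snare's native log format.

```python
"""Event-ID matching in the style of the Snare Central reports described above,
run over constructed sample records. Added example, not Snare's own code."""
from collections import defaultdict

# Event IDs named in the report descriptions on this page.
REPORT_EVENT_IDS = {
    "Audit Log Cleared": {1102, 517, 104},      # 1102 modern, 517/104 older OS
    "Accounts Added or Removed": {4720, 4726},
    "Audit Policy Changes": {4719},
}
EVENT_TO_REPORT = {eid: name for name, ids in REPORT_EVENT_IDS.items() for eid in ids}

# Constructed sample records: "<host>|<event id>|<account>" (not real Snare output).
SAMPLE_LOG = """\
srv01|4624|alice
srv01|1102|alice
legacy02|517|svc_backup
srv03|4720|admin
srv03|4719|admin
srv03|4726|admin
srv03|4688|admin
"""

def parse_records(text):
    """Parse the constructed format into (host, event_id, account) tuples,
    skipping blank or malformed lines instead of failing on them."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 3 or not parts[1].isdigit():
            continue
        records.append((parts[0], int(parts[1]), parts[2]))
    return records

def match_reports(records):
    """Group records under the report whose event-ID set contains their ID.
    Returns {report_name: [(host, event_id, account), ...]}; unmatched IDs are dropped."""
    hits = defaultdict(list)
    for host, eid, account in records:
        report = EVENT_TO_REPORT.get(eid)
        if report is not None:
            hits[report].append((host, eid, account))
    return dict(hits)

def hosts_by_report(records):
    """Which hosts tripped each report, e.g. to spot a host whose audit log was cleared."""
    return {name: sorted({h for h, _, _ in recs})
            for name, recs in match_reports(records).items()}
```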