LevelBlue HIDS

Applies to Product: USM Appliance™ LevelBlue OSSIM®

The LevelBlue HIDS included in the USM Appliance provides the following features:

  • Log monitoring and collection
  • Rootkit detection
  • File integrity monitoring
  • Windows registry integrity monitoring
  • Active response that can run applications on a server in response to certain triggers, such as specific alerts or alert levels

LevelBlue HIDS uses a server/agent architecture: the HIDS agent resides on each host you want to monitor, and the HIDS server resides on the USM Appliance Sensor. The USM Appliance Sensor receives events from the HIDS agents, normalizes them, and sends them to the USM Appliance Server for analysis, correlation, and storage. LevelBlue HIDS also has limited support for agentless operation on Linux, for log retrieval only.

You need to deploy the HIDS agents to the client systems. The HIDS agent runs as a continuous in-memory service and communicates with the USM Appliance Sensor over UDP port 1514. The USM Appliance Sensor generates and distributes a pre-shared key to each HIDS agent, which then uses that key to authenticate its communication with the USM Appliance Sensor.
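The following is an added illustration of the agent-to-Sensor exchange described above; it is not LevelBlue, USM Appliance or OSSIM code, and it does not reproduce the real HIDS wire protocol. It models only the property the page states: the Sensor issues a pre-shared key, the agent uses it to authenticate each event datagram, and the Sensor drops anything it cannot authenticate before normalizing the event. The key derivation, message format, sequence-number replay check and the agent names are assumptions made for the example.

```python
"""Simplified model of a pre-shared-key authenticated HIDS agent -> Sensor exchange.

Added example, not LevelBlue/OSSIM code. Message format, key derivation and the
replay check are constructed for illustration; only the port number (UDP 1514)
and the pre-shared-key idea come from the page.
"""
import hashlib
import hmac
import json

SENSOR_UDP_PORT = 1514  # port the HIDS agent uses to reach the Sensor (from the page)


def sensor_issue_key(agent_id: str, sensor_secret: bytes = b"constructed-sensor-secret") -> bytes:
    """Hypothetical per-agent key derivation; the real Sensor's key generation differs."""
    return hmac.new(sensor_secret, agent_id.encode(), hashlib.sha256).digest()


def agent_build_datagram(agent_id: str, key: bytes, event: dict, seq: int) -> bytes:
    """Agent side: serialise the event and append an HMAC computed with the pre-shared key."""
    body = json.dumps({"agent": agent_id, "seq": seq, "event": event}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()  # would be sent to SENSOR_UDP_PORT over UDP


def normalize(msg: dict) -> dict:
    """Sensor side: reduce an accepted agent message to a normalized event record."""
    ev = msg.get("event", {})
    return {"src_agent": msg["agent"], "category": ev.get("type"), "detail": ev.get("msg")}


class Sensor:
    """Minimal Sensor model: knows each enrolled agent's key and keeps accepted events."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.last_seq: dict[str, int] = {}
        self.normalized: list[dict] = []

    def register(self, agent_id: str) -> bytes:
        """Enrol an agent and hand it the pre-shared key the Sensor generated for it."""
        key = sensor_issue_key(agent_id)
        self.keys[agent_id] = key
        return key

    def receive(self, datagram: bytes) -> str:
        """Authenticate one datagram; returns 'accepted' or a 'drop:<reason>' string."""
        try:
            body, tag = datagram.rsplit(b"\n", 1)
            msg = json.loads(body)
        except ValueError:  # covers JSONDecodeError and a missing separator
            return "drop:malformed"
        if not isinstance(msg, dict):
            return "drop:malformed"
        key = self.keys.get(msg.get("agent"))
        if key is None:
            return "drop:unknown-agent"  # no key was ever issued for this agent id
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag.decode(errors="replace")):
            return "drop:bad-key"  # datagram was not produced with the Sensor-issued key
        seq = msg.get("seq", -1)
        if not isinstance(seq, int) or seq <= self.last_seq.get(msg["agent"], -1):
            return "drop:replay"  # assumption: a monotonic counter rejects replayed datagrams
        self.last_seq[msg["agent"]] = seq
        self.normalized.append(normalize(msg))
        return "accepted"


def run_demo() -> tuple[list[str], list[dict]]:
    """Constructed exchange: two good events, a forged key, a replay and an unknown agent."""
    sensor = Sensor()
    key = sensor.register("web01")  # constructed agent name
    results = []
    good1 = agent_build_datagram("web01", key, {"type": "syscheck", "msg": "/etc/passwd modified"}, 1)
    results.append(sensor.receive(good1))
    good2 = agent_build_datagram("web01", key, {"type": "rootcheck", "msg": "hidden process"}, 2)
    results.append(sensor.receive(good2))
    forged = agent_build_datagram("web01", b"not-the-issued-key", {"type": "syscheck", "msg": "x"}, 3)
    results.append(sensor.receive(forged))
    results.append(sensor.receive(good1))  # same datagram delivered a second time
    rogue = agent_build_datagram("unknown-host", key, {"type": "syscheck", "msg": "x"}, 1)
    results.append(sensor.receive(rogue))
    return results, sensor.normalized


if __name__ == "__main__":
    for verdict, _ in zip(*run_demo()):
        print(verdict)
```

The point to take from the model is operational rather than cryptographic: only datagrams carrying a valid Sensor-issued key reach normalization, so an agent whose key was never distributed (or was re-keyed on the Sensor) silently produces "drop" results on the Sensor side, which is the first place to look when a host's HIDS events stop arriving.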

AlienVault HIDS diagram

While HIDS agents are ideal for collecting Windows Security and System event logs, it is more effective to use NXLog to collect Application logs on Windows. LevelBlue provides NXLog plugins for Microsoft IIS, Microsoft DHCP Server, Microsoft Exchange Server, and Microsoft SQL Server. For a complete list, see NXLog Plugins.

AlienVault OSSIM Limitations: The HIDS decoders in both LevelBlue OSSIM and the USM Appliance are fully featured, and all of their content comes from the Plugin Feed Updates that USM Appliance and LevelBlue OSSIM provide. However, LevelBlue OSSIM lacks the depth of NIDS information that the Threat Intelligence Updates provide to USM Appliance.