Working with LevelBlue HIDS Rules

Applies to Product: USM Appliance™ LevelBlue OSSIM®

LevelBlue HIDS is built on the open source project OSSEC and extends it with additional rules for detecting security-relevant events on monitored hosts. The table below lists the LevelBlue-specific rule files that USM Appliance provides out of the box, whether each is enabled by default, which rule file(s) it depends on, and the Windows Event IDs it matches where applicable.

LevelBlue HIDS Rules

| Rule File Name | Rules Purpose | Enabled by Default | Rule File Dependency | Windows Event ID Matched |
| --- | --- | --- | --- | --- |
| alienvault-apache_rules.xml | Rules for Apache HTTP Server | No | apache_rules.xml | N/A |
| alienvault-directory-service_rules.xml | Detect changes of directory service objects in Active Directory on Windows | Yes | msauth_rules.xml | 5136, 5137, 5138, 5139, 5141 |
| alienvault-domain_rules.xml | Detect changes in the Domain Admins group on Windows | Yes | msauth_rules.xml | Group SIDs S-1-5-21-<domain>-512, -518 and -519 (Domain Admins, Schema Admins, Enterprise Admins) |
| alienvault-linux-USB_rules.xml | Detect new USB devices on Linux | No | None | N/A |
| alienvault-linux-pam_rules.xml | Detect SSHD authentication on Linux | No | None | N/A |
| alienvault-mssql_rules.xml | Rules for Microsoft SQL Server | No | msauth_rules.xml | 14151, 18265, 33205 |
| alienvault-network-login-failure_rules.xml | Detect failed logon attempts on Windows | No | msauth_rules.xml | 4625 |
| alienvault-sam-express_rules.xml | Rules for SAM (SafeNet Authentication Manager) Express | No | msauth_rules.xml | N/A |
| alienvault-web-access_rules.xml | Rules to supplement the default web access rules | No | web_rules.xml | N/A |
| alienvault-windows-ADFS-servers_rules.xml | Rules for Active Directory Federation Services on Windows | No | msauth_rules.xml | 1102 |
| alienvault-windows-DHCP_rules.xml | Detect DHCP lease actions on Windows | No | ms_dhcp_rules.xml | DHCP server events 10, 11, 12, 13, 16, 17, 18, 20, 21, 23, 30, 32 |
| alienvault-windows-FIM_rules.xml | Detect file changes on Windows | Yes | msauth_rules.xml | 4659 |
| alienvault-windows-USB_rules.xml | Detect new USB devices on Windows | Yes | ossec_rules.xml | N/A |
| alienvault-windows-access_rules.xml | Detect Object Access issues on Windows | No | msauth_rules.xml | 4656, 4662, 4673, 4674 |
| alienvault-windows-account-security_rules.xml | Detect account activities on Windows | No | msauth_rules.xml | 4720, 4722, 4725, 4726, 4738, 4781 |
| alienvault-windows-applocker_rules.xml | Detect AppLocker activities on Windows | No | msauth_rules.xml | 8002, 8003, 8004, 8005, 8006, 8007 |
| alienvault-windows-capacity_rules.xml | Detect capacity issues on Windows | No | msauth_rules.xml | 2013 |
| alienvault-windows-defender_rules.xml | Rules for Windows Defender | No | msauth_rules.xml, ms-se_rules.xml | 1000, 1001, 1116, 1117, 5007 |
| alienvault-windows-filtering_rules.xml | Rules for Windows Filtering Platform (WFP) | No | msauth_rules.xml | 5152 |
| alienvault-windows-group-changes_rules.xml | Detect security group changes in Active Directory on Windows | No | msauth_rules.xml | 4735, 4737, 4755 |
| alienvault-windows-logon-logoff_rules.xml | Detect machine logon/logoff attempts on Windows | Yes | msauth_rules.xml | N/A |
| alienvault-windows-password-change-rules.xml | Detect password change attempts on Windows | No | msauth_rules.xml | 4723, 4724 |
| alienvault-windows-powershell_rules.xml | Rules for Windows PowerShell commands | No | msauth_rules.xml | 800 |
| alienvault-windows-process_rules.xml | Detect new processes on Windows | No | msauth_rules.xml | 4688, 4689 |
| alienvault-windows-service-control-manager_rules.xml | Rules for Service Control Manager (Windows) | No | msauth_rules.xml | 7036, 7045 |
| alienvault-windows-shutdown_rules.xml | Detect power-off attempts on Windows | No | msauth_rules.xml | 1074 |
| alienvault-windows-workstation-logon-logoff_rules.xml | Detect user logon/logoff attempts on Windows | Yes | msauth_rules.xml | 528, 540, 672, 673 (legacy IDs); 4624, 4672, 4768, 4769, 4771 |
| local_rules.xml | Holds user-defined HIDS rules. It ships with one sample rule. | Yes | None by default | N/A |

LevelBlue delivers new HIDS rules and fixes to existing rules through the bi-weekly Threat Intelligence Updates. For the current list of rule files enabled by default, go to Environment > Detection > HIDS > Config > Rules. USM Appliance displays the enabled rule files on the left and the disabled ones on the right.

Enable/Disable HIDS rules in USM Appliance web UI

You can enable more rules based on your business needs. See Enabling / Disabling LevelBlue HIDS Rules.

Additionally, you can edit existing rules or create your own so that they work better in your environment. See Editing / Creating Custom Rules for LevelBlue HIDS.

Enabling / Disabling LevelBlue HIDS Rules

Before deciding whether to enable or disable a LevelBlue HIDS rule, understand what the rule does. USM Appliance lets you view the entire rule file from the web UI.

Note: LevelBlue HIDS rules are read-only. You cannot change them.

To view a HIDS rule file

  1. Go to Environment > Detection > HIDS > Edit Rules.

    Viewing a HIDS rule file in USM Appliance web UI

  2. Select the rule file from the drop-down list.
  3. Click the plus (+) sign to expand a node, or click a node to display its details in the right column.
  4. Alternatively, click the Rule Editor tab to see the rule file in XML format.

    Viewing HIDS rules in XML format

Some rule files build on rules defined in other files: a child rule only fires after its parent rule has matched the event, so the parent's file must be loaded too. Therefore, before you enable a rule file, make sure that every file it depends on (as shown in the Rule File Dependency column in the LevelBlue HIDS Rules table) is already enabled. For example, alienvault-windows-defender_rules.xml depends on both msauth_rules.xml and ms-se_rules.xml. msauth_rules.xml is enabled by default but ms-se_rules.xml is not, so you must enable ms-se_rules.xml first and then alienvault-windows-defender_rules.xml.

To enable or disable a LevelBlue HIDS rule

  1. Go to Environment > Detection > HIDS > Config > Rules.
  2. To locate a rule file, type its name in the search box.

    The list narrows as you type, until USM Appliance finds the match.

  3. To enable a rule file, either drag it from the right column to the left column or click the plus (+) sign next to it.
  4. To disable a rule file, locate it in the left column. Either drag it to the right column or click the minus (-) sign next to it.
  5. Click Save.
  6. You must restart the HIDS Service for the changes to take effect:

    • On the same page, click the HIDS Control tab, and then click Restart on the resulting page.

Editing / Creating Custom Rules for LevelBlue HIDS

You cannot change any of the LevelBlue HIDS rules, but you can create your own rules to detect events specific to your environment. LevelBlue recommends that you put your rules in the local_rules.xml file, which is enabled by default and loaded last, so it can build on or override rules in the other files without being overridden itself. You can add or remove rules in local_rules.xml from the web UI.

To create or modify a custom HIDS rule

  1. Go to Environment > Detection > HIDS > Edit Rules.
  2. Select local_rules.xml from the drop-down list.
  3. Click group name="local,syslog," to display the details in the right column.

    A sample rule with id 150000 displays.

    Cloning a rule in the local_rules.xml file

  4. Click the clone rule icon (Clone HIDS rule icon) to clone the sample rule.

    Another rule with rule id 150000 displays.

  5. Click Save.

    Note: You must save the cloned rule before you can edit it.

  6. Click the edit rule icon (Edit HIDS rule icon) next to the newly created rule.

    The details of the rule display.

  7. Change the id so that it is unique.

    Important: A valid custom rule ID for LevelBlue HIDS is between 190,000 and 199,999. LevelBlue reserves other ranges for its internal usage.

  8. Change the other attributes as needed. Use the add icon (Add HIDS rule/attribute icon) to add an attribute or a node. Use the delete icon (Delete HIDS rule/attribute icon) to remove an attribute or a node.

    In the example below, we have changed the rule id to 150001 and srcip to 2.2.2.2. We have updated the description as well.

    Editing HIDS rule attributes

  9. If you need to add an attribute for any of the nodes, click the show icon (Show HIDS attributes icon) to display the attributes for that node.
  10. Alternatively, if you prefer to use the XML format, click the Rule Editor tab and enter your rule directly.

    Edit rule attributes in XML

  11. Click Save after you have made all the changes.
  12. You must restart the HIDS Service for the changes to take effect:

    • On the same page, click the HIDS Control tab, and then click Restart on the resulting page.

The procedure above adds a new rule to the existing group. To add a new group instead, use the Rule Editor and enter the XML directly. For example:

Adding a new group in local_rules using Rules Editor

Important: Do not add a group without a rule in it. LevelBlue HIDS will not restart with an empty group in local_rules.xml.
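The three constraints this page states can be checked before you restart the HIDS service: a child rule's parent (referenced through `<if_sid>` or `<if_matched_sid>`) must live in a rule file that is also enabled (the Rule File Dependency column), custom rule IDs in local_rules.xml must fall within 190,000 to 199,999, and local_rules.xml must not contain an empty group. The checker below is an added example and is not LevelBlue or OSSEC code. The rule files it parses are constructed, heavily abridged stand-ins for msauth_rules.xml, ms-se_rules.xml, alienvault-windows-defender_rules.xml and local_rules.xml; their rule IDs are illustrative and are not the IDs used in the shipped files. It assumes the files follow the OSSEC rule format (one or more top-level `<group>` elements holding `<rule>` elements), which is how OSSEC-derived rule files are laid out.

```python
"""Pre-restart sanity checks for a USM Appliance (OSSEC) HIDS rule set.

Added example, not LevelBlue or OSSEC code. The rule files below are constructed
stand-ins with illustrative rule IDs, not the IDs used in the shipped files.
"""
import xml.etree.ElementTree as ET

CUSTOM_ID_RANGE = range(190000, 200000)  # 190000-199999 inclusive, per the Important note above

RULE_FILES = {
    "msauth_rules.xml": """
<group name="windows,">
  <rule id="18100" level="0">
    <decoded_as>windows</decoded_as>
    <description>Group of Windows rules.</description>
  </rule>
</group>""",
    "ms-se_rules.xml": """
<group name="windows,">
  <rule id="18200" level="0">
    <if_sid>18100</if_sid>
    <description>Microsoft Security Essentials / Defender events.</description>
  </rule>
</group>""",
    "alienvault-windows-defender_rules.xml": """
<group name="windows,defender,">
  <rule id="18210" level="7">
    <if_sid>18200</if_sid>
    <id>^1116$</id>
    <description>Windows Defender reported a detection (event 1116).</description>
  </rule>
</group>""",
    "local_rules.xml": """
<group name="local,syslog,">
  <rule id="190001" level="10">
    <if_sid>18210</if_sid>
    <description>Custom: escalate Defender detections.</description>
  </rule>
</group>""",
}

# Deliberately bad local_rules.xml: one ID just past the allowed range and one empty group.
BAD_LOCAL_RULES = """
<group name="local,syslog,">
  <rule id="200000" level="3">
    <description>One past the custom range.</description>
  </rule>
</group>
<group name="local,empty,">
</group>"""


def parse_rules(xml_text):
    """Return (rule_ids, parent_refs, groups) for one rule file body.

    rule_ids    - rule IDs in file order (duplicates preserved)
    parent_refs - {rule_id: set of parent IDs named in if_sid / if_matched_sid}
    groups      - [(group name, rule count)] for each top-level <group>
    """
    # A rule file may hold several top-level <group> elements, so it is not a single
    # well-formed XML document; wrap it in a synthetic root before parsing.
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rule_ids, parent_refs, groups = [], {}, []
    for group in root.findall("group"):  # direct children only: <group> also occurs inside <rule>
        rules = group.findall("rule")
        groups.append((group.get("name"), len(rules)))
        for rule in rules:
            rid = int(rule.get("id"))
            rule_ids.append(rid)
            for tag in ("if_sid", "if_matched_sid"):
                for el in rule.findall(tag):
                    # parent lists may be comma-separated: <if_sid>18100, 18101</if_sid>
                    for tok in (el.text or "").replace(",", " ").split():
                        parent_refs.setdefault(rid, set()).add(int(tok))
    return rule_ids, parent_refs, groups


def check_dependencies(enabled_files, rule_files=RULE_FILES):
    """List (file, rule_id, missing_parent) for rules whose parent is in no enabled file."""
    defined, refs = set(), []
    for fname in enabled_files:
        ids, parents, _ = parse_rules(rule_files[fname])
        defined.update(ids)
        refs.extend((fname, rid, p) for rid, ps in parents.items() for p in ps)
    return sorted((f, r, p) for f, r, p in refs if p not in defined)


def check_local_rules(xml_text):
    """Return human-readable problems with a local_rules.xml body (empty list if clean)."""
    ids, _, groups = parse_rules(xml_text)
    problems = [f"rule {rid} is outside the custom range 190000-199999"
                for rid in ids if rid not in CUSTOM_ID_RANGE]
    problems += [f"rule id {rid} is defined more than once"
                 for rid in sorted(set(ids)) if ids.count(rid) > 1]
    problems += [f"group {name!r} is empty; HIDS will not restart" for name, n in groups if n == 0]
    return problems


if __name__ == "__main__":
    # Defaults per the table: msauth_rules.xml on, ms-se_rules.xml off.
    enabled = ["msauth_rules.xml", "alienvault-windows-defender_rules.xml", "local_rules.xml"]
    print("dangling parents:", check_dependencies(enabled))
    enabled.insert(1, "ms-se_rules.xml")  # enable the dependency first, as the text requires
    print("after enabling ms-se_rules.xml:", check_dependencies(enabled))
    print("local_rules.xml:", check_local_rules(RULE_FILES["local_rules.xml"]))
    print("bad local_rules.xml:", check_local_rules(BAD_LOCAL_RULES))
```

With ms-se_rules.xml left disabled, `check_dependencies` reports the Defender rule whose parent is missing; adding ms-se_rules.xml to the enabled set clears it. `check_local_rules` flags the out-of-range ID and the empty group in the bad sample, which are exactly the two conditions that would otherwise surface only after a failed restart.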

LevelBlue OSSIM Limitations: The HIDS decoders in both LevelBlue OSSIM and USM Appliance are fully featured, with all of their content coming from the Plugin Feed Updates that USM Appliance and LevelBlue OSSIM receive. However, LevelBlue OSSIM lacks the depth of NIDS information that is provided to USM Appliance through the Threat Intelligence Updates.