About Halo Log-Based Intrusion Detection
The CloudPassage Halo log-based intrusion detection system (LIDS) is a Halo security module that allows you to monitor server log files for events of interest, and receive alerts when such events occur. The module is available to Halo users on both Linux and Windows platforms.
When enabled and configured, this module detects selected important events that are recorded in any number of system or application log files on any of your servers. If you also enable Halo alerting, you can receive near-real-time alerts when the highest-priority events are logged.
Event detection in this feature is policy-driven—the events that are to be considered indicators of intrusion are specified (by event ID or by event-message text pattern) in a policy that is assigned to a server group that is being monitored for intrusion. Every detected event occurrence is logged as a Halo security event that can be viewed in the Halo portal, retrieved through the Halo API, and exported to third-party tools for further analysis. The policy also specifies which events are to generate Halo alerts.
A key advantage of log-based intrusion detection is its light impact. Because only specific, high-value events are logged into Halo, the massive gathering, storage, and analysis of voluminous events from hundreds to thousands of log files is avoided.
With log-based intrusion detection you can continually monitor the security of all of your server systems and applications, and be certain that you will be notified whenever specific events of critical importance occur anywhere in your server infrastructure.
How It Works
Halo's log-based intrusion detection system leverages Halo's built-in distributed scanning architecture and policy-based security analytics to detect and report on the most recent events of interest soon after they are written to any of the log files that you specify, on any sets of servers that you want.
To specify which events should be monitored, you create a log-based intrusion detection policy. Like other Halo policies, it consists of rules that are applied to an object being scanned on a server. In this case, each rule includes (1) the path to the log file to scan, (2) the event message or ID to look for (specified with a search pattern), and (3) whether to send a Halo alert when this event is detected.
To specify which servers to monitor, you assign the log-based intrusion detection policy to one or more server groups.
Note: The scanning frequency for Halo log-based intrusion detection is fixed at 5 minutes. This frequency provides near-real-time reporting and alerting on events without negatively impacting the performance of your servers.
Also, to prevent "event overload" during a scan, Halo reports a maximum of fifty events (rule matches) for any one policy rule in a given log file. Additional events that match that rule are ignored for that scan.
All occurrences of log events that you specify are saved as Halo events (that include the complete original event message, whether text or XML), so that you can search for and view them on the Security Events History page of the Halo Portal.
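The following Python program is an added illustration, not CloudPassage code, of the scan semantics described above: a policy is a list of rules, each with (1) a log path, (2) a search pattern and (3) an alert flag; a scan reports at most fifty matches per rule per log file and ignores the rest; and every reported event keeps the complete original log line. The rule names, dataclass fields and the `auth.log` lines are constructed for the example and are read from memory rather than from real files.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Per-rule, per-log-file cap on reported matches in a single scan.
MAX_EVENTS_PER_RULE = 50


@dataclass(frozen=True)
class LidsRule:
    name: str       # hypothetical rule label, used only for reporting
    log_path: str   # (1) path of the log file to scan
    pattern: str    # (2) regex matched against each log line
    alert: bool     # (3) whether a match should raise a Halo alert


@dataclass(frozen=True)
class HaloEvent:
    rule: str
    log_path: str
    message: str    # the complete original log line is preserved
    alert: bool


def scan_file(rule: LidsRule, lines: List[str]) -> Tuple[List[HaloEvent], int]:
    """Apply one rule to the lines of one log file.

    Returns the reported events (at most MAX_EVENTS_PER_RULE) and the
    number of further matches that were ignored for this scan.
    """
    regex = re.compile(rule.pattern)
    events: List[HaloEvent] = []
    ignored = 0
    for line in lines:
        if not regex.search(line):
            continue
        if len(events) >= MAX_EVENTS_PER_RULE:
            ignored += 1
            continue
        events.append(HaloEvent(rule.name, rule.log_path, line.rstrip("\n"), rule.alert))
    return events, ignored


def run_policy(policy: List[LidsRule], logs: Dict[str, List[str]]):
    """Run every rule of a policy over the logs it names (one scan cycle).

    `logs` maps a log path to its lines; here it is fed from constructed
    in-memory data instead of real files so the example runs anywhere.
    """
    events: List[HaloEvent] = []
    ignored: Dict[str, int] = {}
    for rule in policy:
        found, dropped = scan_file(rule, logs.get(rule.log_path, []))
        events.extend(found)
        if dropped:
            ignored[rule.name] = dropped
    return events, ignored


def alerts(events: List[HaloEvent]) -> List[HaloEvent]:
    """Subset of events whose rule asked for a Halo alert."""
    return [e for e in events if e.alert]


# --- Constructed sample policy and log lines (not real data) ---------------
POLICY = [
    LidsRule("ssh-failed-password", "/var/log/auth.log",
             r"sshd\[\d+\]: Failed password for", alert=True),
    LidsRule("sudo-command", "/var/log/auth.log",
             r"sudo: .*COMMAND=", alert=False),
]

AUTH_LOG = (
    # 60 failed logins inside one scan window: only the first 50 are reported
    [f"Jan 10 03:00:{i % 60:02d} web1 sshd[41{i:02d}]: Failed password for root "
     f"from 198.51.100.7 port {40000 + i} ssh2" for i in range(60)]
    + ["Jan 10 03:01:30 web1 sshd[4199]: Accepted publickey for deploy from 203.0.113.5 port 50111 ssh2",
       "Jan 10 03:02:01 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx"]
)
LOGS = {"/var/log/auth.log": AUTH_LOG}

if __name__ == "__main__":
    evs, dropped = run_policy(POLICY, LOGS)
    print(f"{len(evs)} events, {len(alerts(evs))} alerts, ignored per rule: {dropped}")
```

Running it reports 51 events (50 capped SSH failures plus one sudo match), 50 of which are alert-worthy, and records that 10 further matches of the SSH rule were ignored for this scan. The cap is the reason a burst of more than fifty matching lines in one 5-minute window is not fully represented in Halo; the count of ignored matches is what you would want to surface if that matters for your triage.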
To perform deeper analyses on these events, especially in relation to other events across your installations that might not be monitored by Halo log-based intrusion detection, you may wish to integrate these Halo events into whatever log-management and analysis or SIEM solutions your organization uses, as described next.
Integrating Log-Based Intrusion Detection with SIEM Tools
If your organization already uses log-management, log-analysis or SIEM tools such as Splunk, Sumo Logic, ArcSight, or RSA enVision, you can leverage their power by integrating Halo log-based intrusion detection with them.
By automatically extracting event data from Halo and feeding it into your SIEM solution, you'll gain the advantages of both types of systems: Halo log-based intrusion detection will alert you directly and immediately to the occurrence of events of critical importance, and then your log-analysis tool can evaluate the relationships among those events and any others that may be occurring anywhere in your network, perhaps uncovering additional evidence of intrusion or attack.
To perform the integration, you can develop your own scripts using the Events portion of the CloudPassage REST API, or you can take advantage of existing tools created for this purpose and posted to the Halo Toolbox on GitHub. For example, full code and instructions for integrating with Splunk, Sumo Logic, ArcSight and other tools are available at https://github.com/cloudpassage/halo-event-connector-python.
Implementing Log-Based Intrusion Detection Through the API
The log-based intrusion detection portion of the Halo REST API includes calls that allow you to develop or extend an application to manipulate log-based intrusion detection policies. You'll be able to automate the creation, assignment, and management of your policies from within your own software tools.
The API includes methods to perform the following tasks:
- List log-based intrusion detection policies
- Get a single log-based intrusion detection policy
- Create a new log-based intrusion detection policy
- Delete a log-based intrusion detection policy
- Update a log-based intrusion detection policy
- Assign a log-based intrusion detection policy to a server group
- Remove a log-based intrusion detection policy from a server group
Beyond these tasks, you can also use the Halo API to pass log-based intrusion detection events to a log-management or SIEM system, as noted in the previous section.
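As an added example of the events hand-off described in the two sections above (it is not code from the Halo Toolbox or the halo-event-connector-python project), the Python program below polls the Events portion of the REST API for new log-based intrusion detection events and renders each as a CEF line that an ArcSight-style collector can ingest. The base URL, `/v1/events` path, `since` and `per_page` query parameters, the `pagination.next` link, the event type name `lids_rule_matched` and the event field names are assumptions to check against the current Halo API reference; the sample responses served by `fake_fetch` are constructed so the program runs offline, and `http_fetch` is the transport you would use against the live API.

```python
import json
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed API shape (base URL, path, query parameters, pagination link and
# event field names): verify against the Halo API reference before use.
HALO_API = "https://api.cloudpassage.com"
EVENTS_PATH = "/v1/events"
LIDS_EVENT_TYPES = {"lids_rule_matched"}   # assumed type name for LIDS matches

Fetch = Callable[[str, Dict[str, str]], dict]   # (url, headers) -> parsed JSON


def http_fetch(url: str, headers: Dict[str, str]) -> dict:
    """Live transport: GET a JSON document with the given headers."""
    with urlopen(Request(url, headers=headers), timeout=30) as resp:
        return json.load(resp)


def iter_events(token: str, since: str, fetch: Fetch = http_fetch) -> Iterator[dict]:
    """Walk every page of events created at or after `since` (ISO-8601)."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    url: Optional[str] = f"{HALO_API}{EVENTS_PATH}?" + urlencode(
        {"since": since, "per_page": 100})
    while url:
        body = fetch(url, headers)
        yield from body.get("events", [])
        url = (body.get("pagination") or {}).get("next")   # absent on the last page


def cef_header(s: str) -> str:
    """Escape a CEF header field (backslash and pipe)."""
    return s.replace("\\", "\\\\").replace("|", "\\|")


def cef_ext(s: str) -> str:
    """Escape a CEF extension value (backslash, equals sign, newlines)."""
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\r", "").replace("\n", "\\n")


def to_cef(ev: dict) -> str:
    """Render one Halo event as a CEF line, keeping the full original message."""
    severity = 10 if ev.get("critical") else 5
    fields = [("rt", ev.get("created_at")), ("dvchost", ev.get("server_name")),
              ("cs1Label", "rule"), ("cs1", ev.get("rule_name")),
              ("msg", ev.get("message"))]
    ext = " ".join(f"{k}={cef_ext(str(v))}" for k, v in fields if v)
    return "CEF:0|CloudPassage|Halo|1|{}|{}|{}|{}".format(
        cef_header(ev.get("type", "")), cef_header(ev.get("name", "")), severity, ext)


def forward_lids_events(token: str, since: str, seen_ids: set, fetch: Fetch = http_fetch):
    """One polling cycle: returns (cef_lines, newest_created_at).

    `seen_ids` holds ids already forwarded, so a later cycle that re-queries
    from the same timestamp does not emit duplicate lines.
    """
    lines: List[str] = []
    latest = since
    for ev in iter_events(token, since, fetch):
        if ev.get("type") not in LIDS_EVENT_TYPES or ev.get("id") in seen_ids:
            continue
        seen_ids.add(ev["id"])
        lines.append(to_cef(ev))
        if ev.get("created_at", "") > latest:
            latest = ev["created_at"]
    return lines, latest


# --- Constructed sample responses standing in for the live API -------------
_PAGE2_URL = f"{HALO_API}{EVENTS_PATH}?since=2014-06-02T10:00:00Z&per_page=100&page=2"
FAKE_PAGES = {
    "page1": {"events": [
        {"id": "ev-1", "type": "lids_rule_matched", "name": "LIDS rule matched",
         "critical": True, "created_at": "2014-06-02T10:05:00Z", "server_name": "web1",
         "rule_name": "ssh-failed-password",
         "message": "Jan 10 03:00:00 web1 sshd[4100]: Failed password for root from 198.51.100.7 port 40000 ssh2"},
        {"id": "ev-2", "type": "fim_target_integrity_changed", "name": "File integrity changed",
         "critical": False, "created_at": "2014-06-02T10:06:00Z", "server_name": "web1",
         "message": "/etc/passwd changed"}],
        "pagination": {"next": _PAGE2_URL}},
    "page2": {"events": [
        {"id": "ev-3", "type": "lids_rule_matched", "name": "LIDS rule matched",
         "critical": False, "created_at": "2014-06-02T10:07:00Z", "server_name": "db1",
         "rule_name": "sudo-command",
         "message": "Jan 10 03:02:01 db1 sudo: deploy : USER=root ; COMMAND=/bin/bash"}],
        "pagination": {}},
}


def fake_fetch(url: str, headers: Dict[str, str]) -> dict:
    """Offline transport returning the constructed pages above."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("missing bearer token")
    return FAKE_PAGES["page2" if "page=2" in url else "page1"]


if __name__ == "__main__":
    seen: set = set()
    cef_lines, cursor = forward_lids_events("EXAMPLE_TOKEN", "2014-06-02T10:00:00Z", seen, fake_fetch)
    print("\n".join(cef_lines))
    print("next poll from", cursor)
```

The non-LIDS event on the first page is skipped, the sudo message's `=` characters are escaped for CEF, and the returned timestamp becomes the `since` value for the next 5-minute poll; because `seen_ids` is retained, re-querying from that same timestamp on the next cycle produces no duplicates. Store the cursor and the id set somewhere durable between runs so a restart of the forwarder neither replays nor misses events.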