Critical System Protection

  • 1.  Global Watch Policy?

    Posted Feb 25, 2010 09:46 AM
    Is it possible to write a HIDS policy that can watch events coming from all agents? Like a correlation engine.  If so how?  Do I apply the policy to the CSP Manager only? What log would I monitor? The idea is that I can raise flags for certain criteria and if I find that event coming from multiple agents, I can alert on it. Currently, all rules appear to apply only to each agent.


  • 2.  RE: Global Watch Policy?

    Posted Apr 02, 2010 10:52 AM

    Tim,

    Is your question still open? I need to research this item a bit myself and will provide input.


  • 3.  RE: Global Watch Policy?

    Posted Apr 05, 2010 10:00 AM
    Resolved.

    I meant to follow up on this but you beat me to it. There is a Global Watch Policy included in the Policy packs. You have to leverage the Alerting module within the product. Create a new alert that will monitor for the specified criteria and write the alert to a file. Then apply the global watch policy to the CSP Server and configure it to watch that file. I have not tried this yet but will plan to. The policy description pretty much sums it up.

    "Global watch policy is used to aggregate events coming from different systems. Using the Console, the alert module can be configured to generate an alert file that contains events of interest. These events can potentially originate from different agents. The Global Watch policy can then be used to monitor the alert file and count events based on specified criteria. When one of the specified criteria is matched the policy records an event to the console. The Global Watch policy should be applied on the Critical System Protection server machine."
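The aggregate-and-count step that the policy description above outlines, as an added illustrative example (not Symantec's code; the pipe-delimited alert-file layout, agent names and event ids are constructed assumptions): it reads an alert file fed by several agents and flags any watched event that a minimum number of distinct agents reported, which is the cross-agent condition the original question wanted to alert on.

```python
import re
from collections import defaultdict

# Constructed sample of an alert file as the Alerting module might write it.
# The line layout (timestamp|agent|event_id|message) is an assumption for
# this example, not the product's real format.
SAMPLE_ALERT_FILE = """\
2010-04-05 09:58:01|web01|LOGIN_FAIL|Failed logon for root
2010-04-05 09:58:07|web02|LOGIN_FAIL|Failed logon for root
2010-04-05 09:58:09|web01|LOGIN_FAIL|Failed logon for root
2010-04-05 09:58:30|db01|SVC_STOP|Service sshd stopped
2010-04-05 09:59:12|web03|LOGIN_FAIL|Failed logon for root
2010-04-05 09:59:40|db01|SVC_STOP|Service sshd stopped
"""

LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<agent>[^|]+)\|(?P<event>[^|]+)\|(?P<msg>.*)$")


def parse_alert_file(text):
    """Yield (agent, event_id) for each well-formed line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("agent"), m.group("event")


def correlate(text, criteria, min_agents=2):
    """Count, per watched event_id, the distinct agents that reported it.

    Returns {event_id: sorted agent list} only for events seen on at least
    min_agents different agents; repeats from one agent count once."""
    agents_by_event = defaultdict(set)
    for agent, event in parse_alert_file(text):
        if event in criteria:
            agents_by_event[event].add(agent)
    return {ev: sorted(a) for ev, a in agents_by_event.items() if len(a) >= min_agents}


if __name__ == "__main__":
    hits = correlate(SAMPLE_ALERT_FILE, {"LOGIN_FAIL", "SVC_STOP"})
    for event, agents in hits.items():
        print(f"ALERT {event}: seen on {len(agents)} agents {agents}")
```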


  • 4.  RE: Global Watch Policy?

    Posted Apr 05, 2010 10:41 AM

    Yea I was working with a few custom policies that utilize the global watch function, very handy for correlation internally without the need for ancillary apps like SIM/ArcSight.