Overview
Fortra’s Alert Logic has introduced new functionality for Managed Detection & Response (MDR) customers, delivering greater visibility into network traffic sent from the Agent to the IDS Appliance. Traditionally, IDS analysis of HTTPS traffic required TLS key management within the Alert Logic console, and users were required to disable Diffie-Hellman key exchange.
With this update, and with the requirements below met, the IDS Appliance can decrypt TLS (including TLS 1.3), and therefore HTTPS, traffic from the Agent without requiring customers to manage keys in the console or to disable Diffie-Hellman key exchange.
This enhancement enables the IDS Appliance to inspect encrypted traffic for potential threats, significantly improving visibility and strengthening overall security posture by exposing risks that would otherwise remain hidden.
Enablement
You can enable this feature in the Assets console at the Deployment level, within the configuration section. Once enabled, no additional steps are required.
Investigate > Assets > Deployments
After enabling this feature for a deployment, it will automatically apply to all supported agents within that deployment. Decryption will only be possible on supported agents when data is processed by a compatible TLS library, as described in the Requirements section.
Requirements:
This feature requires the following:
- Linux host with the Alert Logic Agent (x86 and ARM64)
- OpenSSL installed; the following versions are currently supported:
  - 1.0.2k
  - 1.1.1a – 1.1.1v
  - 3.0.0 – 3.0.16 (excluding 3.0.6)
  - 3.1.0 – 3.1.8 (excluding 3.1.7)
  - 3.2.0, 3.2.1, 3.2.2, 3.2.4
  - 3.3.0, 3.3.1, 3.3.2, 3.3.3
  - 3.4.1c (not 3.4.0)
- Alert Logic IDS Security Appliance
Implementation notes:
- We do not recommend enabling this feature in environments that require PCI or HIPAA compliance, as decrypted traffic may expose sensitive data (including PII) to inspection. Customers operating in regulated environments should carefully assess compliance requirements before enabling this functionality.
- eBPF support must be enabled (default in many Linux distributions).
- SELinux, seccomp, kernel lockdown, Falco, or any endpoint protection software could prevent the agent from running, because the Agent's eBPF and syscall instrumentation interacts with other security software.
- This feature is not available on Windows hosts or container environments at this time.
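The checks a host needs to pass before this feature can work, as a pre-flight script added here (this is a constructed example, not Alert Logic's own tooling): the supported OpenSSL versions are transcribed from the Requirements section, and the eBPF, kernel lockdown and SELinux probes are heuristics based on standard kernel interfaces, not the agent's own logic.

```shell
#!/bin/sh
# Pre-flight check for the TLS-decryption prerequisites listed above (constructed example,
# not Alert Logic's own tooling). Supported OpenSSL versions are transcribed from the
# Requirements section; the eBPF, lockdown and SELinux checks are heuristics.

# Return 0 if the given OpenSSL version string is in the supported list, 1 otherwise.
openssl_version_supported() {
    case "$1" in
        3.0.6|3.1.7|3.4.0) return 1 ;;          # explicitly excluded, so checked first
        1.0.2k|1.1.1[a-v]) return 0 ;;
        3.0.[0-9]|3.0.1[0-6]) return 0 ;;       # 3.0.0 - 3.0.16
        3.1.[0-8]) return 0 ;;                  # 3.1.0 - 3.1.8
        3.2.0|3.2.1|3.2.2|3.2.4) return 0 ;;
        3.3.0|3.3.1|3.3.2|3.3.3) return 0 ;;
        3.4.1c) return 0 ;;
        *) return 1 ;;
    esac
}

# "OpenSSL 3.0.13 30 Jan 2024" -> "3.0.13"; empty if openssl is not installed.
installed_openssl_version() { openssl version 2>/dev/null | awk '{print $2}'; }

# The sysctl file exists only on kernels built with CONFIG_BPF_SYSCALL; fall back to /boot config.
bpf_syscall_available() {
    [ -e /proc/sys/kernel/unprivileged_bpf_disabled ] && return 0
    grep -qs '^CONFIG_BPF_SYSCALL=y' "/boot/config-$(uname -r)"
}

# Active lockdown mode, e.g. "none" from "[none] integrity confidentiality".
kernel_lockdown_mode() {
    [ -r /sys/kernel/security/lockdown ] || { echo unknown; return; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' /sys/kernel/security/lockdown
}

selinux_mode() {
    [ -r /sys/fs/selinux/enforce ] || { echo disabled-or-absent; return; }
    [ "$(cat /sys/fs/selinux/enforce)" = 1 ] && echo enforcing || echo permissive
}

main() {
    v=$(installed_openssl_version)
    if openssl_version_supported "$v"; then echo "OpenSSL $v: supported"
    else echo "OpenSSL ${v:-not found}: NOT in the supported list"; fi
    bpf_syscall_available && echo "eBPF: BPF syscall available" || echo "eBPF: CONFIG_BPF_SYSCALL not detected"
    echo "Kernel lockdown: $(kernel_lockdown_mode) (anything but none may block the agent's eBPF probes)"
    echo "SELinux: $(selinux_mode) (enforcing may block the agent; see implementation notes)"
}
main
```

Run it on the Linux host before enabling the feature for its deployment; a supported OpenSSL version plus an available BPF syscall are the hard requirements, while a non-default lockdown or SELinux mode is a prompt to review the implementation notes.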