Ingest Logs from BeyondTrust Privilege Management Cloud

Extend Cortex® XDR™ visibility into logs from BeyondTrust Privilege Management Cloud.
Ingesting logs and data requires a Cortex XDR Pro per TB license.
If you use BeyondTrust Privilege Management Cloud, you can take advantage of Cortex® XDR™ investigation and detection capabilities by forwarding your logs to Cortex XDR. This enables Cortex XDR to help you expand visibility into computer, activity, and authorization requests in the organization, correlate and detect access violations, and query BeyondTrust Endpoint Privilege Management logs using XQL Search.
As soon as Cortex XDR starts to receive logs, Cortex XDR can analyze your logs in XQL Search and you can create new Correlation Rules.
To integrate your logs, you first need to configure SIEM settings and an AWS S3 Bucket according to the specific requirements provided by BeyondTrust. You can then configure data collection in Cortex XDR by configuring an Amazon S3 data collector for a generic log type using the Beyondtrust Cloud ECS log format.
Before you begin configuring data collection, verify that you are using BeyondTrust Privilege Management Cloud version 21.6.339 or later.
Configure BeyondTrust Privilege Management Cloud collection in Cortex XDR.
  1. Configure SIEM settings and an AWS S3 Bucket according to the requirements provided in the BeyondTrust documentation.
    Ensure that when you add the AWS S3 bucket in the PMC and set the SIEM settings, you select ECS - Elastic Common Schema as the SIEM Format.
  2. Configure BeyondTrust logs collection with Cortex XDR using an Amazon S3 data collector for generic data.
    Ensure your Amazon S3 data collector is configured with the following settings.
    • Log Type—Select Generic to configure your log collection to receive generic logs from Amazon S3.
    • Log Format—Select the log format type as Beyondtrust Cloud ECS.
      For a Log Format set to Beyondtrust Cloud ECS, the following fields are automatically set and not configurable.
      • Vendor: Beyondtrust
      • Product: Privilege Management
      • Compression: Uncompressed
  3. After Cortex XDR begins receiving data from BeyondTrust Privilege Management Cloud, you can use XQL Search to search your logs using the beyondtrust_privilege_management_raw dataset that you configured when setting up your Amazon S3 data collector.
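The steps above assume the objects landing in the S3 bucket are uncompressed, newline-delimited ECS records. The following is an added example, not code from the Cortex XDR or BeyondTrust documentation, that a practitioner can run against a downloaded bucket object before pointing the Amazon S3 data collector at it: it rejects gzip-compressed objects (the collector's Compression setting is fixed to Uncompressed), checks that each line is a JSON object carrying the ECS base fields `@timestamp` and `ecs.version`, and then tallies the valid records by user, action and outcome as a preview of the kind of authorization-request view you would later build in XQL Search. The sample records, the action name `elevation-request`, and the use of the standard ECS names `user.name`, `host.name`, `event.action` and `event.outcome` are constructed assumptions for illustration; the exact fields BeyondTrust emits are not stated on this page.

```python
"""Added example (not part of the Cortex XDR or BeyondTrust docs):
pre-ingest sanity check for ECS log objects destined for an Amazon S3
data collector.  Field names other than the ECS base fields '@timestamp'
and 'ecs.version' are standard ECS names assumed for illustration."""
import gzip
import json
from collections import Counter
from typing import Any, Dict, Iterator, Optional

GZIP_MAGIC = b"\x1f\x8b"          # first two bytes of any gzip stream
REQUIRED_ECS_FIELDS = ("@timestamp", "ecs.version")


def is_gzip(data: bytes) -> bool:
    """True if the object is gzip-compressed (collector expects Uncompressed)."""
    return data[:2] == GZIP_MAGIC


def ecs_get(rec: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Look up an ECS field given either as a flat dotted key
    ({"ecs.version": ...}) or as nested objects ({"ecs": {"version": ...}})."""
    if dotted in rec:
        return rec[dotted]
    cur: Any = rec
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def validate_ecs_lines(data: bytes) -> Dict[str, Any]:
    """Return {'compressed': bool, 'records': <valid count>, 'errors': [...]}."""
    report: Dict[str, Any] = {"compressed": is_gzip(data), "records": 0, "errors": []}
    if report["compressed"]:
        report["errors"].append("object is gzip-compressed; collector expects Uncompressed")
        return report
    for lineno, raw in enumerate(data.decode("utf-8", errors="replace").splitlines(), 1):
        if not raw.strip():
            continue                      # blank lines are harmless
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError as exc:
            report["errors"].append(f"line {lineno}: not JSON ({exc.msg})")
            continue
        if not isinstance(rec, dict):
            report["errors"].append(f"line {lineno}: not a JSON object")
            continue
        missing = [f for f in REQUIRED_ECS_FIELDS if ecs_get(rec, f) is None]
        if missing:
            report["errors"].append(f"line {lineno}: missing ECS field(s) {missing}")
            continue
        report["records"] += 1
    return report


def iter_valid_records(data: bytes) -> Iterator[Dict[str, Any]]:
    """Yield only the lines that pass the ECS checks above."""
    if is_gzip(data):
        return
    for raw in data.decode("utf-8", errors="replace").splitlines():
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and all(ecs_get(rec, f) is not None for f in REQUIRED_ECS_FIELDS):
            yield rec


def summarize_by_user(data: bytes) -> Counter:
    """Count valid records per (user.name, event.action, event.outcome),
    a preview of the per-user authorization view you would build in XQL."""
    return Counter(
        (ecs_get(r, "user.name"), ecs_get(r, "event.action"), ecs_get(r, "event.outcome"))
        for r in iter_valid_records(data)
    )


# Constructed sample object: two good ECS records (one nested, one flat),
# one record missing @timestamp, and one line that is not JSON at all.
SAMPLE_OBJECT = b"\n".join([
    json.dumps({"@timestamp": "2024-01-01T10:00:00Z", "ecs": {"version": "1.12.0"},
                "event": {"action": "elevation-request", "outcome": "success"},
                "user": {"name": "alice"}, "host": {"name": "WS01"}}).encode(),
    json.dumps({"@timestamp": "2024-01-01T10:05:00Z", "ecs.version": "1.12.0",
                "event": {"action": "elevation-request", "outcome": "failure"},
                "user": {"name": "bob"}, "host": {"name": "WS02"}}).encode(),
    b'{"ecs": {"version": "1.12.0"}, "event": {"action": "elevation-request"}}',
    b"this line is not json",
])

if __name__ == "__main__":
    print(validate_ecs_lines(SAMPLE_OBJECT))
    print(summarize_by_user(SAMPLE_OBJECT))
    print(validate_ecs_lines(gzip.compress(SAMPLE_OBJECT)))
```

Run it against a real object by replacing `SAMPLE_OBJECT` with the bytes of a file downloaded from the bucket; a non-empty `errors` list or `compressed: True` means the SIEM settings or bucket output need correcting before the data collector is enabled, since the collector's log format and compression settings are fixed for Beyondtrust Cloud ECS.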
