BeyondTrust

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types           | Table name                  | Log format | Collection method
-------------------------------|-----------------------------|------------|------------------
BeyondTrust Events             | beyondtrust_events          | NDJSON     | API
BeyondTrust Activity Audit     | beyondtrust_activity_audits | NDJSON     | API
BeyondTrust Password Safe Logs | beyondntrust_passwordsafe   | Key-value  | S3

The source page's table also carries 3rd party detection, Hunters detection, IOC search and Search columns; their values are icons on that page and are not reproduced here.


Overview

BeyondTrust's Privileged Access Management (PAM) solution is designed to provide comprehensive protection over privileged accounts, which are often targeted by attackers to gain unauthorised access to critical systems and sensitive data.
When the logs are integrated into Hunters, the data is fetched from the BeyondTrust API (or, for Password Safe, collected from an intermediary S3 bucket), normalized into schemas and streamed to Hunters' Data Lake. The ingestion lets you explore this source to oversee users' sign-in attempts and agent activity.

Supported data types

BeyondTrust Events

Overview

Table name: beyondtrust_events

Returns information about events that happened on one of the agents. Events include relevant agent information as well as information on the service accessed. More information on the event types can be found here.

Send data to Hunters

Hunters supports the collection of logs from BeyondTrust using API.

To connect BeyondTrust logs:

  1. Acquire the Domain value from BeyondTrust as described here.

  2. Create a ClientSecret and ClientID, granting the relevant scope permissions as described here.

    ⚠️ Attention

    Each supported data type requires its own scope. When you create the API client, grant the scope for every data type you intend to onboard: the bearer token obtained with that client only authorizes the data types whose scopes were granted, and a missing scope shows up later as an empty or failing collection, not at client creation.

  3. Complete the process on the Hunters platform, following this guide.

Expected format

Logs are expected as newline-delimited JSON (NDJSON), one event object per line, for example:

{"agent":{"version":"12.1.123.1","id":"12345-f392-407b-bd10-abcd"},"@timestamp":"2023-11-07T08:48:43+00:00","client":{},"dll":{"pe":{}},"event":{"id":"abcd-f88b-4aa9-9041-12345","code":"123","action":"process-start-no-change","ingested":"2023-11-07T08:49:02.8132306+00:00"},"file":{"path":"c:\\windows\\syswow64\\abcd\\v1.0\\powershell.exe","owner":"TrustedInstaller","DriveType":"Fixed Disk","ProductVersion":"10.0.12345.1","hash":{"md5":"ABCDEF7F28F462EC7AAE2250F","sha1":"ABCDEF143BB778597B0F914D13073B4","sha256":"ABCDEF12345AB54A3CA570C2673E0034BDD4DF91A0B712345"},"pe":{"file_version":"10.0.1234.1 (WinBuild.1234.0800)","description":"Windows PowerShell","product":"Microsoft® Windows® Operating System"},"Bundle":{},"Owner":{"Identifier":"S-1-5-80-12345-3418522649-1234-123-12345","Name":"TrustedInstaller","DomainIdentifier":"S-1-5-80","DomainName":"NT ABC","DomainNetBIOSName":"NT ABC"},"code_signature":{"subject_name":"Microsoft Windows"}},"group":{},"host":{"hostname":"ABC-ABC-ZOOM","name":"ABC-ABC-ZOOM","id":"S-1-5-21-12345-413027322-1801674531-123","ip":[],"domain":"corp.abc.com","DomainIdentifier":"S-1-5-21-12345-123-","NetBIOSName":"ABC-KARL-ZOOM","DomainNetBIOSName":"CORP","geo":{},"os":{"type":"windows"}},"process":{"pid":5256,"entity_id":"12345-0fbc-4794-93e6-abcde","command_line":"\"C:\\Windows\\SysWOW64\\ABC\\v1.0\\powershell.exe\" -NoProfile -executionPolicy bypass -file  \"C:\\WINDOWS\\IMECache\\ABC\\cc584dcd-717b-45d7-b6ae-12345\\detect.ps1\"","executable":"c:\\windows\\syswow64\\abcd\\v1.0\\powershell.exe","start":"2023-11-07T08:48:43+00:00","ElevationRequired":false,"hash":{},"pe":{},"code_signature":{},"HostedFile":{"hash":{},"pe":{},"Owner":{},"code_signature":{}},"user":{"id":"S-1-5-21-12345-413027322-12345-63836","name":"_zoom","domain":"CORP","DomainIdentifier":"S-1-5-21-12345--2345"},"parent":{"pid":123,"entity_id":"12345-dce9-43c3-b360-abcd","executable":"c:\\program files (x86)\\microsoft intune management extension\\example.exe"}},"related":{"ip":[],"user":["_zoom"],"hash":["ABCD1143BB778597B0F914D13073B4","ABCD788F3AB54A3CA570C2673E0034BDD4DF91A0B7612345","12345F6606A7F28F462EC7AAABCD"],"hosts":["ABC-KARL-ZOOM"]},"user":{"id":"S-1-5-21-1993962763-12345-1801674531-12345","name":"_zoom","domain":"CORP","DomainIdentifier":"S-1-5-21-12345-413027322-1234","DomainNetBIOSName":"CORP"},"EPMWinMac":{"SchemaVersion":"4.4.0","GroupId":"1234-72b5-4c25-88a9-12345","TenantId":"abcd-a0ed-2838-20ed-12345","ActiveX":{},"AuthorizationRequest":{},"AuthorizingUser":{},"COM":{},"Configuration":{"Identifier":"12345-26f2-473a-8caf-abcd","RevisionNumber":"64","Application":{"Type":"exe","Description":"Any Executable"},"ApplicationGroup":{"Name":"(Default) Any Application","Description":"This will match for every application type Privilege Management supports","Identifier":"abcd-a490-4efc-80f1-482c5361ba5e"},"Message":{"AuthMethods":[],"Authorization":{},"Authentication":{}},"Rule":{"Identifier":"abcd-24b5-445a-9cc5-2ac9b0397b6f","OnDemand":false},"RuleScript":{"Outcome":{"RuleAffected":false}},"Token":{"Name":"Passive (No Change)","Identifier":"abce-e95d-4700-b69a-957dc5c1de6f"},"Workstyle":{"Name":"High Flexibility","Description":"Workstyle that applies to users who have a lot of flexibility","Identifier":"12345-67e3-4ad8-b585-a97ad05c409b"}},"Event":{"Type":"Process","Action":"Allowed"},"Installer":{},"PrivilegedGroup":{},"RemotePowerShell":{},"ServiceControl":{"Service":{}},"Session":{},"StoreApp":{},"TrustedApplication":{}}}
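The fields worth pivoting on in a record like the one above are file.path and file.hash (IOC search), process.command_line, and EPMWinMac.Configuration.Token together with EPMWinMac.Event.Action (what the policy actually did to the process). The Python script below is an added example, not Hunters or BeyondTrust code: it parses NDJSON events shaped like the sample and flags script hosts started with execution-policy bypass or encoded-command switches, on-demand elevations, and any non-passive privilege token. The sample records in it are constructed (trimmed to the fields the rules read), the rule set is illustrative, and the reading of a Token name other than "Passive (No Change)" as a change of rights is the example's own assumption, not something this page states.

```python
"""Triage BeyondTrust EPM events from an NDJSON export.

Added example, not Hunters or BeyondTrust code. The records are constructed
to mirror the field layout of the sample on this page; the rules are
illustrative starting points, not a supported detection pack.
"""
from __future__ import annotations

import json
import re
from typing import Any, Iterator


def _rec(eid: str, path: str, cmd: str, token: str, on_demand: bool, action: str = "Allowed") -> dict:
    """Build a constructed event with the page's layout (only the fields the rules read)."""
    return {
        "@timestamp": "2023-11-07T08:48:43+00:00",
        "event": {"id": eid},
        "host": {"hostname": "ABC-ABC-ZOOM"},
        "user": {"name": "_zoom", "domain": "CORP"},
        "file": {"path": path, "hash": {"sha256": "ABCDEF12345AB54A3CA570C2673E0034BDD4DF91A0B712345"}},
        "process": {"command_line": cmd},
        "EPMWinMac": {"Configuration": {"Token": {"Name": token}, "Rule": {"OnDemand": on_demand}},
                      "Event": {"Type": "Process", "Action": action}},
    }


SAMPLE_NDJSON = "\n".join(json.dumps(r) for r in [
    # mirrors the page's sample: PowerShell with -executionPolicy bypass, allowed with no token change
    _rec("evt-1", "c:\\windows\\syswow64\\abcd\\v1.0\\powershell.exe",
         '"C:\\Windows\\SysWOW64\\ABC\\v1.0\\powershell.exe" -NoProfile -executionPolicy bypass -file "C:\\WINDOWS\\IMECache\\ABC\\detect.ps1"',
         "Passive (No Change)", False),
    # constructed: user-requested (on-demand) elevation of cmd.exe
    _rec("evt-2", "c:\\windows\\system32\\cmd.exe", '"C:\\Windows\\System32\\cmd.exe" /c whoami /groups', "Add Admin Rights", True),
    # constructed: benign start that must not match anything
    _rec("evt-3", "c:\\windows\\system32\\notepad.exe", '"C:\\Windows\\System32\\notepad.exe" notes.txt', "Passive (No Change)", False),
]) + "\n{not json\n"  # constructed malformed trailing line; must be skipped, not abort the batch

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell switches that bypass or hide controls, including the short forms (-ep, -enc, -e, -w hidden).
BYPASS_FLAGS = re.compile(r"-(?:ep|executionpolicy)\s+bypass|-e(?:nc(?:odedcommand)?)?\s|-w(?:indowstyle)?\s+hidden", re.I)
PASSIVE_TOKEN = "Passive (No Change)"


def dig(rec: Any, *keys: str, default: Any = None) -> Any:
    """Nested lookup that tolerates the many present-but-empty sub-objects ({}) in these events."""
    cur = rec
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def parse_ndjson(text: str) -> Iterator[dict]:
    """Yield one dict per well-formed line; blank and malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows or POSIX path (EPM already lower-cases file.path)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(rec: dict) -> list[str]:
    """Return the names of the rules an event matches; an empty list means nothing of interest."""
    hits: list[str] = []
    exe = image_name(dig(rec, "file", "path", default="") or dig(rec, "process", "executable", default=""))
    cmd = dig(rec, "process", "command_line", default="") or ""
    token = dig(rec, "EPMWinMac", "Configuration", "Token", "Name", default="")
    action = dig(rec, "EPMWinMac", "Event", "Action", default="")
    if exe in SCRIPT_HOSTS and BYPASS_FLAGS.search(cmd):
        hits.append("script_host_bypass_flags")
    # Assumption (not stated on the page): any token other than Passive changed the process's rights.
    if action == "Allowed" and token and token != PASSIVE_TOKEN:
        hits.append("privilege_token_applied")
    if dig(rec, "EPMWinMac", "Configuration", "Rule", "OnDemand", default=False) is True:
        hits.append("on_demand_elevation")
    if action == "Blocked":
        hits.append("blocked_by_policy")
    return hits


def summarize(rec: dict) -> dict:
    """Pivot fields an analyst needs: who, where, what ran, its hash, and what the policy did."""
    return {
        "event_id": dig(rec, "event", "id"),
        "timestamp": rec.get("@timestamp"),
        "host": dig(rec, "host", "hostname"),
        "user": f"{dig(rec, 'user', 'domain', default='')}\\{dig(rec, 'user', 'name', default='')}",
        "image": image_name(dig(rec, "file", "path", default="")),
        "sha256": dig(rec, "file", "hash", "sha256"),
        "token": dig(rec, "EPMWinMac", "Configuration", "Token", "Name"),
        "action": dig(rec, "EPMWinMac", "Event", "Action"),
    }


def findings(text: str = SAMPLE_NDJSON) -> list[dict]:
    """Run every rule over an NDJSON blob and return the summaries of the events that matched."""
    out = []
    for rec in parse_ndjson(text):
        rules = triage(rec)
        if rules:
            out.append({**summarize(rec), "rules": rules})
    return out


if __name__ == "__main__":
    for finding in findings():
        print(json.dumps(finding))
```

Run against the constructed input, evt-1 matches only the bypass-flag rule (the policy left it passive, which is exactly why an analyst wants to see it), evt-2 matches the token and on-demand rules, evt-3 and the malformed line produce nothing. The sha256 in each finding is what you would feed back into IOC search.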

BeyondTrust Activity Audit

Overview

Table name: beyondtrust_activity_audits

Returns audit events from the Activity Audit log of your BeyondTrust management console. More information on the event types can be found here.

Send data to Hunters

Hunters supports the collection of logs from BeyondTrust using API.

To connect BeyondTrust logs:

  1. Acquire the Domain value from BeyondTrust as described here.

  2. Create a ClientSecret and ClientID, granting the relevant scope permissions as described here.

    ⚠️ Attention

    Each supported data type requires its own scope. When you create the API client, grant the scope for every data type you intend to onboard: the bearer token obtained with that client only authorizes the data types whose scopes were granted, and a missing scope shows up later as an empty or failing collection, not at client creation.

  3. Complete the process on the Hunters platform, following this guide.

Expected format

Logs are expected as newline-delimited JSON (NDJSON), one audit record per line, for example:

{"id": 22329, "details": "Edit draft for policy Quickstart Policy MAC", "userId": null, "user": "asd@asd.com", "entity": "Policy", "auditType": "EditDraft", "created": "2023-10-03T14:17:53.919084", "changedBy": "Portal", "apiClientDataAuditing": null, "computerDataAuditing": null, "groupDataAuditing": null, "installationKeyDataAuditing": null, "policyDataAuditing": null, "policyRevisionDataAuditing": null, "settingsDataAuditing": null, "userDataAuditing": null, "openIdConfigDataAuditing": null, "mmcRemoteClientDataAuditing": null, "computerPolicyDataAuditing": null, "azureADIntegrationDataAuditing": null, "authorizationRequestDataAuditing": null, "reputationSettingsDataAuditing": null, "securitySettingsDataAuditing": null, "disableSiemIntegrationDataAuditing": null, "siemIntegrationQradarAuditing": null, "siemIntegrationS3Auditing": null, "siemIntegrationSentinelAuditing": null, "siemIntegrationSplunkAuditing": null, "agentDataAuditing": null, "managementRuleDataAuditing": null}

BeyondTrust Password Safe Logs

Overview

Table name: beyondntrust_passwordsafe

Password Safe allows you to manage privileged passwords, accounts, keys, secrets, and sessions for people and machines and secure non-privileged employee passwords for business applications. Password Safe logs provide a list of all actions performed in the system, including timestamp, event, involved user, source IP and more.

Send data to Hunters

Hunters supports the collection of logs from BeyondTrust through an intermediary S3 bucket.

To connect Password Safe logs, you'll need to set up log routing from Password Safe to an AWS S3 bucket:

  1. Follow this guide to set up event forwarding of your logs to an AWS S3 bucket.

  2. Once logs are being delivered to the bucket, follow the steps in this section to connect the bucket to Hunters.

Expected format

Logs are expected in key-value format: one event per line, a leading timestamp and IP address, then comma-separated Key: "value" pairs (keys may contain spaces; values are always double-quoted), for example:

2024-04-01T00:00:12Z 1.2.3.4 Agent Desc: "",Agent ID: "AppAudit",Agent Ver: "",Category: "PMM API SignAppIn",Source Host: "",Event Desc: "",Event Name: "Login",OS: "",Event Severity: "0",Source IP: "1.2.3.4",Event Subject: "1944",Event Type: "0",User: "testtest",Workgroup Desc: "",Workgroup ID: "",Workgroup Location: "",AuditID: "24351596",ActionType: "Login",SystemName: "PMM API SignAppIn",AppUserID: "1944",CreateDate: "3/31/2024 11:59:28 PM",UserName: "testtest",IPAddress: "1.2.3.4",Authentication Type: "API"
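Hunters parses these lines for you on ingestion; the Python below is an added example, not Hunters or BeyondTrust code, for checking an export or running an ad-hoc question over the raw S3 objects before (or instead of) onboarding. It assumes, none of which this page states, that the leading timestamp and IP are the forwarder's receive time and sender address, that double quotes inside a value are backslash-escaped, and that CreateDate (which carries no zone marker) is UTC, which agrees with the receive timestamp in the sample. The first sample line is the page's own; the second and third are constructed (one with a comma and escaped quotes inside a value, one malformed). The parser rejects a malformed line instead of silently producing a half-record, and the check at the end answers a question a practitioner would actually ask of this table: which API sign-ins came from outside the networks you expect.

```python
"""Parse BeyondTrust Password Safe key-value audit lines as forwarded to S3.

Added example, not Hunters or BeyondTrust code. Assumptions: the leading
timestamp and IP are the forwarder's receive time and sender; embedded quotes
in values are backslash-escaped; CreateDate (no zone marker) is UTC.
"""
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample: line 1 is the page's example, lines 2 and 3 are synthetic
# (a value containing a comma and escaped quotes, then a malformed line).
SAMPLE_LINES = [
    '2024-04-01T00:00:12Z 1.2.3.4 Agent Desc: "",Agent ID: "AppAudit",Agent Ver: "",Category: "PMM API SignAppIn",Source Host: "",Event Desc: "",Event Name: "Login",OS: "",Event Severity: "0",Source IP: "1.2.3.4",Event Subject: "1944",Event Type: "0",User: "testtest",Workgroup Desc: "",Workgroup ID: "",Workgroup Location: "",AuditID: "24351596",ActionType: "Login",SystemName: "PMM API SignAppIn",AppUserID: "1944",CreateDate: "3/31/2024 11:59:28 PM",UserName: "testtest",IPAddress: "1.2.3.4",Authentication Type: "API"',
    '2024-04-01T00:05:00Z 10.0.0.9 Event Name: "Password Checkout",Event Desc: "Checked out \\"svc_backup\\", reason: change",User: "alice",AuditID: "24351601",ActionType: "Checkout",CreateDate: "4/1/2024 12:04:51 AM",UserName: "alice",IPAddress: "10.0.0.9",Authentication Type: "Local"',
    '2024-04-01T00:06:00Z 10.0.0.9 this line is not key-value',
]

HEAD = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
# One Key: "value" pair. Keys may contain spaces; values may contain commas and \" escapes.
PAIR = re.compile(r'\s*([^,"]+?)\s*:\s*"((?:[^"\\]|\\.)*)"\s*(?:,|$)')


def parse_passwordsafe(line: str) -> dict:
    """Turn one raw line into a flat dict; raise ValueError on anything that does not fit the format."""
    head = HEAD.match(line.rstrip("\r\n"))
    if not head:
        raise ValueError("missing timestamp/ip header")
    received_at, sender, body = head.groups()
    fields: dict[str, str] = {}
    pos = 0
    while pos < len(body):  # pairs must tile the body exactly; any gap is a parse error
        pair = PAIR.match(body, pos)
        if not pair:
            raise ValueError(f"unparseable key-value at offset {pos}: {body[pos:pos + 30]!r}")
        fields[pair.group(1)] = pair.group(2).replace('\\"', '"')
        pos = pair.end()
    rec: dict = {"received_at": received_at, "sender": sender, **fields}
    if "CreateDate" in fields:  # "3/31/2024 11:59:28 PM" -> ISO 8601, assumed UTC
        naive = datetime.strptime(fields["CreateDate"], "%m/%d/%Y %I:%M:%S %p")
        rec["create_date_utc"] = naive.replace(tzinfo=timezone.utc).isoformat()
    return rec


def parse_lines(lines) -> tuple[list[dict], list[tuple[int, str]]]:
    """Parse a batch, collecting (line number, error) for rejects instead of aborting the batch."""
    records, errors = [], []
    for num, line in enumerate(lines, 1):
        try:
            records.append(parse_passwordsafe(line))
        except ValueError as exc:
            errors.append((num, str(exc)))
    return records, errors


def api_logins_outside(records, trusted_cidrs) -> list[dict]:
    """API sign-ins whose IPAddress is not inside any trusted network (or cannot be parsed at all)."""
    nets = [ipaddress.ip_network(cidr) for cidr in trusted_cidrs]
    out = []
    for rec in records:
        if rec.get("ActionType") != "Login" or rec.get("Authentication Type") != "API":
            continue
        try:
            ip = ipaddress.ip_address(rec.get("IPAddress", ""))
        except ValueError:
            out.append(rec)  # an unparseable source address is itself worth a look
            continue
        if not any(ip in net for net in nets):
            out.append(rec)
    return out


if __name__ == "__main__":
    recs, errs = parse_lines(SAMPLE_LINES)
    for rec in api_logins_outside(recs, ["10.0.0.0/8"]):
        print(rec["AuditID"], rec["UserName"], rec["IPAddress"], rec["create_date_utc"])
    for num, err in errs:
        print(f"line {num}: {err}")
```

Note that the same fact appears under two keys in the real line (User and UserName, Source IP and IPAddress); the parser keeps both rather than guessing which one Hunters' normalized schema maps, so a query can be checked against either.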