Integrate Identity Security Insights with Elastic Security

Identity Security Insights integrations allow you to connect third-party security information and event management (SIEM) tools to your BeyondTrust Insights console. Once an integration is configured, Insights automatically sends information regarding new detections and recommendations to the provided endpoint.

Integrating Elastic supports forwarding of detections and recommendations from Insights to your SIEM. This accelerates root cause analysis and threat response at scale.

Elasticsearch is a distributed, RESTful search and analytics engine. It centrally stores your data for lightning fast search, fine‑tuned relevancy, and powerful analytics that scale with ease.

Retrieve the Elastic Security credentials

  1. Log in to your Elastic Cloud account and navigate to your desired deployment.
  2. From your deployment's overview page, copy the Cloud ID. This ID is required in the next section.
  3. Navigate to Security/API Keys.
  4. Click Create API Key, and enter a name for the new key. This key is required in the next section.

Add an Elastic integration in Insights

Create an Elastic Integration in Identity Security Insights.

  1. In the header of your Insights instance, click Menu > Integrations.
  2. Click Elastic.
    The Configure Integration page displays.
  3. Click Create Integration.


Provide Elastic Cloud ID and API Key for Elastic Integration in Insights

  1. Enter the Elastic Cloud ID and API Key that you obtained for your Elastic deployment in the previous section.
  2. Click Create Integration.


You are redirected to your Elastic integration dashboard, with your new integration added under Configured.

Edit or Delete an Elastic integration

The form to create your Elastic integration.

To edit an individual Elastic integration:

  1. Click the vertical ellipsis for a configured integration.
  2. Select Edit.
    The Configure Integration page displays.
  3. Edit the Cloud ID and API Key as necessary to assist in troubleshooting a failing integration.
  4. Click Save Integration.

Edits to an integration may take up to two minutes to take effect.


You can remove individual Elastic integrations by deleting them. Deleting an integration cannot be undone and all of its configuration settings and data are deleted.

To delete an individual Elastic integration:

  1. Click the vertical ellipsis for a configured integration.
  2. Select Delete.
  3. Type delete in the box to confirm you want to delete the integration.
  4. Click Delete Integration.

Elastic schema mapping

Field                               Internal Mapping
message                             "<incidentDescription>"
tags                                ["Detection | Recommendation"]
labels                              { "current_status": "<Open | Expected | FalsePositive | Resolved | InProgress>" }
event.id                            "<incidentId>"
event.url                           "https://app.beyondtrust.io/t/<tenantId>/detections/details/<incidentId>"
event.reason                        "<incidentDefinitionDetail>"
event.severity                      <incidentSeverity>
event.code                          "<incidentDefinitionId>"
rule.id                             "<incidentDefinitionId>"
rule.description                    "<incidentDescription>"
rule.version                        "<incidentDefinitionVersion>"
ecs.version                         "8.7.0"
impacted_entities[i].entity_id      "<incidentImpactedEntityId>"
impacted_entities[i].entity_type    "<incidentImpactedEntityType>"
impacted_entities[i].tenant_id      "<incidentImpactedEntityTenantId>"
impacted_entities[i].name           "<incidentImpactedEntityName>"
impacted_entities[i].description    "<incidentImpactedEntityDescription>"
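The mapping above, as an added Python example that is not part of BeyondTrust's documentation: it lays a constructed incident out as the ECS document the table describes, and checks a received document against the mapping (tag and status values, event.url pointing at event.id, event.code matching rule.id, complete impacted_entities entries). The input key names in SAMPLE_INCIDENT are assumed; the page only shows them as placeholders.

```python
import re

VALID_TAGS = {"Detection", "Recommendation"}
VALID_STATUSES = {"Open", "Expected", "FalsePositive", "Resolved", "InProgress"}
ENTITY_KEYS = {"entity_id", "entity_type", "tenant_id", "name", "description"}
EVENT_URL = re.compile(r"^https://app\.beyondtrust\.io/t/(?P<tenant>[^/]+)/detections/details/(?P<incident>[^/]+)$")

# Constructed sample; these input key names are assumed, not Insights' documented payload.
SAMPLE_INCIDENT = {
    "incidentId": "inc-42", "tenantId": "t-001", "kind": "Detection", "currentStatus": "Open",
    "incidentDescription": "Privileged account signed in from a new location",
    "incidentDefinitionDetail": "Sign-in from an unseen geography", "incidentSeverity": 7,
    "incidentDefinitionId": "def-7", "incidentDefinitionVersion": "1.2", "impactedEntities": [
        {"entity_id": "u-9", "entity_type": "User", "tenant_id": "t-001", "name": "admin", "description": "Global admin"}],
}

def to_ecs_document(incident: dict) -> dict:
    """Lay an incident out as the ECS 8.7.0 document the mapping table describes."""
    return {
        "message": incident["incidentDescription"],
        "tags": [incident["kind"]],  # "Detection" or "Recommendation"
        "labels": {"current_status": incident["currentStatus"]},
        "event": {"id": incident["incidentId"],
                  "url": f"https://app.beyondtrust.io/t/{incident['tenantId']}/detections/details/{incident['incidentId']}",
                  "reason": incident["incidentDefinitionDetail"],
                  "severity": incident["incidentSeverity"],  # unquoted in the table, so kept numeric
                  "code": incident["incidentDefinitionId"]},
        "rule": {"id": incident["incidentDefinitionId"],
                 "description": incident["incidentDescription"],
                 "version": incident["incidentDefinitionVersion"]},
        "ecs": {"version": "8.7.0"},
        "impacted_entities": [dict(e) for e in incident["impactedEntities"]],
    }

def validate_document(doc: dict) -> list:
    """Return each way `doc` deviates from the mapping; an empty list means it conforms."""
    problems, event, rule = [], doc.get("event", {}), doc.get("rule", {})
    if not doc.get("tags") or not VALID_TAGS.issuperset(doc["tags"]):
        problems.append("tags must contain Detection or Recommendation")
    if doc.get("labels", {}).get("current_status") not in VALID_STATUSES:
        problems.append("labels.current_status has an unknown value")
    match = EVENT_URL.match(event.get("url", ""))
    if not match or match["incident"] != event.get("id"):
        problems.append("event.url does not point at event.id")
    if event.get("code") != rule.get("id"):
        problems.append("event.code and rule.id must both carry the definition id")
    for i, ent in enumerate(doc.get("impacted_entities", [])):
        if ENTITY_KEYS - ent.keys():
            problems.append(f"impacted_entities[{i}] is missing {sorted(ENTITY_KEYS - ent.keys())}")
    return problems
```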