Integrate Identity Security Insights With Elastic Security

Identity Security Insights integrations allow you to connect third-party security information and event management (SIEM) tools to your BeyondTrust Insights console. Once an integration is configured, Insights automatically sends information regarding new detections and recommendations.

Retrieve the Elastic Security Credentials

  1. Log in to your Elastic Cloud account and navigate to your desired deployment.
  2. From your deployment's overview page, copy the Cloud ID. This ID is required in the next section.
  3. In Kibana, navigate to Stack Management > Security > API Keys.
  4. Click Create API Key, and enter a name for the new key. Copy the key in its encoded (Base64) form as soon as it is displayed: Elastic shows the key value only once and it cannot be retrieved later. By default an API key carries the full privileges of the user who created it, so if your deployment allows it, restrict the key to the privileges the integration needs to write its documents. This key is required in the next section.
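Before pasting the Cloud ID and API key into Insights, it is worth confirming that the two work together, which also shortens troubleshooting later. The following Python script is an added example, not code from this page or from BeyondTrust: it decodes a Cloud ID into the Elasticsearch and Kibana endpoints (a Cloud ID is "deployment-name:Base64", and the Base64 payload decodes to "host[:port]$es-uuid$kibana-uuid") and then calls Elasticsearch's GET /_security/_authenticate with the encoded key, which answers with the principal the key resolves to or HTTP 401 if the key is rejected. EXAMPLE_CLOUD_ID is a constructed value so that the decode step runs offline; the authentication call needs network access to your deployment.

```python
import base64
import json
import sys
import urllib.error
import urllib.request

# Constructed sample: a real Cloud ID is copied already encoded from the
# deployment overview page. This one is built here so the decode step runs offline.
EXAMPLE_CLOUD_ID = "my-deployment:" + base64.b64encode(
    b"us-east-1.aws.found.io:443$abcd1234$efgh5678"
).decode("ascii")


def decode_cloud_id(cloud_id: str) -> dict:
    """Turn an Elastic Cloud ID into its Elasticsearch and Kibana endpoints.

    A Cloud ID is "<deployment-name>:<Base64>"; the Base64 payload decodes to
    "<host>[:<port>]$<es-uuid>$<kibana-uuid>", and each service is reached at
    https://<uuid>.<host>:<port> (port 443 when none is given).
    """
    name, sep, payload = cloud_id.partition(":")
    if not sep or not payload:
        raise ValueError("Cloud ID must look like '<deployment-name>:<Base64>'")
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        raise ValueError(f"Cloud ID payload is not valid Base64: {exc}") from exc
    parts = decoded.split("$")
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError("decoded Cloud ID must contain host$es-uuid$kibana-uuid")
    host, es_uuid, kb_uuid = parts[:3]
    host, _, port = host.partition(":")
    port = port or "443"
    return {
        "deployment": name,
        "elasticsearch": f"https://{es_uuid}.{host}:{port}",
        "kibana": f"https://{kb_uuid}.{host}:{port}",
    }


def check_api_key(es_url: str, encoded_api_key: str, timeout: float = 10.0) -> dict:
    """Authenticate to Elasticsearch with the encoded API key.

    GET /_security/_authenticate returns the principal the key resolves to
    (username, roles, api_key id and name), or HTTP 401 if the key is wrong,
    expired or invalidated. Needs network access to the deployment.
    """
    req = urllib.request.Request(
        f"{es_url.rstrip('/')}/_security/_authenticate",
        headers={"Authorization": f"ApiKey {encoded_api_key}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        raise RuntimeError(f"API key rejected: HTTP {exc.code} {exc.reason}") from exc


if __name__ == "__main__":
    # Usage: python check_elastic_creds.py <cloud-id> <encoded-api-key>
    # With no arguments, only the offline decode of the constructed sample runs.
    if len(sys.argv) == 3:
        endpoints = decode_cloud_id(sys.argv[1])
        print(json.dumps(endpoints, indent=2))
        print(json.dumps(check_api_key(endpoints["elasticsearch"], sys.argv[2]), indent=2))
    else:
        print(json.dumps(decode_cloud_id(EXAMPLE_CLOUD_ID), indent=2))
```

The roles listed in the authenticate response are what the integration will write with; if they are broader than it needs, create a narrower key before saving the settings in Insights.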

Add an Elastic Integration

The Elastic dashboard in Identity Security Insights.

  1. Within your Insights instance, click Integrations from the Menu, and select Elastic on the following page.
  2. Click Add Integration beside the Elastic summary.
  3. Enter the details for your Elastic configuration:
    • Elastic Cloud ID: The Cloud ID for your Elastic deployment.
    • API Key: The API Key created in Elastic.
  4. Click Save Settings. You are redirected to your Elastic integration dashboard, with your new integration added.

Edit an Elastic Integration

The form to create your Elastic integration.

Individual Elastic integrations can be edited or removed by clicking the ellipsis (...) beside a configured integration.

Clicking Edit directs you to the configuration details page for your integration. From here, you can edit the Cloud ID and API Key, for example to troubleshoot a failing integration after the key has been rotated or invalidated in Elastic.

Clicking Delete removes this integration entirely.

Edits to an integration may take up to two minutes to take effect.

Elastic Schema Mapping

Each new detection or recommendation is sent to Elastic as one Elastic Common Schema (ECS) 8.7.0 document. The tags array holds a single value, Detection or Recommendation; labels.current_status holds one of the listed status values; event.code and rule.id both carry the detection definition ID; and impacted_entities is a custom (non-ECS) array with one element per affected entity.

Field                              Internal mapping
message                            "<incidentDescription>"
tags                               ["<Detection | Recommendation>"]
labels                             { "current_status": "<Open | Expected | FalsePositive | Resolved | InProgress>" }
event.id                           "<incidentId>"
event.url                          "https://app.beyondtrust.io/t/<tenantId>/detections/details/<incidentId>"
event.reason                       "<incidentDefinitionDetail>"
event.severity                     <incidentSeverity> (numeric, not quoted)
event.code                         "<incidentDefinitionId>"
rule.id                            "<incidentDefinitionId>"
rule.description                   "<incidentDescription>"
rule.version                       "<incidentDefinitionVersion>"
ecs.version                        "8.7.0"
impacted_entities[i].entity_id     "<incidentImpactedEntityId>"
impacted_entities[i].entity_type   "<incidentImpactedEntityType>"
impacted_entities[i].tenant_id     "<incidentImpactedEntityTenantId>"
impacted_entities[i].name          "<incidentImpactedEntityName>"
impacted_entities[i].description   "<incidentImpactedEntityDescription>"
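As an added example (not code from this page or from BeyondTrust), the Python below builds the ECS document for one incident field for field according to the table, and then checks a received document against the same constraints, which is what you would run in a test harness or an ingest-pipeline check before writing Elastic detection rules on these fields. The incident key names (incidentId, incidentKind, incidentStatus, impactedEntities and so on) are an assumed shape modelled on the placeholders in the table, not a documented Insights API, and SAMPLE_INCIDENT is constructed data.

```python
import json
import re

ECS_VERSION = "8.7.0"
INCIDENT_KINDS = {"Detection", "Recommendation"}
STATUSES = {"Open", "Expected", "FalsePositive", "Resolved", "InProgress"}
ENTITY_KEYS = ("entity_id", "entity_type", "tenant_id", "name", "description")
URL_RE = re.compile(r"^https://app\.beyondtrust\.io/t/([^/]+)/detections/details/([^/]+)$")

# Constructed sample incident. The key names are an assumed shape modelled on the
# placeholders in the mapping table, not a documented Insights API.
SAMPLE_INCIDENT = {
    "incidentId": "inc-0001",
    "tenantId": "tenant-42",
    "incidentKind": "Detection",
    "incidentStatus": "Open",
    "incidentDescription": "Privileged account signed in from an unmanaged host",
    "incidentDefinitionId": "def-0042",
    "incidentDefinitionDetail": "A tier-0 account authenticated from a host with no endpoint agent",
    "incidentDefinitionVersion": "3",
    "incidentSeverity": 7,
    "impactedEntities": [{"id": "user-9", "type": "User", "tenantId": "tenant-42",
                          "name": "svc-backup", "description": "Backup service account"}],
}


def to_ecs(inc: dict) -> dict:
    """Build the ECS 8.7.0 document for one incident, field for field as in the table."""
    if inc["incidentKind"] not in INCIDENT_KINDS or inc["incidentStatus"] not in STATUSES:
        raise ValueError("incident kind or status outside the values the mapping allows")
    return {
        "message": inc["incidentDescription"],
        "tags": [inc["incidentKind"]],                       # exactly one of the two kinds
        "labels": {"current_status": inc["incidentStatus"]},
        "event": {
            "id": inc["incidentId"],
            "url": f"https://app.beyondtrust.io/t/{inc['tenantId']}/detections/details/{inc['incidentId']}",
            "reason": inc["incidentDefinitionDetail"],
            "severity": int(inc["incidentSeverity"]),       # numeric, not quoted
            "code": inc["incidentDefinitionId"],
        },
        "rule": {
            "id": inc["incidentDefinitionId"],              # same value as event.code
            "description": inc["incidentDescription"],
            "version": inc["incidentDefinitionVersion"],
        },
        "ecs": {"version": ECS_VERSION},
        "impacted_entities": [                              # custom array, not an ECS field set
            {"entity_id": e["id"], "entity_type": e["type"], "tenant_id": e["tenantId"],
             "name": e["name"], "description": e["description"]}
            for e in inc["impactedEntities"]
        ],
    }


def _get(doc: dict, path: str):
    """Dotted lookup ("event.url") that returns None when a field is missing."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def validate_ecs(doc: dict) -> list:
    """Check a received document against the mapping; returns the list of problems (empty = OK)."""
    problems = []
    if _get(doc, "ecs.version") != ECS_VERSION:
        problems.append(f"ecs.version should be {ECS_VERSION!r}")
    tags = doc.get("tags")
    if not (isinstance(tags, list) and len(tags) == 1 and tags[0] in INCIDENT_KINDS):
        problems.append(f"tags must hold exactly one of {sorted(INCIDENT_KINDS)}, got {tags!r}")
    if _get(doc, "labels.current_status") not in STATUSES:
        problems.append("labels.current_status is not one of the documented statuses")
    if not isinstance(_get(doc, "event.severity"), int):
        problems.append("event.severity must be numeric")
    if _get(doc, "event.code") != _get(doc, "rule.id"):
        problems.append("event.code and rule.id must both carry the definition id")
    match = URL_RE.match(_get(doc, "event.url") or "")
    if not match:
        problems.append("event.url is not an Insights detection link")
    elif match.group(2) != _get(doc, "event.id"):
        problems.append("incident id in event.url does not match event.id")
    for i, entity in enumerate(doc.get("impacted_entities") or []):
        missing = [k for k in ENTITY_KEYS if k not in entity]
        if missing:
            problems.append(f"impacted_entities[{i}] is missing {missing}")
    return problems


if __name__ == "__main__":
    document = to_ecs(SAMPLE_INCIDENT)
    print(json.dumps(document, indent=2))
    print("problems:", validate_ecs(document))
```

When writing Elastic rules on these documents, tags, labels, event.*, rule.* and ecs.version are standard ECS fields, but impacted_entities is custom, so a rule that filters on impacted_entities.entity_type or impacted_entities.tenant_id needs that array mapped explicitly in the index template rather than relying on ECS defaults.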