Manage SIEM Connections

You can set up SIEM connections to integrate with Endpoint Privilege Management for Unix and Linux (EPM-UL) and AD Bridge events. The available connection types are Elasticsearch and Logstash.

 

You can have only one Elasticsearch type connection.

For information on configuring a SIEM connection for use with an EPM-UL server, see Configure SIEM for Use With an Endpoint Privilege Management for Unix and Linux Server.

Add a SIEM Connection

1. On the sidebar menu, click Settings > SIEM Connections.
2. In the SIEM Connections left panel, click Add Connection.
3. On the Create New SIEM Connection page, select the SIEM connection type.
4. In the SIEM Connection Details section, enter a name and URL for the connection.
5. Optionally, check the box to verify the certificate for the connection. You can use this option in the case of unknown signer, for example, if a self-signed certificate is in use.

For an Elasticsearch connection type:

1. In the Elasticsearch Connection Details section, select a credential type from the list: Username and Password or API Key.
2. Depending on the credential type you select, enter the following:
   • Username and Password
   • API ID and API Key
   • Cloud ID
3. You can leave the Optional Search Index Patterns Overrides section fields as is, because there are default pattern values. Optionally, enter the following:
   • EPM-UL Index Patterns
   • EPM-UL Session Replay Index Patterns
   • AD Bridge Index Patterns
4. Proceed to the "To complete the process for either connection type" section (after the Logstash section, next).

For a Logstash connection type:

1. Click the Information icon (next to Logstash Connection Details) to see sample configuration examples, and additional pipelines information
2. In the Logstash Connection Details section, enter a Username and Password.

To complete the process for either connection type:

1. In the BeyondInsight for Unix & Linux Logging section, select the logging option(s), to send BIUL Console Audit Data, System Logs, or Task Logs to the SIEM. When enabled, data that is regularly stored in the local log file or BIUL database is additionally forwarded to the elastic connection. This data is in the elastic common schema format. The data is then available via a grid in the Audit > Unified Search > BeyondInsight for Unix & Linux section.
2. Optionally, to test your updated settings and connection, click Test Settings, and check for the success message.
3. Click Save SIEM Connection.

Edit a SIEM Connection

You can change the settings for an existing SIEM connection.

1. On the sidebar menu, click Settings > SIEM Connections.
2. In the SIEM Connections list, select a connection.
3. On the Edit SIEM Connection page, make your modifications, and then click Save SIEM Connection.
4. Optionally, to test your updated settings and connection, click Test Settings.

Deploy a Kibana Dashboard

Connections using CloudID can identify the location to deploy the Kibana dashboard.

To deploy a Kibana dashboard, you must:

• Configure Elasticsearch in BIUL.
• Associate a Kibana instance with the Elasticsearch instance.
• Connect to your Elasticsearch instance using a CloudID.

To deploy a Kibana dashboard using BIUL:

1. On the sidebar menu, click Settings > SIEM Connections.
2. In the SIEM Connections list, select your Elasticsearch connection.
3. On the Edit SIEM Connection page, click to open the Elasticsearch Connection Details.
4. Click Deploy Dashboard.

 

5. The Kibana Dashboard URL appears.

 

6. Click the link to access the Kibana dashboard.

This is a prebuilt Kibana dashboard layout defined by BeyondTrust. The dashboard provides a few visualizations relevant to BeyondTrust products, including AD Bridge authentication events and EPM-UL policy events.

 

Delete a SIEM Connection

To delete an existing SIEM connection:

1. On the sidebar menu, click Settings > SIEM Connections.
2. In the SIEM Connections list, select a connection.
3. On the Edit SIEM Connection page, at the far right, click Delete Connection.
4. To confirm the deletion, click Delete.