Manage SIEM Connections

You can set up SIEM connections to integrate with Privilege Management for Unix and Linux and Active Directory Bridge events. The available connection types are Elasticsearch and Logstash.

You can have only one Elasticsearch type connection.

For information on configuring a SIEM connection for use with a Privilege Management for Unix and Linux server, please see Configure SIEM for Use With a Privilege Management for Unix and Linux Server.

Add a SIEM Connection

  1. On the sidebar menu, click Settings > SIEM Connections.
  2. In the SIEM Connections left panel, click Add Connection.
  3. On the Create New SIEM Connection page, select the SIEM connection type.
  4. In the SIEM Connection Details section, enter a name and URL for the connection.
  5. Optionally, check the box to verify the certificate for the connection. You can use this option when the certificate signer is unknown, for example, when a self-signed certificate is in use.

For an Elasticsearch connection type:

You can define the location of an Elasticsearch instance using two methods within BIUL:

  • Directly specifying the URL of the Elasticsearch instance.
  • Providing a Cloud ID that identifies the Elasticsearch instance.

The direct URL method specifies the location of Elasticsearch only; it carries no information about the location of Kibana.

The Cloud ID method encodes the locations of both Elasticsearch and Kibana. Only connections that use a Cloud ID can identify the location to which the Kibana dashboard is deployed.
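To make the difference between the two methods concrete, the following added example (not part of this documentation or of the BIUL product) decodes the documented Elastic Cloud ID format, `<deployment_name>:<base64("host[:port]$es_id$kibana_id")>`, into the Elasticsearch and Kibana endpoints it carries. The deployment name, host and ids in the sample are constructed placeholders; the port default of 443 is an assumption about how the client treats a Cloud ID with no explicit port.

```python
import base64
from dataclasses import dataclass
from typing import Optional


@dataclass
class CloudEndpoints:
    deployment: str
    elasticsearch_url: str
    kibana_url: Optional[str]  # None when the Cloud ID carries no Kibana id


def decode_cloud_id(cloud_id: str) -> CloudEndpoints:
    """Decode an Elastic Cloud ID into its Elasticsearch and Kibana URLs.

    A direct Elasticsearch URL cannot yield a Kibana location; a Cloud ID can,
    because both ids are embedded in the base64 payload.
    """
    if ":" not in cloud_id:
        raise ValueError("Cloud ID must look like <deployment_name>:<base64 payload>")
    name, _, payload = cloud_id.partition(":")
    try:
        decoded = base64.b64decode(payload, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("Cloud ID payload is not valid base64") from exc
    parts = decoded.split("$")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("Cloud ID payload must contain host$es_id[$kibana_id]")
    host, es_id = parts[0], parts[1]
    kibana_id = parts[2] if len(parts) > 2 else ""
    if ":" in host:
        hostname, port = host.split(":", 1)
        if not port.isdigit():
            raise ValueError(f"invalid port in Cloud ID host: {host!r}")
    else:
        hostname, port = host, "443"  # assumed default when no port is encoded
    es_url = f"https://{es_id}.{hostname}:{port}"
    kibana_url = f"https://{kibana_id}.{hostname}:{port}" if kibana_id else None
    return CloudEndpoints(name, es_url, kibana_url)


def _make_cloud_id(name: str, host: str, es_id: str, kibana_id: str = "") -> str:
    """Build a Cloud ID from its parts; used here only to construct sample input."""
    payload = f"{host}${es_id}${kibana_id}"
    return f"{name}:{base64.b64encode(payload.encode('ascii')).decode('ascii')}"


# Constructed sample (placeholder deployment, host and ids, not a real deployment).
SAMPLE_CLOUD_ID = _make_cloud_id("biul-demo", "example.cloud.invalid:9243", "es0000", "kb0000")

if __name__ == "__main__":
    print(decode_cloud_id(SAMPLE_CLOUD_ID))
```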

  1. In the Elasticsearch Connection Details section, select a credential type from the list: Username and Password or API Key.
  2. Depending on the credential type you select, enter the following:
    • Username and Password
    • API ID and API Key
    • Cloud ID
  3. You can leave the Optional Search Index Patterns Overrides section fields as is, because there are default pattern values. Optionally, enter the following:
    • PMUL Index Patterns
    • PMUL Session Replay Index Patterns
    • AD Bridge Index Patterns

For a Logstash connection type, click the Information icon (next to Logstash Connection Details) to see sample configuration examples and additional pipeline information.

To complete the process for either connection type:

  1. In the BeyondInsight for Unix & Linux Logging section, select the logging option(s) to send BIUL Console Audit Data, System Logs, or Task Logs to the SIEM. When enabled, data that is normally stored in the local log file or the BIUL database is additionally forwarded to the Elastic connection. This data is in the Elastic Common Schema (ECS) format. The data is then available in a grid in the Audit > Unified Search > BeyondInsight for Unix & Linux section.
  2. Optionally, to test your settings and connection, click Test Settings, and check for the success message.
  3. Click Save SIEM Connection.

Edit a SIEM Connection

You can change the settings for an existing SIEM connection.

  1. On the sidebar menu, click Settings > SIEM Connections.
  2. In the SIEM Connections list, select a connection.
  3. On the Edit SIEM Connection page, make your modifications, and then click Save SIEM Connection.
  4. Optionally, to test your updated settings and connection, click Test Settings.

Delete a SIEM Connection

To delete an existing SIEM connection:

  1. On the sidebar menu, click Settings > SIEM Connections.
  2. In the SIEM Connections list, select a connection.
  3. On the Edit SIEM Connection page, at the far right, click Delete Connection.
  4. To confirm the deletion, click Delete.