Work with Data in Splunk Enterprise
When using Splunk DB Connect to import data, BeyondTrust provides four denormalized views:
- ExportDefendpointStarts
- ExportLogons
- ExportPrivilegedAccountProtection
- ExportProcesses
The views allow you to import BeyondTrust audit data into SIEM systems such as Splunk Enterprise. Each view has a rising column, a strictly increasing value that the SIEM system records as a checkpoint so that each poll fetches only rows it has not already imported.
| View | Description |
| --- | --- |
| ExportProcesses | Returns the Process Control events, such as elevating or blocking applications. The columns include: Also includes event action flags: ProcessID is the rising column and ProcessStartTime is the timestamp. |
| ExportLogons | Returns the Logon events in the database. The columns include: LogonID is the rising column and LogonTime is the timestamp. |
| ExportDefendpointStarts | Returns the Privilege Management started events in the database. The columns include: SessionID is the rising column and SessionStartTime is the timestamp. |
| ExportPrivilegedAccountProtection | Returns the Privilege Management events in the database. The columns include: ID is the rising column and TimeGenerated is the timestamp. |
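The following is an added example, not code from BeyondTrust or from Splunk DB Connect, that shows why the rising column and the timestamp column are kept separate in these views. It simulates a DB Connect rising-column input against a constructed in-memory stand-in for the ExportProcesses view: each poll runs `SELECT ... WHERE <rising column> > ? ORDER BY <rising column>` and keeps the highest value returned as the checkpoint. Only ProcessID and ProcessStartTime come from the documentation; the `Detail` column, the sample rows and the late-arriving event are constructed for the demonstration. Driving the checkpoint from the timestamp instead of ProcessID loses events when several share a timestamp across a batch boundary and when an event lands in the view with an older timestamp than the checkpoint.

```python
"""Rising-column polling against a BeyondTrust export view (added example).

Not part of the BeyondTrust or Splunk documentation. ProcessID (rising column)
and ProcessStartTime (timestamp) are the ExportProcesses columns named in the
documentation; the Detail column and all rows are constructed test data.
"""
import sqlite3

VIEW = "ExportProcesses"
RISING_COLUMN = "ProcessID"
TIMESTAMP_COLUMN = "ProcessStartTime"
# Only these names may be interpolated into SQL; everything else is bound.
ALLOWED_COLUMNS = {RISING_COLUMN, TIMESTAMP_COLUMN}


def build_sample_db() -> sqlite3.Connection:
    """Create a constructed stand-in for the ExportProcesses view."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {VIEW} ({RISING_COLUMN} INTEGER PRIMARY KEY, "
        f"{TIMESTAMP_COLUMN} TEXT NOT NULL, Detail TEXT)"
    )
    rows = [  # constructed sample events; 101 and 102 share a timestamp
        (101, "2024-01-10T09:00:00", "elevated: cmd.exe"),
        (102, "2024-01-10T09:00:00", "elevated: regedit.exe"),
        (103, "2024-01-10T09:05:00", "blocked: unknown.exe"),
    ]
    conn.executemany(f"INSERT INTO {VIEW} VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def poll(conn, checkpoint, column=RISING_COLUMN, batch_size=1000):
    """One DB Connect-style poll: rows strictly after the checkpoint, ascending.

    Returns (rows, new_checkpoint). The checkpoint advances to the last value
    of `column` in the batch, which is exactly what a rising-column input does.
    """
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"unexpected checkpoint column: {column!r}")
    sql = (
        f"SELECT {RISING_COLUMN}, {TIMESTAMP_COLUMN}, Detail FROM {VIEW} "
        f"WHERE {column} > ? ORDER BY {column} ASC, {RISING_COLUMN} ASC LIMIT ?"
    )
    rows = conn.execute(sql, (checkpoint, batch_size)).fetchall()
    if rows:
        checkpoint = rows[-1][0 if column == RISING_COLUMN else 1]
    return rows, checkpoint


def drain(conn, checkpoint, column, batch_size, seen):
    """Poll until no new rows are returned, collecting ProcessID values."""
    while True:
        rows, checkpoint = poll(conn, checkpoint, column, batch_size)
        if not rows:
            return checkpoint
        seen.extend(row[0] for row in rows)


def ingest_all(column=RISING_COLUMN, batch_size=1000):
    """Run a full import, then a late-arriving event, then import again.

    Returns the ProcessID values the SIEM would have received, in order.
    """
    conn = build_sample_db()
    checkpoint = 0 if column == RISING_COLUMN else ""
    seen = []
    checkpoint = drain(conn, checkpoint, column, batch_size, seen)
    # Constructed late-arriving event: a higher ProcessID but an older
    # ProcessStartTime than the latest row already imported.
    conn.execute(
        f"INSERT INTO {VIEW} VALUES (?, ?, ?)",
        (104, "2024-01-10T09:00:00", "elevated: late.exe"),
    )
    conn.commit()
    drain(conn, checkpoint, column, batch_size, seen)
    return seen


if __name__ == "__main__":
    print("rising column = ProcessID        :", ingest_all(RISING_COLUMN))
    print("rising column = ProcessStartTime :", ingest_all(TIMESTAMP_COLUMN))
    print("timestamp, batch size 1          :", ingest_all(TIMESTAMP_COLUMN, 1))
```

With ProcessID as the checkpoint every event is delivered exactly once, including the late one; with the timestamp, the late event is never fetched because the checkpoint has already moved past its ProcessStartTime, and with a batch boundary between two rows that share a timestamp the second row is skipped as well. For audit data feeding detections, configure the DB Connect input with the rising column the view documents and use the timestamp column only for event time.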
For more information about the fields for each Privilege Management export view, please see Privilege Management Export Views.