Work with Data in Splunk Enterprise

When using Splunk DB Connect to import data, BeyondTrust provides four denormalized views:

ExportDefendpointStarts
ExportLogons
ExportPrivilegedAccountProtection
ExportProcesses

The views allow you to import BeyondTrust audit data into SIEM systems such as Splunk Enterprise. Each view has a rising column allowing the SIEM system to track the data already imported.

ExportProcesses	Returns the Process Control events such as elevating or blocking applications. The columns include: ApplicationDescription Publisher ProductVersion UserName HostName WorkstyleName Also includes event action flags: Elevated Blocked Passive ProcessID is the rising column and ProcessStartTime is the timestamp.
ExportLogons	Returns the Logon events in the database. The columns include: LogonTime UserName HostName WorkstyleName LogonID is the rising column and LogonTime is the timestamp.
ExportDefendpointStarts	Returns the Privilege Management started events in the database. The columns include: SessionStartTime HostName AgentVersion OS SessionID is the rising column and SessionStartTime is the timestamp.
ExportPrivilegedAccountProtection	Returns the Privilege Management events in the database. The columns include: TimeGenerated Access WorkstyleName UserName HostName ApplicationDescription ID is the rising column and TimeGenerated is the timestamp.

For more information about the fields for each Privilege Management export view, please see Privilege Management Export Views.