Configure BeyondTrust Privileged Remote Access for Using the SIEM Plugin

All of the steps in this section take place in the BeyondTrust /login administrative interface. Access your Privileged Remote Access interface by going to the hostname of your B Series Appliance followed by /login (for example, https://access.example.com/login).

SIEM plugin configuration is required for each BeyondTrust Appliance B Series configured in the application's configuration file.

Verify the API is Enabled

This integration requires the BeyondTrust XML API to be enabled. This feature is used by the BeyondTrust Middleware Engine to communicate with the BeyondTrust APIs.

Go to /login > Management > API Configuration and verify that Enable XML API is checked.

Create an OAuth API Account

The SIEM Tool API account is used from within SIEM Tool to make Command API calls to Privileged Remote Access.

  1. In /login, navigate to Management > API Configuration.
  2. Click Add.

  1. Check Enabled.
  2. Enter a name for the account.
  3. The OAuth Client ID and OAuth Client Secret are used during the OAuth configuration step in SIEM Tool.
  4. Under Permissions, check the following:
    • Command API: Full Access.
    • Reporting API: Allow Access to Support Session Reports and Recordings, and Allow Access to Presentation Session Reports and Recordings.
  5. Click Save at the top of the page to create the account.

Add an Outbound Event URL

  1. Go to /login > Management > Outbound Events.
  2. In the HTTP Recipients section, click Add and name it Integration or something similar.
  3. Enter the URL to use:
    • If using the default appliance ID:
      • http://<middleware-host>:<port>/PAMPost.
      • The default port is 8180.
    • If using an appliance ID other than the default:
      • http://<middleware-host>:<port>/PAMPost?appliance=<appliance-id> where <middleware-host> is the hostname where the BeyondTrust Middleware Engine is installed.
      • The default port is 8180.
      • The <appliance-id> is an arbitrary name, but note the value used, as it is required later in the plugin configuration. This name accepts only alphanumeric values, periods, and underscores.
  4. Scroll to Events to Send and check the following event: Support Session End.
  5. Click Save.

  1. The list of outbound events contains the event just added. The Status column displays a value of OK if communication is working. If communication is not working, the Status column displays an error which you can use to repair communication.
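
A pre-flight check for the recipient URL from step 3 of "Add an Outbound Event URL", before it is entered in /login. This is an added example, not BeyondTrust code; the function names and the mw.example.com host are hypothetical, and accepting https and comparing the path case-sensitively are assumptions.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORT = 8180        # default middleware port given in step 3
EVENT_PATH = "/PAMPost"    # recipient path given in step 3
# Appliance ID rule from step 3: alphanumerics, periods and underscores only.
APPLIANCE_ID = r"[A-Za-z0-9._]+"


def build_event_url(middleware_host, appliance_id=None, port=DEFAULT_PORT):
    """Build the HTTP recipient URL; leave appliance_id unset for the default ID."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    url = f"http://{middleware_host}:{port}{EVENT_PATH}"
    if appliance_id is None:
        return url
    if not re.fullmatch(APPLIANCE_ID, appliance_id):
        raise ValueError(f"invalid appliance ID: {appliance_id!r}")
    return f"{url}?appliance={appliance_id}"


def check_event_url(url):
    """Return the problems found in a recipient URL (empty list if none)."""
    problems = []
    parts = urlsplit(url)
    # The page shows http; accepting https as well is an assumption.
    if parts.scheme not in ("http", "https"):
        problems.append(f"unexpected scheme {parts.scheme!r}")
    if not parts.hostname:
        problems.append("missing middleware host")
    try:
        port = parts.port      # raises ValueError on a non-numeric port
    except ValueError:
        port = None
    if port is None:
        problems.append(f"missing or invalid port (default is {DEFAULT_PORT})")
    # Exact-case path comparison is an assumption, matching the page's spelling.
    if parts.path != EVENT_PATH:
        problems.append(f"path is {parts.path!r}, expected {EVENT_PATH!r}")
    # Check the raw query so percent-encoded or extra parameters are rejected.
    if parts.query and not re.fullmatch("appliance=" + APPLIANCE_ID, parts.query):
        problems.append(f"bad appliance parameter: {parts.query!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(build_event_url("mw.example.com", "pra_site.1"))
    for sample in ("http://mw.example.com:8180/PAMPost?appliance=site-1",
                   "http://mw.example.com/pampost"):
        print(sample, "->", check_event_url(sample))
```

The appliance ID that passes this check is the value to record for the later plugin configuration.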