Skip to content

Beyond Identity

Beyond Identity

About

Beyond Identity is a security company solving an identity problem. FIDO2 certified and architected to deliver the highest assurance of identity and device trust, we take the burden of security off of humans and enable enterprise zero trust authentication.

Product Details

Vendor URL: Beyond Identity

Product Type: Privileged Account Monitoring

Product Tier: Tier III

Integration Method: Syslog

Integration URL: Beyond Identity integration guide

Parser Details

Log Format: JSON

Expected Normalization Rate: 100%

Data Label: BEYOND_IDENTITY

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
id metadata.product_log_id
data.type_name metadata.description
Identity metadata.product_name
Beyond metadata.vendor_name
event_type metadata.product_event_type
actor.display_name principal.user.user_display_name
service principal.application
actor.display_id principal.user.userid
data.login_hint principal.user.userid
data.client.domain_name principal.administrative_domain
data.grantor.device_info.platform_device_info.os.domain_name principal.administrative_domain
data.device_added.device_info.platform_device_info.os.domain_name principal.administrative_domain
actor.tenant_id .principal.administrative_domain
data.device_info.platform_device_info.type_name principal.platform
data.grantor.device_info.platform_device_info.type_name principal.platform
data.device_added.device_info.platform_device_info.type_name principal.platform
data.device_info.platform_device_info.os.version.build principal.platform_version
data.grantor.device_info.platform_device_info.os.version.build principal.platform_version
data.client.auth_origin_host principal.hostname
data.device_info.platform_device_info.os.hostname principal.hostname
data.grantor.device_info.platform_device_info.os.hostname principal.hostname
data.device_added.device_info.platform_device_info.os.hostname principal.hostname
data.client.source_ips principal.ip
data.device_info.platform_device_info.hardware.manufacturer principal.asset.hardware.model
data.grantor.device_info.platform_device_info.hardware.manufacturer principal.asset.hardware.model
data.device_info.platform_device_info.hardware.model principal.asset.hardware.model
data.grantor.device_info.platform_device_info.hardware.model principal.asset.hardware.model
data.device_info.platform_device_info.hardware.serial_number principal.asset.hardware.serial
data.group.name target.group.group_display_name
data.enrollment.user.given_name target.user.first_name
data.user.given_name target.user.first_name
data.enrollment.user.family_name target.user.last_name
data.user.family_name target.user.last_name
data.enrollment.user.internal_id target.user.product_object_id
data.user.internal_id target.user.product_object_id
data.enrollment.user.user_display target.user.user_display_name
data.user.user_display target.user.user_display_name
data.enrollment.user.user_name target.user.userid
data.user.user_name target.user.userid
data.enrollment.user.email target.user.email_addresses
data.user.email target.user.email_addresses
data.redirect_uri target.url
data.device_added.device_info.platform_device_info.os.hostname target.hostname
data.device_added.device_info.platform_device_info.hardware.manufacturer target.asset.hardware.manufacturer
data.device_added.device_info.platform_device_info.hardware.model target.asset.hardware.model
data.device_added.device_info.platform_device_info.hardware.serial_number target.asset.hardware.serial_number
data.client.referer_host network.http.referral_url
data.client.user_agent network.http.user_agent
data.result.matched_rule_id security_result.rule_id
data.action security_result.action_details
outcome security_result.action_details

Product Event Types

event_type UDM Event Classification
event_type contains GROUP_CHANGE or GROUP_MEMBERSHIP_CHANGE GROUP_UNCATEGORIZED
event_type contains OIDC_INBOUND NETWORK_UNCATEGORIZED
event_type contains ADD_DEVICE STATUS_UNCATEGORIZED
event_type contains DEVICE_CREDENTIAL_CHANGE or ENROLLMENT_CHANGE or USER_AUTHENTICATION or USER_CHANGE USER_UNCATEGORIZED
all others GENERIC_EVENT

Log Sample

<82> 
{
  "raw": {
    "id": "aa4c8383-8176-4a7b-aa75-e2a0a755c3ea",
    "correlation_id": "aa59c7c5-2efe-4650-9b20-627105fa2b03",
    "service": "authd",
    "event_occurred_millis": 1687272751387,
    "event_recorded_millis": 1687272751413,
    "outcome": "SUCCESS",
    "attested": true,
    "event_type": "OIDC_INBOUND",
    "data": {
      "type_name": "OidcInbound",
      "client": {
        "type_name": "Client",
        "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
        "referer_host": "hostname.com",
        "auth_origin_host": "hostname.com",
        "source_ip": "10.0.0.3",
        "city": "Kansas City",
        "country": "United States",
        "geo_display": "Kansas City, Missouri, United States",
        "subdivisions": [
          "Texas"
        ],
        "source_ips": [
          "10.0.0.3",
          "10.0.0.4"
        ],
        "authenticator_ip": "10.0.0.1"
      },
      "scope": "openid",
      "response_type": "code",
      "redirect_uri": "https://hostname.com/oauth2/v1/authorize/callback",
      "state": "dzRFSjVGT09yWGdiZHQrbUQ5akNoYktYYVVES1RCVG4vSUJZMWV0SWRJeGFZRHdQeVZYR0ZCRkVhUU5hNzY511",
      "login_hint": "john_doe"
    },
    "event_log_level": "INFO"
  },
  "additional_list": [
    {
      "key": "intel:threat:sources",
      "value": "[]"
    },
    {
      "key": "intel:source:ip:geoIP:location",
      "value": "[38.88, -94.58]"
    },
    {
      "key": "intel:mods",
      "value": "[\"usrAgnt\", \"getGeoIP\"]"
    },
    {
      "key": "intel:sources",
      "value": "[\"geoIP\"]"
    },
    {
      "key": "intel:enriched",
      "value": "[\"source.hostname:intel.source.ip.rlu.hostname\"]"
    }
  ],
  "additional_string": [
    {
      "key": "meta:rev",
      "value": "82"
    },
    {
      "key": "meta:rev_text",
      "value": "domain:meta:rev_text_82"
    },
    {
      "key": "meta:fingerprint",
      "value": "ea5a802e1be996331b69a566a5a62fa14aad39c4"
    },
    {
      "key": "intel:threat:score",
      "value": "0"
    },
    {
      "key": "intel:threat:count",
      "value": "0"
    },
    {
      "key": "intel:source:ip:geoIP:country",
      "value": "US"
    },
    {
      "key": "intel:source:ip:geoIP:continent",
      "value": "NA"
    },
    {
      "key": "intel:source:ip:geoIP:timezone",
      "value": "None"
    },
    {
      "key": "intel:source:ip:rlu:answer",
      "value": "True"
    },
    {
      "key": "intel:source:ip:rlu:internal",
      "value": "False"
    },
    {
      "key": "intel:source:ip:rlu:ip",
      "value": "10.0.0.3"
    },
    {
      "key": "intel:source:ip:rlu:hostname",
      "value": "hostname2.com"
    },
    {
      "key": "intel:source:ip:rlu:ts",
      "value": "1687272538"
    },
    {
      "key": "intel:source:ip:rlu:iref",
      "value": "3"
    },
    {
      "key": "intel:source:ip:bloxone_uat:ip",
      "value": "10.0.0.3"
    },
    {
      "key": "intel:source:ip:uat:user_id",
      "value": "john_doe"
    },
    {
      "key": "intel:source:ip:uat:iref",
      "value": "3"
    },
    {
      "key": "intel:source:ip:subnet:network",
      "value": "10.0.0.1/24"
    },
    {
      "key": "intel:source:ip:subnet:description",
      "value": "internet-egress"
    },
    {
      "key": "intel:source:ip:subnet:priority",
      "value": "PRIORITY_5"
    },
    {
      "key": "intel:source:ip:subnet:visibility",
      "value": "Public"
    },
    {
      "key": "intel:source:ip:subnet:region",
      "value": "Kansas City"
    },
    {
      "key": "intel:source:ip:subnet:pri_contact",
      "value": "Doe, John"
    },
    {
      "key": "intel:source:ip:subnet:group_contact",
      "value": "Firewall"
    },
    {
      "key": "intel:source:ip:subnet:owner",
      "value": "Unknown"
    },
    {
      "key": "intel:source:ip:subnet:site",
      "value": "Unknown"
    },
    {
      "key": "intel:source:ip:subnet:role",
      "value": "Unknown"
    },
    {
      "key": "intel:source:ip:subnet:first_seen",
      "value": "11/06/2021 04:41:17 PM"
    },
    {
      "key": "intel:source:ip:bsubnet:ip_start",
      "value": "10.0.0.1"
    },
    {
      "key": "intel:source:ip:subnet:ip_end",
      "value": "10.0.0.255"
    },
    {
      "key": "intel:source:ip:subnet:irev",
      "value": "3"
    },
    {
      "key": "intel:source:ip:subnet:iref",
      "value": "3"
    },
    {
      "key": "intel:destination:ip",
      "value": "{}"
    },
    {
      "key": "intel:count",
      "value": "1"
    },
    {
      "key": "log:cdh:input:type",
      "value": "scheduler"
    },
    {
      "key": "log:cdh:size",
      "value": "2983"
    },
    {
      "key": "log:cdh:ts:ari",
      "value": "1687272900"
    },
    {
      "key": "log:cdh:esize",
      "value": "6548"
    },
    {
      "key": "log:group",
      "value": "beyond_identity"
    },
    {
      "key": "log:type",
      "value": "oidc_inbound"
    }
  ],
  "@timestamp": "2023-06-20T14:52:31.413Z"
}

Sample Parsing

additional.fields["meta:fingerprint"] = "ea5a802e1be996331b69a566a5a62fa14aad39c4"
additional.fields["meta:rev_text"] = "meta:rev_text_82"
additional.fields["meta:rev"] = "82"
additional.fields["intel:count"] = "1"
additional.fields["intel:destination:ip"] = "{}"
additional.fields["intel:enriched"] = "[\"source.hostname:intel.source.ip.rlu.hostname\"]"
additional.fields["intel:mods"] = "[\"usrAgnt\", \"getGeoIP\"]"
additional.fields["intel:source:ip:uat:ip"] = "10.0.0.3"
additional.fields["intel:source:ip:uat:iref"] = "3"
additional.fields["intel:source:ip:uat:user_id"] = "tonedavi"
additional.fields["intel:source:ip:subnet:description"] = "internet-egress"
additional.fields["intel:source:ip:subnet:first_seen"] = "11/06/2021 04:41:17 PM"
additional.fields["intel:source:ip:subnet:group_contact"] = "Firewall"
additional.fields["intel:source:ip:subnet:ip_end"] = "10.0.0.255"
additional.fields["intel:source:ip:subnet:ip_start"] = "10.0.0.1"
additional.fields["intel:source:ip:subnet:iref"] = "3"
additional.fields["intel:source:ip:subnet:irev"] = "3"
additional.fields["intel:source:ip:subnet:network"] = "10.0.0.0/24"
additional.fields["intel:source:ip:subnet:owner"] = "Unknown"
additional.fields["intel:source:ip:subnet:pri_contact"] = "Doe, John"
additional.fields["intel:source:ip:subnet:priority"] = "PRIORITY_5"
additional.fields["intel:source:ip:subnet:region"] = "Kansas City"
additional.fields["intel:source:ip:subnet:role"] = "Unknown"
additional.fields["intel:source:ip:subnet:site"] = "Unknown"
additional.fields["intel:source:ip:subnet:visibility"] = "Public"
additional.fields["intel:source:ip:geoIP:continent"] = "NA"
additional.fields["intel:source:ip:geoIP:country"] = "US"
additional.fields["intel:source:ip:geoIP:timezone"] = "None"
additional.fields["intel:source:ip:rlu:answer"] = "True"
additional.fields["intel:source:ip:rlu:hostname"] = "hostname.com"
additional.fields["intel:source:ip:rlu:internal"] = "False"
additional.fields["intel:source:ip:rlu:ip"] = "10.0.0.3"
additional.fields["intel:source:ip:rlu:iref"] = "3"
additional.fields["intel:source:ip:rlu:ts"] = "1687272538"
additional.fields["intel:sources"] = "[\"geoIP\"]"
additional.fields["intel:threat:count"] = "0"
additional.fields["intel:threat:score"] = "0"
additional.fields["intel:threat:sources"] = "[]"
additional.fields["log:cdh:esize"] = "6548"
additional.fields["log:cdh:input:type"] = "scheduler"
additional.fields["log:cdh:size"] = "2983"
additional.fields["log:cdh:ts:ari"] = "1687272900"
additional.fields["log:group"] = "beyond_identity"
additional.fields["log:type"] = "oidc_inbound"
metadata.description = "OidcInbound"
metadata.event_timestamp.seconds = 1687272751
metadata.event_timestamp.nanos = 413000000
metadata.event_type = "NETWORK_UNCATEGORIZED"
metadata.id = "AAAAADv35Xz8hCBtmhGFUsHP34QAAAAABQAAACIAAAA="
metadata.ingested_timestamp.seconds = 1687272907
metadata.ingested_timestamp.nanos = 323680000
metadata.log_type = "BEYOND_IDENTITY"
metadata.product_event_type = "OIDC_INBOUND"
metadata.product_log_id = "aa4c8383-8176-4a7b-aa75-e2a0a755c3ea"
metadata.product_name = "Identity"
metadata.vendor_name = "Beyond"
network.http.referral_url = "Hostname"
network.http.user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
principal.application = "authd"
principal.hostname = "hostname"
principal.ip = "10.0.0.3"
principal.ip = "10.0.0.4"
principal.namespace = "namespace"
principal.user.userid = "jdoe"
security_result.action_details = "SUCCESS"
target.namespace = "namespace"
target.url = "https://hostname.com/oauth2/v1/authorize/callback"