Beyond Identity¶
About¶
Beyond Identity is a security company solving an identity problem. FIDO2 certified and architected to deliver the highest assurance of identity and device trust, we take the burden of security off humans and enable enterprise zero trust authentication.
Product Details¶
Vendor URL: Beyond Identity
Product Type: Privileged Account Monitoring
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Beyond Identity integration guide
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: BEYOND_IDENTITY
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
id | metadata.product_log_id |
data.type_name | metadata.description |
Identity | metadata.product_name |
Beyond | metadata.vendor_name |
event_type | metadata.product_event_type |
actor.display_name | principal.user.user_display_name |
service | principal.application |
actor.display_id | principal.user.userid |
data.login_hint | principal.user.userid |
data.client.domain_name | principal.administrative_domain |
data.grantor.device_info.platform_device_info.os.domain_name | principal.administrative_domain |
data.device_added.device_info.platform_device_info.os.domain_name | principal.administrative_domain |
actor.tenant_id | principal.administrative_domain |
data.device_info.platform_device_info.type_name | principal.platform |
data.grantor.device_info.platform_device_info.type_name | principal.platform |
data.device_added.device_info.platform_device_info.type_name | principal.platform |
data.device_info.platform_device_info.os.version.build | principal.platform_version |
data.grantor.device_info.platform_device_info.os.version.build | principal.platform_version |
data.client.auth_origin_host | principal.hostname |
data.device_info.platform_device_info.os.hostname | principal.hostname |
data.grantor.device_info.platform_device_info.os.hostname | principal.hostname |
data.device_added.device_info.platform_device_info.os.hostname | principal.hostname |
data.client.source_ips | principal.ip |
data.device_info.platform_device_info.hardware.manufacturer | principal.asset.hardware.model |
data.grantor.device_info.platform_device_info.hardware.manufacturer | principal.asset.hardware.model |
data.device_info.platform_device_info.hardware.model | principal.asset.hardware.model |
data.grantor.device_info.platform_device_info.hardware.model | principal.asset.hardware.model |
data.device_info.platform_device_info.hardware.serial_number | principal.asset.hardware.serial |
data.group.name | target.group.group_display_name |
data.enrollment.user.given_name | target.user.first_name |
data.user.given_name | target.user.first_name |
data.enrollment.user.family_name | target.user.last_name |
data.user.family_name | target.user.last_name |
data.enrollment.user.internal_id | target.user.product_object_id |
data.user.internal_id | target.user.product_object_id |
data.enrollment.user.user_display | target.user.user_display_name |
data.user.user_display | target.user.user_display_name |
data.enrollment.user.user_name | target.user.userid |
data.user.user_name | target.user.userid |
data.enrollment.user.email | target.user.email_addresses |
data.user.email | target.user.email_addresses |
data.redirect_uri | target.url |
data.device_added.device_info.platform_device_info.os.hostname | target.hostname |
data.device_added.device_info.platform_device_info.hardware.manufacturer | target.asset.hardware.manufacturer |
data.device_added.device_info.platform_device_info.hardware.model | target.asset.hardware.model |
data.device_added.device_info.platform_device_info.hardware.serial_number | target.asset.hardware.serial_number |
data.client.referer_host | network.http.referral_url |
data.client.user_agent | network.http.user_agent |
data.result.matched_rule_id | security_result.rule_id |
data.action | security_result.action_details |
outcome | security_result.action_details |
Product Event Types¶
event_type | UDM Event Classification |
---|---|
event_type contains GROUP_CHANGE or GROUP_MEMBERSHIP_CHANGE | GROUP_UNCATEGORIZED |
event_type contains OIDC_INBOUND | NETWORK_UNCATEGORIZED |
event_type contains ADD_DEVICE | STATUS_UNCATEGORIZED |
event_type contains DEVICE_CREDENTIAL_CHANGE or ENROLLMENT_CHANGE or USER_AUTHENTICATION or USER_CHANGE | USER_UNCATEGORIZED |
all others | GENERIC_EVENT |
Log Sample¶
<82>
{
"raw": {
"id": "aa4c8383-8176-4a7b-aa75-e2a0a755c3ea",
"correlation_id": "aa59c7c5-2efe-4650-9b20-627105fa2b03",
"service": "authd",
"event_occurred_millis": 1687272751387,
"event_recorded_millis": 1687272751413,
"outcome": "SUCCESS",
"attested": true,
"event_type": "OIDC_INBOUND",
"data": {
"type_name": "OidcInbound",
"client": {
"type_name": "Client",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"referer_host": "hostname.com",
"auth_origin_host": "hostname.com",
"source_ip": "10.0.0.3",
"city": "Kansas City",
"country": "United States",
"geo_display": "Kansas City, Missouri, United States",
"subdivisions": [
"Texas"
],
"source_ips": [
"10.0.0.3",
"10.0.0.4"
],
"authenticator_ip": "10.0.0.1"
},
"scope": "openid",
"response_type": "code",
"redirect_uri": "https://hostname.com/oauth2/v1/authorize/callback",
"state": "dzRFSjVGT09yWGdiZHQrbUQ5akNoYktYYVVES1RCVG4vSUJZMWV0SWRJeGFZRHdQeVZYR0ZCRkVhUU5hNzY511",
"login_hint": "john_doe"
},
"event_log_level": "INFO"
},
"additional_list": [
{
"key": "intel:threat:sources",
"value": "[]"
},
{
"key": "intel:source:ip:geoIP:location",
"value": "[38.88, -94.58]"
},
{
"key": "intel:mods",
"value": "[\"usrAgnt\", \"getGeoIP\"]"
},
{
"key": "intel:sources",
"value": "[\"geoIP\"]"
},
{
"key": "intel:enriched",
"value": "[\"source.hostname:intel.source.ip.rlu.hostname\"]"
}
],
"additional_string": [
{
"key": "meta:rev",
"value": "82"
},
{
"key": "meta:rev_text",
"value": "domain:meta:rev_text_82"
},
{
"key": "meta:fingerprint",
"value": "ea5a802e1be996331b69a566a5a62fa14aad39c4"
},
{
"key": "intel:threat:score",
"value": "0"
},
{
"key": "intel:threat:count",
"value": "0"
},
{
"key": "intel:source:ip:geoIP:country",
"value": "US"
},
{
"key": "intel:source:ip:geoIP:continent",
"value": "NA"
},
{
"key": "intel:source:ip:geoIP:timezone",
"value": "None"
},
{
"key": "intel:source:ip:rlu:answer",
"value": "True"
},
{
"key": "intel:source:ip:rlu:internal",
"value": "False"
},
{
"key": "intel:source:ip:rlu:ip",
"value": "10.0.0.3"
},
{
"key": "intel:source:ip:rlu:hostname",
"value": "hostname2.com"
},
{
"key": "intel:source:ip:rlu:ts",
"value": "1687272538"
},
{
"key": "intel:source:ip:rlu:iref",
"value": "3"
},
{
"key": "intel:source:ip:bloxone_uat:ip",
"value": "10.0.0.3"
},
{
"key": "intel:source:ip:uat:user_id",
"value": "john_doe"
},
{
"key": "intel:source:ip:uat:iref",
"value": "3"
},
{
"key": "intel:source:ip:subnet:network",
"value": "10.0.0.1/24"
},
{
"key": "intel:source:ip:subnet:description",
"value": "internet-egress"
},
{
"key": "intel:source:ip:subnet:priority",
"value": "PRIORITY_5"
},
{
"key": "intel:source:ip:subnet:visibility",
"value": "Public"
},
{
"key": "intel:source:ip:subnet:region",
"value": "Kansas City"
},
{
"key": "intel:source:ip:subnet:pri_contact",
"value": "Doe, John"
},
{
"key": "intel:source:ip:subnet:group_contact",
"value": "Firewall"
},
{
"key": "intel:source:ip:subnet:owner",
"value": "Unknown"
},
{
"key": "intel:source:ip:subnet:site",
"value": "Unknown"
},
{
"key": "intel:source:ip:subnet:role",
"value": "Unknown"
},
{
"key": "intel:source:ip:subnet:first_seen",
"value": "11/06/2021 04:41:17 PM"
},
{
"key": "intel:source:ip:subnet:ip_start",
"value": "10.0.0.1"
},
{
"key": "intel:source:ip:subnet:ip_end",
"value": "10.0.0.255"
},
{
"key": "intel:source:ip:subnet:irev",
"value": "3"
},
{
"key": "intel:source:ip:subnet:iref",
"value": "3"
},
{
"key": "intel:destination:ip",
"value": "{}"
},
{
"key": "intel:count",
"value": "1"
},
{
"key": "log:cdh:input:type",
"value": "scheduler"
},
{
"key": "log:cdh:size",
"value": "2983"
},
{
"key": "log:cdh:ts:ari",
"value": "1687272900"
},
{
"key": "log:cdh:esize",
"value": "6548"
},
{
"key": "log:group",
"value": "beyond_identity"
},
{
"key": "log:type",
"value": "oidc_inbound"
}
],
"@timestamp": "2023-06-20T14:52:31.413Z"
}
Sample Parsing¶
additional.fields["meta:fingerprint"] = "ea5a802e1be996331b69a566a5a62fa14aad39c4"
additional.fields["meta:rev_text"] = "meta:rev_text_82"
additional.fields["meta:rev"] = "82"
additional.fields["intel:count"] = "1"
additional.fields["intel:destination:ip"] = "{}"
additional.fields["intel:enriched"] = "[\"source.hostname:intel.source.ip.rlu.hostname\"]"
additional.fields["intel:mods"] = "[\"usrAgnt\", \"getGeoIP\"]"
additional.fields["intel:source:ip:uat:ip"] = "10.0.0.3"
additional.fields["intel:source:ip:uat:iref"] = "3"
additional.fields["intel:source:ip:uat:user_id"] = "john_doe"
additional.fields["intel:source:ip:subnet:description"] = "internet-egress"
additional.fields["intel:source:ip:subnet:first_seen"] = "11/06/2021 04:41:17 PM"
additional.fields["intel:source:ip:subnet:group_contact"] = "Firewall"
additional.fields["intel:source:ip:subnet:ip_end"] = "10.0.0.255"
additional.fields["intel:source:ip:subnet:ip_start"] = "10.0.0.1"
additional.fields["intel:source:ip:subnet:iref"] = "3"
additional.fields["intel:source:ip:subnet:irev"] = "3"
additional.fields["intel:source:ip:subnet:network"] = "10.0.0.0/24"
additional.fields["intel:source:ip:subnet:owner"] = "Unknown"
additional.fields["intel:source:ip:subnet:pri_contact"] = "Doe, John"
additional.fields["intel:source:ip:subnet:priority"] = "PRIORITY_5"
additional.fields["intel:source:ip:subnet:region"] = "Kansas City"
additional.fields["intel:source:ip:subnet:role"] = "Unknown"
additional.fields["intel:source:ip:subnet:site"] = "Unknown"
additional.fields["intel:source:ip:subnet:visibility"] = "Public"
additional.fields["intel:source:ip:geoIP:continent"] = "NA"
additional.fields["intel:source:ip:geoIP:country"] = "US"
additional.fields["intel:source:ip:geoIP:timezone"] = "None"
additional.fields["intel:source:ip:rlu:answer"] = "True"
additional.fields["intel:source:ip:rlu:hostname"] = "hostname.com"
additional.fields["intel:source:ip:rlu:internal"] = "False"
additional.fields["intel:source:ip:rlu:ip"] = "10.0.0.3"
additional.fields["intel:source:ip:rlu:iref"] = "3"
additional.fields["intel:source:ip:rlu:ts"] = "1687272538"
additional.fields["intel:sources"] = "[\"geoIP\"]"
additional.fields["intel:threat:count"] = "0"
additional.fields["intel:threat:score"] = "0"
additional.fields["intel:threat:sources"] = "[]"
additional.fields["log:cdh:esize"] = "6548"
additional.fields["log:cdh:input:type"] = "scheduler"
additional.fields["log:cdh:size"] = "2983"
additional.fields["log:cdh:ts:ari"] = "1687272900"
additional.fields["log:group"] = "beyond_identity"
additional.fields["log:type"] = "oidc_inbound"
metadata.description = "OidcInbound"
metadata.event_timestamp.seconds = 1687272751
metadata.event_timestamp.nanos = 413000000
metadata.event_type = "NETWORK_UNCATEGORIZED"
metadata.id = "AAAAADv35Xz8hCBtmhGFUsHP34QAAAAABQAAACIAAAA="
metadata.ingested_timestamp.seconds = 1687272907
metadata.ingested_timestamp.nanos = 323680000
metadata.log_type = "BEYOND_IDENTITY"
metadata.product_event_type = "OIDC_INBOUND"
metadata.product_log_id = "aa4c8383-8176-4a7b-aa75-e2a0a755c3ea"
metadata.product_name = "Identity"
metadata.vendor_name = "Beyond"
network.http.referral_url = "Hostname"
network.http.user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
principal.application = "authd"
principal.hostname = "hostname"
principal.ip = "10.0.0.3"
principal.ip = "10.0.0.4"
principal.namespace = "namespace"
principal.user.userid = "jdoe"
security_result.action_details = "SUCCESS"
target.namespace = "namespace"
target.url = "https://hostname.com/oauth2/v1/authorize/callback"
Rules¶
Coming Soon