BeyondTrust Cloud Privilege Broker

About

BeyondTrust Cloud Privilege Broker (CPB) is an entitlements and permissions management solution that enables customers to visualize and manage cloud access risk in hybrid and multicloud environments—all from a single interface.

Product Details

Vendor URL: BeyondTrust Cloud Privilege Broker

Product Type: Privileged Account Monitoring

Product Tier: Tier III

Integration Method: Syslog

Integration URL: BeyondTrust Cloud Privilege Broker

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: Syslog

Expected Normalization Rate: 90-100%

Data Label: BEYONDTRUST_CPB

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| AccessPolicyAdded | target.resource.name |
| AccessPolicyAdded | target.resource.id |
| Account | target.user.userid |
| ActionType | security_result.action_details |
| AgentID | principal.user.userid |
| AgentVer | metadata.product_version |
| Asset | target.resource.name |
| Asset | target.resource.id |
| AuditID | metadata.product_log_id |
| Category | about.labels.key.Category |
| ChangeReasonCD | about.labels.key.ChangeReasonCD |
| Description | target.group.group_display_name |
| Details | security_result.summary |
| DomainName | target.administrative_domain |
| EventName | metadata.product_event_type |
| GroupName | target.group.group_display_name |
| IPAddress | target.ip |
| LogID | metadata.product_log_id |
| ManagedAccount | target.user.userid |
| ObjectID | about.labels.key.ObjectID |
| ObjectType | about.labels.key.ObjectType |
| Operation | security_result.action_details |
| OS | principal.platform_version |
| PasswordHistory | security_result.summary |
| RoleAdded | principal.resource.name |
| RoleAdded | principal.resource.id |
| ServerName | target.administrative_domain |
| Source | principal.resource.name |
| Source | principal.resource.id |
| Source | principal.hostname |
| SourceHost | principal.hostname |
| SourceIP | principal.ip |
| SystemName | target.group.product_object_id |
| SystemName | security_result.summary |
| User | principal.user.userid |
| UserID | target.user.userid |
| UserName | principal.user.user_display_name |

Product Event Types

| eventname | UDM Event Classification |
|---|---|
| AccountManagement | USER_CHANGE_PASSWORD |
| Add | USER_CREATION |
| Administrator | SETTING_UNCATEGORIZED |
| all others | GENERIC_EVENT |
| Assign | USER_UNCATEGORIZED |
| Copy | SETTING_UNCATEGORIZED |
| Delete | USER_DELETION |
| DomainManagement | USER_UNCATEGORIZED |
| Edit | USER_CHANGE_PERMISSIONS |
| Login | USER_UNCATEGORIZED |
| Logout | USER_UNCATEGORIZED |
| Managed | USER_CHANGE_PASSWORD |
| Read | USER_RESOURCE_ACCESS |
| Requestor | USER_CREATION |

Log Sample

Jun 12 02:54:39 10.1.1.1 Agent Desc:  Agent ID: AppAudit Agent Ver:  Category: PMM Login Source Host:  Event Desc:  Event Name: Login OS:  Event Severity: 0 Source IP: 10.1.1.45 Event Subject: 3sda36 Event Type: 0 User: user Workgroup Desc:  Workgroup ID:  Workgroup Location:  AuditID: 13355 ActionType: Login SystemName: PMM Login AppUserID: 3sda36 CreateDate: 6/12/2022 2:54:19 AM UserName: user IPAddress: 10.1.1.45 User Name: user

Sample Parsing

metadata.event_timestamp = "2022-06-12T06:54:39Z"
metadata.event_type = "USER_UNCATEGORIZED"
metadata.vendor_name = "BeyondTrust"
metadata.product_name = "Cloud Priv Broker"
metadata.product_event_type = "Login"
metadata.ingested_timestamp = "2022-06-12T02:59:11.742309Z"
principal.user.userid = "user"
principal.user.user_display_name = "user"
principal.ip = "10.1.1.45"
principal.asset.ip = "10.1.1.45"
target.ip = "10.1.1.45"
target.asset.ip = "10.1.1.45"
about.labels.key = "Category"
about.labels.value = "PMM Login"
security_result.action_details = "Login"
extensions.auth.type = "SSO"
extensions.auth.mechanism = "USERNAME_PASSWORD"
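
To check locally that a CPB syslog line will normalize as shown above, the following added example (not the product's or the platform's own parser) tokenizes the sample's `Label: value` layout, where several labels contain spaces, and applies a subset of the field table plus the event-type table. It assumes the table's field names are the log labels with spaces removed; `tokenize` and `to_udm` are hypothetical helper names.

```python
import re

# Labels as they appear in the page's log sample (several contain spaces).
LABELS = ["Agent Desc", "Agent ID", "Agent Ver", "Category", "Source Host",
          "Event Desc", "Event Name", "OS", "Event Severity", "Source IP",
          "Event Subject", "Event Type", "User", "Workgroup Desc", "Workgroup ID",
          "Workgroup Location", "AuditID", "ActionType", "SystemName", "AppUserID",
          "CreateDate", "UserName", "IPAddress", "User Name"]
# A label only counts at the start of a token and directly before a colon.
LABEL_RE = re.compile(r"(?<!\S)(%s):" % "|".join(map(re.escape, LABELS)))

# Subset of the page's field table. Assumption: table names are the log labels
# with spaces removed ("Source IP" -> SourceIP).
FIELD_MAP = {"EventName": "metadata.product_event_type", "SourceIP": "principal.ip",
             "User": "principal.user.userid", "IPAddress": "target.ip",
             "UserName": "principal.user.user_display_name",
             "ActionType": "security_result.action_details"}
# The page's "Product Event Types" table; anything else is GENERIC_EVENT.
EVENT_TYPES = {"AccountManagement": "USER_CHANGE_PASSWORD", "Add": "USER_CREATION",
    "Administrator": "SETTING_UNCATEGORIZED", "Assign": "USER_UNCATEGORIZED",
    "Copy": "SETTING_UNCATEGORIZED", "Delete": "USER_DELETION",
    "DomainManagement": "USER_UNCATEGORIZED", "Edit": "USER_CHANGE_PERMISSIONS",
    "Login": "USER_UNCATEGORIZED", "Logout": "USER_UNCATEGORIZED",
    "Managed": "USER_CHANGE_PASSWORD", "Read": "USER_RESOURCE_ACCESS",
    "Requestor": "USER_CREATION"}

# Shortened copy of the page's log sample (empty fields kept on purpose).
SAMPLE = ("Jun 12 02:54:39 10.1.1.1 Agent Desc:  Agent ID: AppAudit Agent Ver:  "
          "Category: PMM Login Source Host:  Event Desc:  Event Name: Login OS:  "
          "Event Severity: 0 Source IP: 10.1.1.45 Event Subject: 3sda36 "
          "Event Type: 0 User: user AuditID: 13355 ActionType: Login "
          "SystemName: PMM Login CreateDate: 6/12/2022 2:54:19 AM "
          "UserName: user IPAddress: 10.1.1.45 User Name: user")

def tokenize(line):
    """Split 'Label: value Label: value' text; labels with no value are dropped."""
    hits = list(LABEL_RE.finditer(line))
    fields = {}
    for cur, nxt in zip(hits, hits[1:] + [None]):
        value = line[cur.end():nxt.start() if nxt else len(line)].strip()
        if value:
            fields[cur.group(1).replace(" ", "")] = value
    return fields

def to_udm(line):
    fields = tokenize(line)
    udm = {dst: fields[src] for src, dst in FIELD_MAP.items() if src in fields}
    udm["metadata.event_type"] = EVENT_TYPES.get(fields.get("EventName"), "GENERIC_EVENT")
    return udm
```

Comparing `to_udm(SAMPLE)` with the Sample Parsing values is a quick regression check when the log layout or the mapping changes.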

Parser Alerting

This product currently does not have any parser-based alerting.

Rules

Coming Soon