BEYONDTRUST ENDPOINT PRIVILEGE MANAGEMENT¶
About¶
BeyondTrust Endpoint Privilege Management (EPM) is a solution used to elevate a user's privileges to applications as defined by IT and security teams—and nothing more. Instead of granting administrative rights to employee, third-party, and vendor users whenever privilege is requested, privileges are distributed on an "as-needed" basis. This substantially shrinks the attack surface by implementing the principle of least privilege (POLP) without denying users the ability to complete their job-related tasks.
Product Details¶
Product Type: Privileged Account Monitoring
Product Tier: Tier III
Integration URL: BeyondTrust Technical Documentation and Support
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 95%-100%
Data Label: BEYONDTRUST_ENDPOINT
UDM Fields (all UDM fields used by the parser). Note that headers_http_version_s is mapped to both network.application_protocol and network.tls.version, so network.tls.version holds an HTTP version string such as "HTTP/1.1" rather than a TLS protocol version; detection content keyed on TLS version should not rely on this field for this log source. The headers_* and events_* values appear to describe the request that delivered the event to the EPM event gateway rather than network activity on the monitored endpoint.
Log File Field | UDM Field |
---|---|
_timestamp_t | metadata.event_timestamp |
agent_id_g | intermediary.resource.product_object_id |
agent_version_s | metadata.product_version |
EPMWinMac_Configuration_Application_Description_s | principal.resource_ancestors.name |
EPMWinMac_Configuration_Application_Type_s | principal.resource_ancestors.resource_subtype |
EPMWinMac_Event_Action_s | security_result.action_details |
event_action_s | metadata.product_event_type |
event_code_s | security_result.detection_fields |
event_id_g | metadata.product_log_id |
events_CompanyName_s | principal.user.company_name |
events_ConnectionId_s | principal.user.attribute.labels |
events_SalesforceId_s | principal.user.attribute.labels |
events_ServiceName_s | principal.application |
file_hash_sha1_s | target.file.sha1 |
file_hash_sha256_s | target.file.sha256 |
file_Owner_DomainName_s | target.domain.name |
file_owner_s | target.resource.name |
file_path_s | target.file.full_path |
file_pe_file_version_s | target.platform_version |
file_ProductVersion_s | target.platform_patch_level |
headers_http_version_s | network.application_protocol |
headers_http_version_s | network.tls.version |
headers_request_method_s | network.http.method |
host_ip_s | principal.ip |
host_name_s | principal.hostname |
host_os_type_s | principal.platform |
process_command_line_s | target.process.command_line |
process_executable_s | target.process.file.full_path |
process_parent_executable_s | target.process_ancestors.file.full_path |
process_parent_pid_d | target.process_ancestors.pid |
process_pid_d | target.process.pid |
TenantId | principal.group.product_object_id |
user_DomainNetBIOSName_s | principal.domain.name |
user_id_s | principal.user.windows_sid |
user_name_s | principal.user.user_display_name |
Product Event Types¶
Event | UDM Event Classification |
---|---|
user-logon | USER_LOGIN |
all others | GENERIC_EVENT |
Log Sample¶
{"value":[{"TenantId":"12345678-9d74-4f40-a94b-edd014b85651","SourceSystem":"RestAPI","MG":"","ManagementGroupName":"","TimeGenerated":"2024-02-05T17:03:18.2971768Z","Computer":"","RawData":"","EPMWinMac_PrivilegedGroup_Access_s":"","EPMWinMac_PrivilegedGroup_Name_s":"","EPMWinMac_PrivilegedGroup_RID_s":"","EPMWinMac_ServiceControl_Service_Action_s":"","EPMWinMac_ServiceControl_Service_DisplayName_s":"","EPMWinMac_ServiceControl_Service_Name_s":"","process_HostedFile_code_signature_valid_b":null,"process_HostedFile_code_signature_exists_b":null,"process_HostedFile_name_s":"","process_HostedFile_directory_s":"","process_HostedFile_uid_s":"","process_HostedFile_drive_letter_s":"","process_HostedFile_attributes_s":"","process_HostedFile_created_t":null,"process_HostedFile_extension_s":"","process_working_directory_s":"","process_parent_command_line_s":"","process_user_DomainNetBIOSName_s":"","file_code_signature_valid_b":null,"file_code_signature_exists_b":null,"file_name_s":"","file_directory_s":"","file_uid_s":"","file_drive_letter_s":"","file_attributes_s":"","file_created_t":null,"file_extension_s":"","EPMWinMac_Configuration_Rule_Action_s":"","EPMWinMac_Configuration_Name_s":"","EPMWinMac_Configuration_Application_Identifier_g":"","EPMWinMac_StoreApp_Publisher_s":"","EPMWinMac_StoreApp_Name_s":"","EPMWinMac_StoreApp_Version_s":"","event_outcome_s":"","host_architecture_s":"","host_os_ProductType_s":"","host_os_platform_s":"","host_os_name_s":"","host_os_version_s":"","host_os_family_s":"","host_os_full_s":"","host_ChassisType_s":"","host_uptime_d":null,"agent_ephemeral_id_g":"","EPMWinMac_Installer_Action_s":"","process_HostedFile_SourceUrl_s":"","process_HostedFile_ZoneTag_s":"","labels_related_item_id_g":"","EPMWinMac_Configuration_Message_UserReason_s":"","client_ip_s":"","client_Name_s":"","process_HostedFile_pe_file_version_s":"","process_HostedFile_pe_description_s":"","EPMWinMac_COM_AppID_g":"","EPMWinMac_COM_CLSID_g":"","EPMWinMac_COM_DisplayName_s":"","pr
ocess_HostedFile_code_signature_subject_name_s":"","process_HostedFile_hash_md5_g":"","process_HostedFile_hash_sha1_s":"","process_HostedFile_hash_sha256_s":"","process_HostedFile_pe_product_s":"","process_HostedFile_Owner_DomainName_s":"","process_HostedFile_Owner_Identifier_s":"","process_HostedFile_Owner_DomainNetBIOSName_s":"","process_HostedFile_Owner_Name_s":"","process_HostedFile_Owner_DomainIdentifier_s":"","process_HostedFile_owner_s":"","process_HostedFile_ProductVersion_s":"","EPMWinMac_Installer_UpgradeCode_g":"","EPMWinMac_Installer_ProductCode_g":"","file_SourceUrl_s":"","file_ZoneTag_s":"","process_HostedFile_path_s":"","process_HostedFile_DriveType_s":"","EPMWinMac_ActiveX_CLSID_g":"","EPMWinMac_ActiveX_Version_s":"","EPMWinMac_ActiveX_Codebase_s":"","ecs_version_s":"","event_created_t":null,"event_reason_s":"","event_category_s":"","event_kind_s":"","event_provider_s":"","event_type_s":"","user_email_s":"","EPMWinMac_AuthorizingUser_DomainNetBIOSName_s":"","EPMWinMac_AuthorizingUser_Identifier_s":"","EPMWinMac_AuthorizingUser_DomainName_s":"","EPMWinMac_AuthorizingUser_Name_s":"","EPMWinMac_AuthorizingUser_DomainIdentifier_s":"","EPMWinMac_Session_Administrator_b":null,"EPMWinMac_Session_Locale_s":"","EPMWinMac_Session_UILanguage_s":"","EPMWinMac_Session_WindowsSessionId_s":"","EPMWinMac_Session_Identifier_g":"","EPMWinMac_Session_PowerUser_b":null,"tags_s":"[\"AgentEventAudit\"]","_timestamp_t":"2024-02-05T17:00:46Z","process_executable_s":"c:\\windows\\system32\\process.exe","process_start_t":"2024-02-05T17:00:46Z","process_entity_id_g":"12345678-6d25-49d9-afcf-3c2b0c9217cb","process_user_id_s":"S-1-5-21-000000000-000000000-000000000-000000","process_user_domain_s":"Domain1","process_user_name_s":"User1","process_user_DomainIdentifier_s":"S-1-5-21-606747145-562591055-839522115","process_parent_pid_d":17200,"process_parent_entity_id_g":"12345678-cd35-469d-ba85-f81a6eb1ce11","process_parent_executable_s":"c:\\users\\User1\\appdata\\local\\temp\\i170
7152132\\windows\\resource\\jre\\bin\\process_ancestor.exe","process_ElevationRequired_b":false,"process_pid_d":7564,"process_command_line_s":"process.exe -show","event_id_g":"12345678-62e7-4ad4-9b14-a27c29b6cc57","event_code_s":"101","event_action_s":"process-start-add-admin-on-demand","user_DomainNetBIOSName_s":"Domain1","user_domain_s":"Domain1","user_id_s":"S-1-5-21-000000000-000000000-000000000-000000","user_name_s":"User1","user_DomainIdentifier_s":"S-1-5-21-000000000-000000000-000000000","events_RequestId_s":"0123456789ABC:00000001","events_ActionName_s":"BT.EventGateway.Controllers.AuditEventController.Post (EventGateway)","events_CompanyName_s":"Company1","events_ConnectionId_s":"0123456789ABC","events_ServiceName_s":"EventGateway","events_MachineName_s":"localhost","events_ActionId_g":"12345678-06b3-4b8e-af84-0f08c0f7e445","events__t_t":"2024-02-05T17:03:11.0064337Z","events_TenantId_g":"12345678-b4a5-d397-d9b7-4f3cef428174","events_CorrelationId_g":"12345678-2eb7-4697-a3e2-3548ef1d4c8e","events_AssemblyVersion_s":"23.9.581.0","events_RequestPath_s":"/events/v1/audit","events_ThreadId_d":62,"events_SalesforceId_s":"0123456789ABCDEFGH","events__i_s":"2b2bccdf","events_ProcessId_d":6258,"file_code_signature_subject_name_s":"Microsoft Windows","file_path_s":"c:\\windows\\system32\\process.exe","file_hash_md5_g":"","file_hash_sha1_s":"sha1","file_hash_sha256_s":"sha256","file_pe_product_s":"Internet Explorer","file_pe_file_version_s":"11.00.22621.1 (WinBuild.160101.0800)","file_pe_description_s":"IE Per-User Initialization Utility","file_Owner_DomainName_s":"Domain2","file_Owner_Identifier_s":"S-1-5-80-000000000-0000000000-0000000000-0000000000-0000000000","file_Owner_DomainNetBIOSName_s":"Domain2","file_Owner_Name_s":"TrustedInstaller","file_Owner_DomainIdentifier_s":"S-1-5-80","file_owner_s":"TrustedInstaller","file_ProductVersion_s":"11.00.22621.1","file_DriveType_s":"Fixed 
Disk","headers_http_version_s":"HTTP/1.1","headers_request_path_s":"/","headers_traceparent_s":"00-27515957e300fe61661f0cd06c5d1065-cf58fea85d81f797-00","headers_content_type_s":"application/json","headers_request_method_s":"POST","headers_http_host_s":"pmc-infra-logstash:9611","headers_content_length_s":"199316","related_hash_s":"[\"sha1\",\"sha256\"]","related_hosts_s":"[\"Hostname1\"]","related_ip_s":"[]","related_user_s":"[\"User1\"]","EPMWinMac_Configuration_Token_Identifier_g":"12345678-27af-4d69-9125-c78e44764ac1","EPMWinMac_Configuration_Token_Name_s":"Add Full Admin (Required for Installers)","EPMWinMac_Configuration_RevisionNumber_s":"622","EPMWinMac_Configuration_ApplicationGroup_Description_s":"This will match for every application type Privilege Management supports","EPMWinMac_Configuration_ApplicationGroup_Identifier_g":"12345678-a490-4efc-80f1-482c5361ba5e","EPMWinMac_Configuration_ApplicationGroup_Name_s":"(Default) Any Application","EPMWinMac_Configuration_Message_Description_s":"Confirmation before elevating privileges, user must select reason","EPMWinMac_Configuration_Message_Type_s":"Prompt","EPMWinMac_Configuration_Message_Authorization_ChallengeCode_s":"","EPMWinMac_Configuration_Message_Authorization_ResponseStatus_s":"","EPMWinMac_Configuration_Message_AuthMethods_s":"[]","EPMWinMac_Configuration_Message_Identifier_g":"12345678-a096-4a21-9395-fc9f101c6851","EPMWinMac_Configuration_Message_Name_s":"Allow Message (Select Reason)","EPMWinMac_Configuration_Identifier_g":"12345678-eb77-4199-b98a-ba2e9734e02c","EPMWinMac_Configuration_Rule_OnDemand_b":true,"EPMWinMac_Configuration_Rule_Identifier_g":"12345678-468f-4569-9863-dfa36d3f060d","EPMWinMac_Configuration_RuleScript_Outcome_RuleAffected_b":false,"EPMWinMac_Configuration_Workstyle_Description_s":"Workstyle that applies to users who have a lot of 
flexibility","EPMWinMac_Configuration_Workstyle_Identifier_g":"12345678-67e3-4ad8-b585-a97ad05c409b","EPMWinMac_Configuration_Workstyle_Name_s":"High Flexibility","EPMWinMac_Configuration_Application_Description_s":"Any Executable","EPMWinMac_Configuration_Application_Type_s":"exe","EPMWinMac_SchemaVersion_s":"4.4.0","EPMWinMac_Event_Action_s":"Self-Elevated","EPMWinMac_Event_Type_s":"Process","EPMWinMac_TenantId_g":"12345678-b4a5-d397-d9b7-4f3cef428174","EPMWinMac_GroupId_g":"12345678-9ae2-4e43-b271-9e6e7ac51440","host_id_s":"S-1-5-21-000000000-000000000-000000000-000000","host_os_type_s":"windows","host_domain_s":"Domain1","host_name_s":"Hostname1","host_ip_s":"[]","host_DomainIdentifier_s":"S-1-5-21-000000000-000000000-000000000","host_hostname_s":"Hostname1","host_DomainNetBIOSName_s":"USG","host_NetBIOSName_s":"Hostname1","agent_id_g":"12345678-868f-4a46-ae85-0bcf55802cfb","agent_version_s":"23.3.148.0","Type":"BT_PM_CL","_ResourceId":""}]}
Sample Parsing¶
metadata.product_log_id = "12345678-62e7-4ad4-9b14-a27c29b6cc57"
metadata.product_version = "23.3.148.0"
metadata.product_event_type = "process-start-add-admin-on-demand"
metadata.timestamp = "2024-02-05T17:00:46Z"
principal.hostname = "Hostname1"
principal.domain.name = "Domain1"
principal.user.user_display_name = "User1"
principal.user.attribute.labels[0].key = "ConnectionId"
principal.user.attribute.labels[0].value = "0123456789ABC"
principal.user.attribute.labels[1].key = "SalesforceId"
principal.user.attribute.labels[1].value = "0123456789ABCDEFGH"
principal.user.windows_sid = "S-1-5-21-000000000-000000000-000000000-000000"
principal.group.product_object_id = "12345678-9d74-4f40-a94b-edd014b85651"
principal.user.company_name = "Company1"
principal.application = "EventGateway"
principal.platform = "WINDOWS"
principal.resource_ancestors.resource_subtype = "exe"
principal.resource_ancestors.name = "Any Executable"
target.domain.name = "Domain2"
target.process.pid = "7564"
target.process.file.full_path = "c:\\windows\\system32\\process.exe"
target.process.command_line = "process.exe -show"
target.process_ancestors.pid = "17200"
target.process_ancestors.file.full_path = "c:\\users\\User1\\appdata\\local\\temp\\i1707152132\\windows\\resource\\jre\\bin\\process_ancestor.exe"
target.file.sha256 = "sha256"
target.file.sha1 = "sha1"
target.file.full_path = "c:\\windows\\system32\\process.exe"
target.platform_version = "11.00.22621.1 (WinBuild.160101.0800)"
target.platform_patch_level = "11.00.22621.1"
target.resource.name = "TrustedInstaller"
intermediary.resource.product_object_id = "12345678-868f-4a46-ae85-0bcf55802cfb"
security_result.detection_fields[0].key = "eventCode"
security_result.detection_fields[0].value = "100"
security_result.action_details = "Self-Elevated"
network.application_protocol = "HTTP"
network.tls.version = "HTTP/1.1"