BeyondTrust (Bomgar)
About
BeyondTrust unifies the industry’s broadest set of privileged access capabilities with centralized management, reporting, and analytics, enabling leaders to take decisive and informed actions to defeat attackers.
The BeyondTrust Privileged Access Management platform stands out for its flexible design that simplifies integrations, enhances user productivity, and maximizes IT and security investments.
Product Details
Vendor URL: BeyondTrust (Bomgar)
Product Type: Privileged Account Monitoring
Product Tier: Tier III
Integration Method: Syslog
Integration URL: BeyondTrust (Bomgar)
Log Guide: Sample Logs by Log Type
Parser Details
Log Format: Syslog
Expected Normalization Rate: near 100%
Data Label: BOMGAR
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| eventid | metadata.product_event_type |
| eventname | metadata.description |
| nvps.auditid, nvps.logid | metadata.product_log_id |
| nvps.clienthost | principal.hostname |
| nvps.details, nvps.systemname, eventdesc | security_result.summary |
| nvps.domainname, nvps.servername | target.administrative_domain |
| nvps.groupname, nvps.description, workgroupdesc | target.group.group_display_name |
| nvps.objectid, nvps.objecttype, category | about.labels.value |
| nvps.operation, nvps.actiontype, category | security_result.action_details |
| nvps.roleadded, nvps.source | principal.resource.name |
| nvps.source, targethost | target.hostname |
| nvps.systemname | target.group.product_object_id |
| nvps.target, nvps.accesspolicyadded | target.resource.name |
| nvps.userid, nvps.username, nvps.accountname, nvps.managedaccount | target.user.userid |
| os | principal.platform_version |
| product | metadata.product_name |
| sourceip | principal.ip |
| user, agentid | principal.user.userid |
| vendor | metadata.vendor_name |
| version | metadata.product_version |
Product Event Types

| Event | UDM Event Classification |
|---|---|
| AccountManagement, Managed | USER_CHANGE_PASSWORD |
| Add, Requestor | USER_CREATION |
| Administrator, Copy | SETTING_UNCATEGORIZED |
| Edit | USER_CHANGE_PERMISSIONS |
| Login, Logout, Assign, DomainManagement, Delete | USER_UNCATEGORIZED, USER_DELETION |
| Read | USER_RESOURCE_ACCESS |
| all other events | GENERIC_EVENT |
Log Sample

```json
{"formatVersion":"1.0", "vendor":"BeyondTrust","product":"BeyondInsight","version":"7.2.1","agentid":"agent","agentver":"7.2.1.124","category":"System","severity":"0","eventid":"agent","eventname":"Requestor","eventdesc":"System","eventdate":"Oct 05 2021 11:00:14","sourcehost":"host","sourceip":"10.233.1.108","eventsubject":"10.233.1.108","eventtype":"0","user":"208034", "nvps" : {"clienthost":"host", "eventseverity":"0", "subjectdescription":"208034", "btcategory":"System", "logid":"1823207", "logtime":"10/5/2021 11:00:14 AM", "username":"208034", "roleused":"Requestor", "objecttypeid":"9", "objecttype":"Password", "objectid":"203096", "operation":"Retrieve", "failed":"0", "target":"Domain:ACME.COM MAccount:account", "userid":"user", "ipaddress":"10.233.1.69"}}
```
Sample Parsing

```text
metadata.product_log_id = "1823207"
metadata.event_timestamp = "2021-10-05T11:00:14Z"
metadata.event_type = "USER_CREATION"
metadata.vendor_name = "BeyondTrust"
metadata.product_name = "BeyondInsight"
metadata.product_version = "7.2.1"
metadata.product_event_type = "agent"
metadata.description = "Requestor"
principal.hostname = "host"
principal.user.userid = "208034"
principal.ip = "10.233.1.108"
principal.asset.ip = "10.233.1.108"
target.user.userid = "user"
target.resource.id = "target"
target.resource.name = "Domain:domain.COM MAccount:account"
target.resource.resource_type = "ACCESS_POLICY"
about.labels.key = "object id"
about.labels.value = "203096"
about.labels.key = "object type"
about.labels.value = "Password"
security_result.action_details = "Retrieve"
extensions.auth.type = "SSO"
extensions.auth.mechanism = "USERNAME_PASSWORD"
```
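The field table and the event classification table can be exercised end to end on the page's own log sample. The Python below is an added illustration written for this page; it is not Chronicle's BOMGAR parser and not BeyondTrust code. It applies the field mapping (the first listed source field that is present in the record wins), the event classification, and the `eventdate` to `metadata.event_timestamp` conversion shown in the sample parsing. Assumptions, which are not stated on the page: any syslog header in front of the JSON is dropped by locating the first `{`; the `about.labels` keys `object id` and `object type` follow the sample parsing and `category` is an assumed key for the third source in that row; in the combined `Login, Logout, Assign, DomainManagement, Delete` row, `Delete` is taken as the USER_DELETION member and the rest as USER_UNCATEGORIZED. The sample input is the page's log sample, embedded here as constructed test data.

```python
import json
from datetime import datetime, timezone

# Constructed test input: the page's log sample, reproduced verbatim.
SAMPLE_LOG = r'''{"formatVersion":"1.0", "vendor":"BeyondTrust","product":"BeyondInsight","version":"7.2.1","agentid":"agent","agentver":"7.2.1.124","category":"System","severity":"0","eventid":"agent","eventname":"Requestor","eventdesc":"System","eventdate":"Oct 05 2021 11:00:14","sourcehost":"host","sourceip":"10.233.1.108","eventsubject":"10.233.1.108","eventtype":"0","user":"208034", "nvps" : {"clienthost":"host", "eventseverity":"0", "subjectdescription":"208034", "btcategory":"System", "logid":"1823207", "logtime":"10/5/2021 11:00:14 AM", "username":"208034", "roleused":"Requestor", "objecttypeid":"9", "objecttype":"Password", "objectid":"203096", "operation":"Retrieve", "failed":"0", "target":"Domain:ACME.COM MAccount:account", "userid":"user", "ipaddress":"10.233.1.69"}}'''

# Single-valued rows of the page's field table: "src1,src2,..." -> UDM path.
# The first source present in the record is used (assumed precedence rule).
FIELD_MAP = [
    ("eventid", "metadata.product_event_type"),
    ("eventname", "metadata.description"),
    ("nvps.auditid,nvps.logid", "metadata.product_log_id"),
    ("nvps.clienthost", "principal.hostname"),
    ("nvps.details,nvps.systemname,eventdesc", "security_result.summary"),
    ("nvps.domainname,nvps.servername", "target.administrative_domain"),
    ("nvps.groupname,nvps.description,workgroupdesc", "target.group.group_display_name"),
    ("nvps.operation,nvps.actiontype,category", "security_result.action_details"),
    ("nvps.roleadded,nvps.source", "principal.resource.name"),
    ("nvps.source,targethost", "target.hostname"),
    ("nvps.systemname", "target.group.product_object_id"),
    ("nvps.target,nvps.accesspolicyadded", "target.resource.name"),
    ("nvps.userid,nvps.username,nvps.accountname,nvps.managedaccount", "target.user.userid"),
    ("os", "principal.platform_version"),
    ("product", "metadata.product_name"),
    ("sourceip", "principal.ip"),
    ("user,agentid", "principal.user.userid"),
    ("vendor", "metadata.vendor_name"),
    ("version", "metadata.product_version"),
]

# Multi-valued row: each present source becomes one about.labels entry.
# Keys "object id"/"object type" come from the sample parsing; "category" is assumed.
LABEL_SOURCES = [("nvps.objectid", "object id"), ("nvps.objecttype", "object type"), ("category", "category")]

# Event classification table, one key per event name token.
EVENT_CLASS = {
    "AccountManagement": "USER_CHANGE_PASSWORD", "Managed": "USER_CHANGE_PASSWORD",
    "Add": "USER_CREATION", "Requestor": "USER_CREATION",
    "Administrator": "SETTING_UNCATEGORIZED", "Copy": "SETTING_UNCATEGORIZED",
    "Edit": "USER_CHANGE_PERMISSIONS",
    "Login": "USER_UNCATEGORIZED", "Logout": "USER_UNCATEGORIZED",
    "Assign": "USER_UNCATEGORIZED", "DomainManagement": "USER_UNCATEGORIZED",
    "Delete": "USER_DELETION",  # assumption: split of the combined table row
    "Read": "USER_RESOURCE_ACCESS",
}
DEFAULT_CLASS = "GENERIC_EVENT"  # "all other events"


def lookup(record, dotted):
    """Resolve a 'nvps.logid'-style source path; return '' when absent."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return ""
        cur = cur[part]
    return cur if isinstance(cur, str) else str(cur)


def first_present(record, spec):
    """Return the value of the first comma-listed source that is present."""
    for src in spec.split(","):
        val = lookup(record, src.strip())
        if val != "":
            return val
    return ""


def extract_payload(line):
    """Drop any syslog header (assumed) and parse the JSON body."""
    start = line.find("{")
    if start < 0:
        raise ValueError("no JSON payload in syslog line")
    return json.loads(line[start:])


def classify(eventname):
    """Map eventname to the UDM event classification from the page's table."""
    return EVENT_CLASS.get(eventname, DEFAULT_CLASS)


def to_udm(line):
    """Apply the field table, labels, classification and timestamp conversion."""
    rec = extract_payload(line)
    udm = {}
    for spec, path in FIELD_MAP:
        val = first_present(rec, spec)
        if val:
            udm[path] = val
    udm["about.labels"] = [{"key": key, "value": lookup(rec, src)}
                           for src, key in LABEL_SOURCES if lookup(rec, src)]
    udm["metadata.event_type"] = classify(lookup(rec, "eventname"))
    ts = lookup(rec, "eventdate")  # e.g. "Oct 05 2021 11:00:14", treated as UTC
    if ts:
        dt = datetime.strptime(ts, "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
        udm["metadata.event_timestamp"] = dt.isoformat().replace("+00:00", "Z")
    return udm


if __name__ == "__main__":
    for k, v in sorted(to_udm(SAMPLE_LOG).items()):
        print(f"{k} = {v!r}")
```

Fields in the sample parsing that the table does not derive (`principal.asset.ip`, `target.resource.id`, `target.resource.resource_type`, `extensions.auth.*`) are deliberately not emitted by this re-implementation, so the output should be compared against the table rather than the full sample parsing. The `nvps.failed` flag in the sample is likewise unmapped on the page; a detection author who needs failed retrievals would have to surface it separately.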
Parser Alerting
This product currently does not have any parser-based alerting.
Rules
Coming Soon