Ingest Logs from BeyondTrust Privilege Management Cloud - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-18
Category
Administrator Guide
Abstract

Extend Cortex XDR visibility into logs from BeyondTrust Privilege Management Cloud.

Note

Ingesting logs and data requires a Cortex XDR Pro per GB license.

If you use BeyondTrust Privilege Management Cloud, you can take advantage of Cortex XDR investigation and detection capabilities by forwarding your logs to Cortex XDR . This enables Cortex XDR to help you expand visibility into computer, activity, and authorization requests in the organization, correlate and detect access violations, and query BeyondTrust Endpoint Privilege Management logs using XQL Search.

As soon as Cortex XDR starts to receive logs, Cortex XDR can analyze your logs in XQL Search and you can create new Correlation Rules.

To integrate your logs, you first need to configure SIEM settings and an AWS S3 Bucket according to the specific requirements provided by BeyondTrust. You can then configure data collection in Cortex XDR by configuring an Amazon S3 data collector for a generic log type using the Beyondtrust Cloud ECS log format.

Before you begin configuring data collection verify that you are using BeyondTrust Privilege Management Cloud version 21.6.339 or later.

Configure BeyondTrust Privilege Management Cloud collection in Cortex XDR.

  1. Configure SIEM settings and an AWS S3 Bucket according to the requirements provided in the BeyondTrust documentation.

    Ensure that when you add the AWS S3 bucket in the PMC and set the SIEM settings, you select ECS - Elastic Common Schema as the SIEM Format.

  2. Configure BeyondTrust logs collection with Cortex XDR using an Amazon S3 data collector for generic data.

    Ensure your Amazon S3 data collector is configured with the following settings.

    • Log Type—Select Generic to configure your log collection to receive generic logs from Amazon S3.

    • Log Format—Select the log format type as Beyondtrust Cloud ECS.

      Note

      For a Log Format set to Beyondtrust Cloud ECS, the following fields are automatically set and not configurable.

      • VendorBeyondtrust

      • ProductPrivilege Management

      • CompressionUncompressed

  3. After Cortex XDR begins receiving data from BeyondTrust Privilege Management Cloud, you can use XQL Search to search your logs using the beyondtrust_privilege_management_raw dataset that you configured when setting up your Amazon S3 data collector.