Ingesting logs and data requires a Cortex XDR Pro per TB license.
If you use BeyondTrust Privilege Management Cloud, you can take advantage of Cortex XDR investigation and detection capabilities by forwarding your logs to Cortex XDR. This enables Cortex XDR to help you expand visibility into computers, activity, and authorization requests in the organization, correlate and detect access violations, and query BeyondTrust Endpoint Privilege Management logs using XQL Search.
As soon as Cortex XDR starts to receive logs, Cortex XDR can analyze your logs in XQL Search and you can create new Correlation Rules.
To integrate your logs, you first need to configure SIEM settings and an AWS S3 Bucket according to the specific requirements provided by BeyondTrust. You can then configure data collection in Cortex XDR by configuring an Amazon S3 data collector for a generic log type using the Beyondtrust Cloud ECS log format.
Before you begin configuring data collection, verify that you are using BeyondTrust Privilege Management Cloud version 21.6.339 or later.
Configure BeyondTrust Privilege Management Cloud collection in Cortex XDR.
Configure SIEM settings and an AWS S3 Bucket according to the requirements provided in the BeyondTrust documentation.
Ensure that when you add the AWS S3 bucket in the PMC and set the SIEM settings, you select ECS - Elastic Common Schema as the SIEM Format.
Configure BeyondTrust logs collection with Cortex XDR using an Amazon S3 data collector for generic data.
Ensure your Amazon S3 data collector is configured with the following settings.
Log Type—Select Generic to configure your log collection to receive generic logs from Amazon S3.
Log Format—Select the log format type as Beyondtrust Cloud ECS.
For a Log Format set to Beyondtrust Cloud ECS, the following fields are automatically set and not configurable.
After Cortex XDR begins receiving data from BeyondTrust Privilege Management Cloud, you can use XQL Search to search your logs using the beyondtrust_privilege_management_raw dataset that you configured when setting up your Amazon S3 data collector.
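An XQL query of the kind this dataset enables, added here as an illustration and not taken from the Cortex XDR or BeyondTrust documentation: it counts failed privilege requests per user and endpoint over the last day so repeated denials stand out. It assumes the ingested ECS events expose the standard ECS field names event.outcome, event.action, user.name and host.hostname under those names in the raw dataset; the page does not list the parsed fields, so adjust them to what the schema shows in your tenant.

```xql
// Constructed example query; the field names below are assumed ECS names, not confirmed by the page.
dataset = beyondtrust_privilege_management_raw
| filter event.outcome = "failure"
| comp count(_time) as denied_requests, min(_time) as first_seen, max(_time) as last_seen by user.name, host.hostname, event.action
| filter denied_requests >= 5
| sort desc denied_requests
```

Run it with a 24-hour time range in XQL Search; a user and host pair that keeps appearing is a candidate for a Correlation Rule that alerts on the same condition.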