Forum Discussion
Sand_Sentinel87
Dec 20, 2024, Copper Contributor
How to integrate Beyond Trust Logs With Sentinel
Hi All,
How to integrate BeyondTrust logs with Sentinel? Do we have a data connector? As checked, there is no data connector for this.
Please let me know, and also what logging levels are required on the BeyondTrust side.
- Laurie_Rhodes, Brass Contributor
BeyondTrust is a company with multiple products.
I've recently had to write Function Apps to pull their event logs from Privileged Remote Access and it was really tough going, dependent on the product logs you want from PRA. Session Recordings could only be retrieved in XML and the Syslog API doesn't have time filtering capability, so you get a single zip with a couple of months of event records every time the API is polled. What was particularly frustrating was that the timestamp in API-pulled syslog doesn't contain the year of the event, all requiring custom coding and filtering to translate.
PRA does have other options with syslog appliances etc. (none were suitable for the environment I'm working in). It is a challenge to get a FunctionApp working properly, but if you are a confident scripter it's achievable with the Reporting API https://docs.beyondtrust.com/pra/docs/reporting.
- Rob_Burton, Copper Contributor
BeyondTrust has a native connector to Azure Sentinel and pushes directly to the Sentinel workspace, what is missing are the analysis rules once the data is in Sentinel. The documentation to establish the connection is in the BeyondTrust documentation and is really simple.
- Sand_Sentinel87, Copper Contributor
I have integrated through Syslog; however, developing a parser is a pain.
- GaryBushey, Bronze Contributor
I am not familiar with Beyond Trust, but if they have an API you can call, you can use the Microsoft Sentinel Codeless Connector to obtain the data: Create a codeless connector for Microsoft Sentinel | Microsoft Learn. Unsure what would be required on the Beyond Trust side.