SIEM Connections

What are SIEM connections?

A SIEM connection is the configured integration between Endpoint Privilege Management for Linux and a Security Information and Event Management (SIEM) system (Elasticsearch or Logstash), through which events from the endpoints in your network are forwarded to the SIEM.

How are they useful to my organization?

SIEM connections provide a centralized and automated way to monitor, detect, analyze, and respond to security threats across your network.

Add a new Elasticsearch SIEM connection

  1. Click > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  2. In the SIEM Connections panel, click Add Connection.
    The Create New SIEM Connection page displays.
  3. On the Create New SIEM Connection page, select Elasticsearch from the SIEM Connection Type drop-down list.
  4. Enter a connection Name.
  5. Enter the SIEM URL.
  6. Optionally, select the option to Verify certificate.
    When this option is selected, EPM checks the certificate the SIEM presents over TLS against a trusted signer, which protects forwarded events from being intercepted by a host impersonating the SIEM. If the SIEM uses a certificate from an unknown signer (for example, a self-signed certificate), the connection test fails with this option selected unless that signer is trusted; clearing the option makes the test pass but leaves the SIEM's identity unverified, so prefer installing a certificate from a trusted signer on the SIEM.
  7. Expand the Elasticsearch section.
  8. Select a Credential Option (either Username and password or API Key) and enter the required information.
  9. Optionally, enter a CloudID to define the instance location.

    ℹ️

    Note

    You can define the Elasticsearch instance location using two methods within EPM Cloud for Linux:

    • Directly specify the URL: This specifies the location of Elasticsearch but contains no information about the location of Kibana.
    • Provide a CloudID: This encodes the locations of both Elasticsearch and Kibana. Only connections using CloudID can identify the location to deploy the Kibana dashboard.
  10. Click Test Settings.
  11. If the test is successful, click Save SIEM Connection.
    If the test is unsuccessful, check your settings and try again.

Add a new Logstash SIEM connection

  1. Click > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  2. In the SIEM Connections panel, click Add Connection.
    The Create New SIEM Connection page displays.
  3. On the Create New SIEM Connection page, select Logstash from the SIEM Connection Type drop-down list.
  4. Enter a connection Name.
  5. Enter the SIEM URL.
  6. Optionally, select the option to Verify certificate.
    When this option is selected, EPM checks the certificate the SIEM presents over TLS against a trusted signer, which protects forwarded events from being intercepted by a host impersonating the SIEM. If the SIEM uses a certificate from an unknown signer (for example, a self-signed certificate), the connection test fails with this option selected unless that signer is trusted; clearing the option makes the test pass but leaves the SIEM's identity unverified, so prefer installing a certificate from a trusted signer on the SIEM.
  7. Expand the Logstash Connection Details section.
  8. Enter the Username and password.
  9. Click Test Settings.
  10. If the test is successful, click Save SIEM Connection.
    If the test is unsuccessful, check your settings and try again.

Edit a SIEM connection

  1. Click > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  2. Locate your configured SIEM connection from the list.
  3. Click the SIEM connection name.
    The Edit SIEM Connection page displays.
  4. Modify the connection Name, URL, Verify certificate setting, and any of the connection details.
  5. Click Test Settings.
  6. If the test is successful, click Save SIEM Connection.
    If the test is unsuccessful, check your settings and try again.

Delete a SIEM connection

❗️

WARNING

Deleting a SIEM connection is an unrecoverable operation.

  1. Click > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  2. Locate your configured SIEM connection from the list.
  3. Click the SIEM connection name.
    The Edit SIEM Connection page displays.
  4. Click Delete.
    A confirmation message displays.
  5. Click OK.
    The connection is deleted.

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.