
SIEM connections

What are SIEM connections?

A SIEM connection is the configured integration between EPM-L and a Security Information and Event Management (SIEM) system. Once a connection is saved, EPM-L forwards its event logs and I/O logs to that SIEM, where they can be stored, searched and correlated with data from the rest of your estate.

How are they useful to my organization?

SIEM connections give you a single, automated place to monitor, detect, analyze and respond to security threats across your network, with privilege-management activity from EPM-L alongside your other log sources.

Add a new Elasticsearch SIEM connection

Note that, at present, the IO log data sent to Elasticsearch only includes the standard output sent by the secured task. We expect to include standard input and standard error data in subsequent versions.

  1. Click Menu button > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  2. In the SIEM Connections panel, click Add Connection.
    The Create New SIEM Connection page displays.
  3. On the Create New SIEM Connection page, select Elasticsearch from the SIEM Connection Type drop-down list.
  4. Enter a connection Name.
  5. Enter the SIEM URL.
  6. Optionally, select the option to Verify certificate.
    When selected, EPM-L checks the TLS certificate presented by the SIEM against a trusted signer before it sends any data or credentials. If the SIEM presents a certificate from an unknown signer (for example, a self-signed certificate), verification can only succeed once that signer is trusted. Leaving the option cleared avoids that failure but also means a host impersonating the SIEM would receive your logs and the connection credentials, so treat an unverified connection as a lab-only measure.
  7. Expand the Elasticsearch section.
  8. Select a Credential Option (either Username and password or API Key) and enter the required information.
  9. Optionally, enter a CloudID to define the instance location.

    ℹ️

    Note

    You can define the Elasticsearch instance location using two methods within EPM Cloud for Linux:

    • Directly specify the URL: This specifies the location of Elasticsearch but contains no information about the location of Kibana.
    • Provide a CloudID: This encodes the locations of both Elasticsearch and Kibana. Only connections using CloudID can identify the location to deploy the Kibana dashboard.
  10. Click Test Settings.
  11. If the test is successful, click Save SIEM Connection.
    If the test is unsuccessful, check your settings and try again.
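To make the note about CloudID concrete, here is an added example (not BeyondTrust's code) that decodes an Elastic Cloud ID into the Elasticsearch and Kibana endpoints it carries and checks that the SIEM URL from step 5 names the same Elasticsearch cluster as the CloudID from step 9. It assumes the Cloud ID layout published by Elastic (`<deployment>:<base64 of host[:port]$<elasticsearch_uuid>[$<kibana_uuid>]>`, default port 443); the deployment name, host and UUIDs used in it are constructed placeholders, not a real deployment.

```python
"""Decode an Elastic Cloud ID and cross-check it against the SIEM URL.

Added example, not BeyondTrust code. Assumes the Cloud ID format documented by
Elastic: "<deployment>:<base64 of host[:port]$<es_uuid>[$<kibana_uuid>]>".
"""
import base64
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CloudIdEndpoints:
    deployment: str
    elasticsearch_url: str
    kibana_url: Optional[str]  # None when the Cloud ID carries no Kibana component


def parse_cloud_id(cloud_id: str) -> CloudIdEndpoints:
    """Turn a Cloud ID into the HTTPS endpoints it encodes.

    Raises ValueError for anything that is not a well-formed Cloud ID, so a
    mistyped value fails here rather than at the SIEM connection test.
    """
    deployment, sep, payload = cloud_id.strip().partition(":")
    if not sep or not payload:
        raise ValueError("Cloud ID must look like '<deployment>:<base64>'")
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except ValueError as exc:  # covers binascii.Error and UnicodeDecodeError
        raise ValueError(f"Cloud ID payload is not valid base64: {exc}") from exc

    parts = decoded.split("$")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("Cloud ID payload must be 'host[:port]$es_uuid[$kibana_uuid]'")
    host_port, es_uuid = parts[0], parts[1]
    kibana_uuid = parts[2] if len(parts) > 2 and parts[2] else None

    # One port serves both Elasticsearch and Kibana; Elastic Cloud defaults to 443.
    host, _, port = host_port.rpartition(":")
    if not host:  # no ':' present, so the whole value is the host
        host, port = host_port, ""
    port = port or "443"
    if not port.isdigit():
        raise ValueError(f"Cloud ID port is not numeric: {port!r}")

    es_url = f"https://{es_uuid}.{host}:{port}"
    kb_url = f"https://{kibana_uuid}.{host}:{port}" if kibana_uuid else None
    return CloudIdEndpoints(deployment, es_url, kb_url)


def make_cloud_id(deployment: str, host: str, es_uuid: str,
                  kibana_uuid: Optional[str] = None, port: int = 443) -> str:
    """Encode a Cloud ID (the inverse of parse_cloud_id), useful for building test values."""
    payload = f"{host}:{port}${es_uuid}" + (f"${kibana_uuid}" if kibana_uuid else "")
    return f"{deployment}:{base64.b64encode(payload.encode('utf-8')).decode('ascii')}"


def same_cluster(siem_url: str, cloud_id: str) -> bool:
    """True when the SIEM URL and the Cloud ID name the same Elasticsearch endpoint.

    Compares scheme, host and effective port only, so a trailing slash or a
    differently cased host name does not produce a false mismatch.
    """
    def key(url: str):
        u = urlsplit(url)
        port = u.port or (443 if u.scheme.lower() == "https" else 80)
        return (u.scheme.lower(), (u.hostname or "").lower(), port)

    return key(siem_url) == key(parse_cloud_id(cloud_id).elasticsearch_url)


# Constructed values for demonstration only; this is not a real deployment.
DEMO_CLOUD_ID = make_cloud_id("epml-demo", "eu-west-1.example.cloud",
                              "f2a1c0ffee11", "b0b0cafe2233", port=9243)

if __name__ == "__main__":
    ep = parse_cloud_id(DEMO_CLOUD_ID)
    print(ep.elasticsearch_url)  # https://f2a1c0ffee11.eu-west-1.example.cloud:9243
    print(ep.kibana_url)         # https://b0b0cafe2233.eu-west-1.example.cloud:9243
    print(same_cluster("https://f2a1c0ffee11.eu-west-1.example.cloud:9243/", DEMO_CLOUD_ID))  # True
```

Run it on the real CloudID before you click Test Settings: a CloudID that decodes but points at a different cluster than the URL you entered, or one with no Kibana component (in which case the Kibana dashboard cannot be located from it), is a configuration mistake worth catching before the connection is saved.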

Add a new Logstash SIEM connection

  1. Click Menu button > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  2. In the SIEM Connections panel, click Add Connection.
    The Create New SIEM Connection page displays.
  3. On the Create New SIEM Connection page, select Logstash from the SIEM Connection Type drop-down list.
  4. Enter a connection Name.
  5. Enter the SIEM URL.
  6. Optionally, select the option to Verify certificate.
    When selected, EPM-L checks the TLS certificate presented by the SIEM against a trusted signer before it sends any data or credentials. If the SIEM presents a certificate from an unknown signer (for example, a self-signed certificate), verification can only succeed once that signer is trusted. Leaving the option cleared avoids that failure but also means a host impersonating the SIEM would receive your logs and the connection credentials, so treat an unverified connection as a lab-only measure.
  7. Expand the Logstash Connection Details section.
  8. Enter the Username and password.
  9. Click Test Settings.
  10. If the test is successful, click Save SIEM Connection.
    If the test is unsuccessful, check your settings and try again.

Add a Splunk Cloud SIEM connection

Use Splunk Cloud or Splunk Enterprise with EPM-L to receive and search EPM-L data, including event logs and I/O logs.

Note that, at present, the IO log data sent to Splunk Cloud only includes the standard output sent by the secured task. We expect to include standard input and standard error data in subsequent versions.

By default, two indexes and one HTTP Event Collector (HEC) are created on the Splunk Cloud system. The names of the objects are fixed:

  • beyondtrust-epml-ecs-eventlog for event logs
  • beyondtrust-epml-ecs-iolog for IO logs
  • beyondtrust-epml-ecs-collector for the HEC

Creating these objects requires a Splunk user with sc_admin privileges, which means storing a highly privileged Splunk credential in EPM-L; that is not ideal in every environment. Alternatively, create the indexes and HEC manually in Splunk Cloud and give EPM-L their names, so that the stored credential needs only the narrower capabilities listed under Test Settings below.

Prerequisites

  • Splunk Cloud instance
  • Allowlist the Splunk Cloud search-api so that the EPM-L unified search feature can query it. The search-api allowlist requires an entry of 0.0.0.0/0, which admits every source address and leaves Splunk authentication as the only control on that API; if that is unacceptable in your environment, use the EPM-L Settings method described below, which does not use unified search. In your Splunk Cloud instance, go to Configure IP allow lists using Splunk Web.

Add Splunk Cloud connection details with SIEM connection

  1. Click Menu button > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  2. In the SIEM Connections panel, click Add Connection.
    The Create New SIEM Connection page displays.
  3. On the Create New SIEM Connection page, select Splunk Cloud from the SIEM Connection Type drop-down list.
  4. Add the name and URL for the Splunk instance. The name can be freely defined, but the URL should conform to the Splunk Cloud REST API format: https://{stack}.splunkcloud.com:8089 where {stack} is the name of the customer's stack assigned by Splunk Cloud.
  5. Optionally, select the option to Verify certificate.
    When selected, EPM-L checks the TLS certificate presented by Splunk against a trusted signer before it sends any data or credentials. If the instance presents a certificate from an unknown signer (for example, a self-signed certificate), verification can only succeed once that signer is trusted. Leaving the option cleared avoids that failure but also means a host impersonating the Splunk instance would receive your logs and the connection credentials, so treat an unverified connection as a lab-only measure.
  6. Expand Splunk Connection Details.
    • Username and Password: Add the credentials EPM-L uses to authenticate to the Splunk instance. Use a dedicated service account rather than a personal login. The account requires sc_admin permissions unless you select Index and HEC Objects created (below) or add the connection details with EPM-L Settings instead, in which case only the capabilities listed under step 8 are needed.
    • Index and HEC Objects created: Select this check box to add the names of the indexes and event collector if you already created the objects in Splunk.
      • Event Log Index Name:
      • IO Log Index Name:
      • HEC Name:

  7. Click Test Settings.
  8. If the test is successful, click Save SIEM Connection.
    If the test is unsuccessful, check your settings and the Splunk Cloud user's permissions and try again. If you selected Index and HEC Objects created, the Splunk credential still requires capabilities beyond those of an ordinary user:
    • edit_token_http for the Splunk Cloud Victoria Experience
    • dmc_deploy_apps and dmc_deploy_token_http for the Splunk Cloud Classic Experience.

Add Splunk Cloud connection details with EPM-L Settings

You can also create the connection from EPM-L Settings instead of the SIEM Connections page.

You must first create the indexes and HEC in Splunk Cloud before setting up the connection using this method.

  • splunkeventlogindexname: The name of the customer-created index for event log records.
  • splunkiologindexname: The name of the customer-created index for IO logs.
  • splunkhttpcollectorurl: The URL to the customer-created HEC to which EPM-L will send event logs and IO logs. The URL is in the format:
    https://http-inputs-{stack}.splunkcloud.com
    where {stack} is the name of the customer's stack assigned by Splunk Cloud.
  • splunkhttpcollectortoken: Copy the HEC's token from the Splunk Cloud console and paste it into this field. The token is a bearer secret: anyone who holds it can write events into the indexes it is allowed to reach, so handle it like a password.

After entering these values, click SAVE to send the values to EPM-L.

Consider the following before selecting this method to create a connection between EPM-L and Splunk Cloud:

  • EPM-L cannot validate the correctness of the specified HEC, so a wrong URL, token or index name is only discovered when no data arrives in Splunk.
  • You cannot search the event log and IO log index data using the EPM-L unified search feature.
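Because EPM-L cannot validate the HEC for you, it is worth validating it yourself before you click SAVE. The following is an added example, not BeyondTrust or Splunk code: it checks the splunkhttpcollectorurl format, calls the HEC health endpoint, posts one tagged test event to each of the two index names using the same token EPM-L will use, and translates Splunk's HEC reply codes into the EPM-L setting that needs fixing. It assumes the HEC API documented by Splunk (`GET /services/collector/health`, `POST /services/collector/event`, the `Authorization: Splunk <token>` header and the numeric `code` field in replies); the stack name, token and index names in the usage section are constructed placeholders.

```python
"""Pre-validate a Splunk Cloud HEC before entering it in EPM-L Settings.

Added example, not BeyondTrust or Splunk code. Assumes Splunk's documented HEC API:
GET /services/collector/health, POST /services/collector/event, the header
"Authorization: Splunk <token>" and the numeric "code" field in HEC replies.
"""
import json
import re
import ssl
import urllib.request
from urllib.error import HTTPError, URLError

# Reply codes from Splunk's HEC reference, limited to the ones a setup probe meets.
HEC_CODES = {0: "Success", 1: "Token disabled", 2: "Token is required",
             3: "Invalid authorization", 4: "Invalid token", 6: "Invalid data format",
             7: "Incorrect index", 17: "HEC is healthy"}

# The splunkhttpcollectorurl format given in the documentation above.
HEC_URL_RE = re.compile(r"^https://http-inputs-[a-z0-9-]+\.splunkcloud\.com(:443)?$", re.I)


def check_hec_url(url: str) -> list[str]:
    """Return the problems with a splunkhttpcollectorurl value; an empty list means it is well formed."""
    problems = []
    if not url.lower().startswith("https://"):
        problems.append("must use https: the HEC token is a bearer secret and must not travel in clear")
    if not HEC_URL_RE.match(url.rstrip("/")):
        problems.append("expected https://http-inputs-{stack}.splunkcloud.com (not the :8089 REST URL)")
    return problems


def build_event_request(hec_url: str, token: str, index: str, event: dict) -> urllib.request.Request:
    """Build the POST for one JSON event addressed to a named index."""
    body = json.dumps({"index": index, "sourcetype": "_json", "event": event}).encode("utf-8")
    return urllib.request.Request(
        hec_url.rstrip("/") + "/services/collector/event", data=body, method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"})


def interpret_reply(http_status: int, body: bytes) -> tuple[bool, str]:
    """Map an HEC reply to (ok, explanation), naming the EPM-L setting that is wrong."""
    try:
        reply = json.loads(body.decode("utf-8") or "{}")
    except (json.JSONDecodeError, UnicodeDecodeError):
        return False, f"HTTP {http_status}: non-JSON reply, so this is probably not an HEC URL"
    code = reply.get("code")
    text = HEC_CODES.get(code, str(reply.get("text", "unrecognised reply")))
    if code == 7:
        text += " (index missing or not permitted for this token: check splunkeventlogindexname/splunkiologindexname)"
    elif code in (1, 2, 3, 4):
        text += " (check splunkhttpcollectortoken)"
    return code in (0, 17), f"HTTP {http_status}: {text}"


def probe_hec(hec_url: str, token: str, event_index: str, iolog_index: str,
              *, verify_tls: bool = True, timeout: float = 10.0) -> list[str]:
    """Live probe: health check, then one tagged test event per index. Returns report lines."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab use only: without verification the probe cannot tell who answered
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    health = urllib.request.Request(hec_url.rstrip("/") + "/services/collector/health",
                                    headers={"Authorization": f"Splunk {token}"})
    probes = [("health", health)]
    for index in (event_index, iolog_index):
        # The probe event is tagged so it can be found (or excluded) in the real index afterwards.
        probes.append((f"event -> {index}", build_event_request(
            hec_url, token, index, {"source": "epml-hec-probe", "index": index})))
    report = []
    for name, req in probes:
        try:
            with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
                ok, msg = interpret_reply(resp.status, resp.read())
        except HTTPError as exc:  # HEC sends its JSON explanation with 4xx statuses too
            ok, msg = interpret_reply(exc.code, exc.read())
        except URLError as exc:
            ok, msg = False, f"connection failed: {exc.reason}"
        report.append(f"[{'ok' if ok else 'FAIL'}] {name}: {msg}")
    return report


if __name__ == "__main__":
    # Constructed placeholders: replace with your stack's HEC URL, its token and your index names.
    url = "https://http-inputs-acme.splunkcloud.com"
    problems = check_hec_url(url)
    if problems:
        print("\n".join(problems))
    else:
        for line in probe_hec(url, "00000000-0000-0000-0000-000000000000",
                              "beyondtrust-epml-ecs-eventlog", "beyondtrust-epml-ecs-iolog"):
            print(line)
```

A run that reports ok for the health check and for both indexes means the URL, token and index names you are about to paste into EPM-L Settings are consistent with what Splunk will accept. The probe writes one event with `source=epml-hec-probe` into each index, so search for that value afterwards if you want to confirm arrival or exclude it from reports. Do not pass `verify_tls=False` outside a lab: a probe that skips certificate verification proves nothing about which host accepted your token.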

Edit a SIEM connection

  1. Click Menu button > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  2. Locate your configured SIEM connection from the list.
  3. Click the SIEM connection name.
    The Edit SIEM Connection page displays.
  4. Modify the connection Name, URL, certificate verification check, and any of the connection details.
  5. Click Test Settings.
  6. If the test is successful, click Save SIEM Connection.
    If the test is unsuccessful, check your settings and try again.

Delete a SIEM connection

❗️

WARNING

Deleting a SIEM connection is an unrecoverable operation.

  1. Click Menu button > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  2. Locate your configured SIEM connection from the list.
  3. Click the SIEM connection name.
    The Edit SIEM Connection page displays.
  4. Click Delete.
    A confirmation message displays.
  5. Click OK.
    The connection is deleted.

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.