SIEM connections | EPM-L

What are SIEM connections?

A SIEM connection refers to the relationship or integration between a Security Information and Event Management (SIEM) system and the endpoints in your network.

How are they useful to my organization?

SIEM connections provide a centralized and automated way to monitor, detect, analyze, and respond to security threats across your network.

Add a new Elasticsearch SIEM connection

Note that, at present, the IO log data sent to Elasticsearch only includes the standard output sent by the secured task. We expect to include standard input and standard error data in subsequent versions.

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. Click Menu button > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  3. In the SIEM Connections panel, click Add Connection.
    The Create New SIEM Connection page displays.
  4. On the Create New SIEM Connection page, select Elasticsearch from the SIEM Connection Type drop-down list.
  5. Enter a connection Name.
  6. Enter the SIEM URL.
  7. Optionally, select the option to Verify certificate.
    Select this option if using an unknown signer (for example, if a self-signed certificate is in use).
  8. Expand the Elasticsearch section.
  9. Select a Credential Option (either Username and password or API Key) and enter the required information.
  10. Optionally, enter a CloudID to define the instance location.

    Note:
    You can define the Elasticsearch instance location using two methods within EPM for Linux:

    • Directly specify the URL: This specifies the location of Elasticsearch but contains no information about the location of Kibana.
    • Provide a CloudID: This encodes the locations of both Elasticsearch and Kibana. Only connections using CloudID can identify the location to deploy the Kibana dashboard.
  11. Click Test Settings.
  12. If the test is successful, click Save SIEM Connection.
    If the test is unsuccessful, check your settings and try again.
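The note on step 10 says a CloudID encodes both the Elasticsearch and the Kibana location while a plain URL carries only the former. The following Python script is an added example (not BeyondTrust's code or part of this product) that makes that concrete by decoding a Cloud ID using the format Elastic documents: `<label>:<base64>`, where the payload decodes to `<host>[:<port>]$<elasticsearch-id>$<kibana-id>` and each service is reached at `https://<id>.<host>:<port>`. The sample Cloud ID and URL are constructed for the example and point at no real deployment.

```python
import base64
import binascii
from urllib.parse import urlsplit

DEFAULT_PORT = 443  # Elastic Cloud endpoints use 443 when the Cloud ID carries no port


def parse_cloud_id(cloud_id: str) -> dict:
    """Decode an Elastic Cloud ID into its Elasticsearch and Kibana endpoints.

    Format documented by Elastic: "<label>:<base64>", where the base64 payload
    decodes to "<host>[:<port>]$<elasticsearch-id>$<kibana-id>". Both services
    live under the same host, so one Cloud ID locates both of them.
    """
    label, sep, payload = cloud_id.strip().partition(":")
    if not sep or not payload:
        raise ValueError("Cloud ID must look like '<label>:<base64 payload>'")
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"Cloud ID payload is not valid base64: {exc}") from exc
    parts = decoded.split("$")
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError("Cloud ID payload must carry host, Elasticsearch id and Kibana id")
    host_port, es_id, kibana_id = parts[:3]
    host, _, port = host_port.partition(":")
    port = int(port) if port else DEFAULT_PORT
    return {
        "label": label,
        "elasticsearch": f"https://{es_id}.{host}:{port}",
        "kibana": f"https://{kibana_id}.{host}:{port}",
    }


def endpoints_from_url(siem_url: str) -> dict:
    """A plain SIEM URL locates Elasticsearch only; Kibana's location stays unknown."""
    parts = urlsplit(siem_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("SIEM URL must be an absolute http(s) URL")
    return {"elasticsearch": siem_url.rstrip("/"), "kibana": None}


def make_cloud_id(label: str, host: str, es_id: str, kibana_id: str, port=None) -> str:
    """Build a Cloud ID from its parts; used here only to construct sample input."""
    host_port = f"{host}:{port}" if port else host
    payload = f"{host_port}${es_id}${kibana_id}".encode("utf-8")
    return f"{label}:{base64.b64encode(payload).decode('ascii')}"


# Constructed sample values (not a real deployment) showing what each method yields.
SAMPLE_CLOUD_ID = make_cloud_id("epml-demo", "example.cloud.invalid", "es0001", "kb0001", 9243)
SAMPLE_SIEM_URL = "https://es0001.example.cloud.invalid:9243"

if __name__ == "__main__":
    print("Cloud ID ->", parse_cloud_id(SAMPLE_CLOUD_ID))
    print("URL      ->", endpoints_from_url(SAMPLE_SIEM_URL))
```

Running the script shows the Cloud ID producing both an Elasticsearch and a Kibana endpoint, while the URL form leaves Kibana as `None`, which is exactly why only CloudID connections can place the Kibana dashboard.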

Add a new Logstash SIEM connection

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. Click Menu button > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  3. In the SIEM Connections panel, click Add Connection.
    The Create New SIEM Connection page displays.
  4. On the Create New SIEM Connection page, select Logstash from the SIEM Connection Type drop-down list.
  5. Enter a connection Name.
  6. Enter the SIEM URL.
  7. Optionally, select the option to Verify certificate.
    Select this option if using an unknown signer (for example, if a self-signed certificate is in use).
  8. Expand the Logstash Connection Details section.
  9. Enter the Username and password.
  10. Click Test Settings.
  11. If the test is successful, click Save SIEM Connection.
    If the test is unsuccessful, check your settings and try again.

Add a Splunk Cloud SIEM connection

Use Splunk Cloud and Splunk Enterprise with EPM Cloud for Linux to read data from EPM-L, including event log and I/O logs.

Two Splunk indexes are provided in this implementation:

  • beyondtrust-epml-ecs-eventlog for event logs
  • beyondtrust-epml-ecs-iolog for IO logs

The index names cannot be changed.

Prerequisites

  • Splunk Cloud instance
  • Allowlist the Splunk Cloud search API so that the unified search feature can reach it. The Splunk Cloud search API allowlist requires an entry of 0.0.0.0/0 (that is, all source addresses). In your Splunk Cloud instance, follow the Splunk topic Configure IP allow lists using Splunk Web.

Connect to Splunk without a SIEM connection

Adding Splunk connectivity via a SIEM connection requires Splunk permissions to create the indexes and HTTP Event Collector (HEC) token within Splunk from EPM-L.

The workaround, which is the best practice, is for the Splunk administrator to create the indexes and HEC token prior to their use in EPM-L. This method has two minor drawbacks:

  • The user must obtain the HEC token
  • The EPM-L Unified Search feature requires a SIEM connection. As an alternative to the Unified Search, you can use raw Splunk queries to search event log and IO log data.

To connect with Splunk without the SIEM connection:

  1. In the Splunk Cloud UI, retrieve the HEC token from the Settings > Data Inputs > HTTP Event Collector page.
  2. On the HTTP Event Collector page, locate your HEC (for example, beyondtrust-epml-ecs-collector) and click Copy to copy the HEC token to the clipboard. Enter the token, along with other necessary information, into standard EPM-L settings.
  3. Go to EPM-L, select Editor View and navigate to the Splunk-related settings, as shown:
    (Figure: Splunk settings in EPM-L)
  4. Copy the HEC token into splunkhttpcollectortoken, and enter appropriate values for splunkeventlogindexname, splunkiologindexname and splunkhttpcollectorurl.
    The splunkhttpcollectorurl uses the form https://http-inputs-{stack}.splunkcloud.com, where {stack} should be replaced with the name of your stack, e.g., beyondtrust as above, or your company name.
  5. Click Save to validate the settings and send them to EPM-L.

Note:
While the above assumes events and IO logs will be sent to Splunk, it is also possible to deliver events without IO logs.

To do this, leave the splunkiologindexname field blank, and ensure the siemdatatypes setting does not include iologs as an option.

If you prefer using the SIEM connection, then proceed to the next section. Otherwise, your EPM-L system should be configured to deliver events and (if desired) IO logs to Splunk.
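The settings entered in the procedure above can be sanity-checked before you click Save. The Python script below is an added example, not BeyondTrust's code: it forms splunkhttpcollectorurl from a stack name, enforces the fixed index names, applies the rule from the note (IO logs need both the iologs data type and splunkiologindexname, or neither), and classifies an HEC reply using Splunk's published HEC reply codes. Two things are assumptions on my part: the `eventlogs` label for siemdatatypes (the page names only `iologs`), and the probe that POSTs an empty body to the real HEC endpoint /services/collector/event, which exercises the token without ingesting anything because HEC answers an empty body with code 5 ("No data"). The token in the sample is a placeholder.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Index names fixed by the EPM-L Splunk integration (the page states they cannot be changed).
EVENTLOG_INDEX = "beyondtrust-epml-ecs-eventlog"
IOLOG_INDEX = "beyondtrust-epml-ecs-iolog"
IOLOG_TYPE = "iologs"        # siemdatatypes value named on the page
EVENTLOG_TYPE = "eventlogs"  # ASSUMED label for the event-log data type


def collector_url_for_stack(stack: str) -> str:
    """Form splunkhttpcollectorurl (https://http-inputs-{stack}.splunkcloud.com)."""
    if not stack or any(c in stack for c in "./: "):
        raise ValueError("stack must be a bare Splunk Cloud stack name, e.g. 'beyondtrust'")
    return f"https://http-inputs-{stack}.splunkcloud.com"


def build_splunk_settings(stack: str, hec_token: str, send_iologs: bool = True) -> dict:
    """Assemble the EPM-L settings named in the procedure, with or without IO logs."""
    return {
        "splunkhttpcollectorurl": collector_url_for_stack(stack),
        "splunkhttpcollectortoken": hec_token,
        "splunkeventlogindexname": EVENTLOG_INDEX,
        "splunkiologindexname": IOLOG_INDEX if send_iologs else "",
        "siemdatatypes": [EVENTLOG_TYPE, IOLOG_TYPE] if send_iologs else [EVENTLOG_TYPE],
    }


def validate_splunk_settings(s: dict) -> list:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    url = urlsplit(s.get("splunkhttpcollectorurl", ""))
    if url.scheme != "https" or not url.netloc:
        problems.append("splunkhttpcollectorurl must be an absolute https URL")
    elif url.path not in ("", "/"):
        problems.append("splunkhttpcollectorurl should name the host only, with no path")
    if not s.get("splunkhttpcollectortoken", "").strip():
        problems.append("splunkhttpcollectortoken is empty; copy it from Settings > Data Inputs > HTTP Event Collector")
    if s.get("splunkeventlogindexname") != EVENTLOG_INDEX:
        problems.append(f"splunkeventlogindexname must be {EVENTLOG_INDEX}; index names cannot be changed")
    wants_iologs = IOLOG_TYPE in s.get("siemdatatypes", [])
    iolog_index = s.get("splunkiologindexname", "")
    if wants_iologs and iolog_index != IOLOG_INDEX:
        problems.append(f"siemdatatypes includes {IOLOG_TYPE}, so splunkiologindexname must be {IOLOG_INDEX}")
    if not wants_iologs and iolog_index:
        problems.append(f"splunkiologindexname is set but siemdatatypes excludes {IOLOG_TYPE}; leave the field blank")
    return problems


def classify_hec_reply(status: int, body: str) -> str:
    """Turn an HEC HTTP status and JSON body into a verdict (Splunk HEC reply codes)."""
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):
        code = None
    if status == 403 and code == 4:
        return "invalid token"
    if status == 403 and code == 1:
        return "token disabled"
    if status == 400 and code == 5:
        return "token accepted (no data sent)"
    if status == 400 and code == 7:
        return "token accepted but index not permitted for this token"
    return f"unexpected reply: HTTP {status} code {code}"


def probe_hec(settings: dict, timeout: int = 10) -> str:
    """ASSUMED check: POST an empty body to the HEC event endpoint to test the token
    without ingesting an event (HEC rejects the empty body with code 5)."""
    req = urllib.request.Request(
        settings["splunkhttpcollectorurl"].rstrip("/") + "/services/collector/event",
        data=b"", method="POST",
        headers={"Authorization": "Splunk " + settings["splunkhttpcollectortoken"]},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_hec_reply(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_hec_reply(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Placeholder token; replace with the value copied from the HTTP Event Collector page.
    sample = build_splunk_settings("beyondtrust", "00000000-0000-0000-0000-000000000000")
    print(json.dumps(sample, indent=2))
    print("problems:", validate_splunk_settings(sample) or "none")
    print("probe:", probe_hec(sample))  # needs network access to the stack
```

Run it with your own stack name and token; `validate_splunk_settings` catches the mismatches the Save step would otherwise reject, and the probe distinguishes a wrong or disabled token from a reachable, authenticated collector.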

Add Splunk connection details

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. Click Menu button > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  3. In the SIEM Connections panel, click Add Connection.
    The Create New SIEM Connection page displays.
  4. On the Create New SIEM Connection page, select Splunk or Splunk Cloud from the SIEM Connection Type drop-down list.
  5. Add the name and URL for the Splunk instance.
  6. Optionally, select the option to Verify certificate.
    Select this option if using an unknown signer (for example, if a self-signed certificate is in use).
  7. Expand Splunk Connection Details and add the credentials to authenticate to the Splunk instance.
  8. Click Test Settings.
  9. If the test is successful, click Save SIEM Connection.
    If the test is unsuccessful, check your settings and try again.

Edit a SIEM connection

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. Click Menu button > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  3. Locate your configured SIEM connection from the list.
  4. Click the SIEM connection name.
    The Edit SIEM Connection page displays.
  5. Modify the connection Name, URL, certificate verification check, and any of the connection details.
  6. Click Test Settings.
  7. If the test is successful, click Save SIEM Connection.
    If the test is unsuccessful, check your settings and try again.

Delete a SIEM connection

WARNING

Deleting a SIEM connection is an unrecoverable operation.

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. Click Menu button > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  3. Locate your configured SIEM connection from the list.
  4. Click the SIEM connection name.
    The Edit SIEM Connection page displays.
  5. Click Delete.
    A confirmation message displays.
  6. Click OK.
    The connection is deleted.

©2003-2025 BeyondTrust Corporation. All Rights Reserved.