SIEM connections

What are SIEM connections?

A SIEM connection refers to the relationship or integration between a Security Information and Event Management (SIEM) system and the endpoints in your network.

How are they useful to my organization?

SIEM connections provide a centralized and automated way to monitor, detect, analyze, and respond to security threats across your network.

Add a new Elasticsearch SIEM connection

  1. Click > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  2. In the SIEM Connections panel, click Add Connection.
    The Create New SIEM Connection page displays.
  3. On the Create New SIEM Connection page, select Elasticsearch from the SIEM Connection Type drop-down list.
  4. Enter a connection Name.
  5. Enter the SIEM URL.
  6. Optionally, select the option to Verify certificate.
    Select this option if using an unknown signer (for example, if a self-signed certificate is in use).
  7. Expand the Elasticsearch section.
  8. Select a Credential Option (either Username and password or API Key) and enter the required information.
  9. Optionally, enter a CloudID to define the instance location.

    Note: You can define the Elasticsearch instance location using two methods within EPM Cloud for Linux:

    • Directly specify the URL: This specifies the location of Elasticsearch but contains no information about the location of Kibana.
    • Provide a CloudID: This encodes the locations of both Elasticsearch and Kibana. Only connections using CloudID can identify the location to deploy the Kibana dashboard.
  10. Click Test Settings.
  11. If the test is successful, click Save SIEM Connection.
    If the test is unsuccessful, check your settings and try again.
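To make the note on CloudID concrete, the following added example (written for this page, not BeyondTrust or Elastic code) decodes a Cloud ID into its Elasticsearch and Kibana endpoints using Elastic's documented layout, `<deployment-name>:<base64(host[:port]$es-uuid$kibana-uuid)>`, which is why only a CloudID can locate Kibana while a plain URL cannot. The deployment name, host and UUIDs in the sample are constructed placeholders.

```python
import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class CloudLocations:
    name: str
    elasticsearch_url: str
    kibana_url: str


def parse_cloud_id(cloud_id: str) -> CloudLocations:
    """Decode an Elastic Cloud ID into its Elasticsearch and Kibana endpoints.

    Layout: "<deployment-name>:<base64(host[:port]$es-uuid$kibana-uuid)>".
    Raises ValueError for anything that does not fit that layout.
    """
    name, sep, encoded = cloud_id.partition(":")
    if not sep or not name or not encoded:
        raise ValueError("Cloud ID must look like '<name>:<base64-payload>'")
    try:
        payload = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("Cloud ID payload is not valid base64") from exc
    parts = payload.split("$")
    if len(parts) != 3 or not all(parts):
        raise ValueError("payload must be 'host[:port]$es-uuid$kibana-uuid'")
    host, es_uuid, kibana_uuid = parts
    # The port is optional in the payload; Elastic Cloud defaults to 443.
    if ":" in host:
        hostname, _, port_text = host.rpartition(":")
        port = int(port_text)
    else:
        hostname, port = host, 443
    # Each service lives on its own UUID-prefixed subdomain of the shared host.
    return CloudLocations(
        name=name,
        elasticsearch_url=f"https://{es_uuid}.{hostname}:{port}",
        kibana_url=f"https://{kibana_uuid}.{hostname}:{port}",
    )


def make_cloud_id(name: str, host: str, es_uuid: str, kibana_uuid: str) -> str:
    """Build a Cloud ID from its parts (used here only to construct a sample)."""
    payload = f"{host}${es_uuid}${kibana_uuid}".encode("utf-8")
    return f"{name}:{base64.b64encode(payload).decode('ascii')}"


# Constructed sample Cloud ID; the host and UUIDs are placeholders, not a real deployment.
SAMPLE_CLOUD_ID = make_cloud_id("epml-demo", "cloud.example.test:9243", "es0123abcd", "kb4567efgh")

if __name__ == "__main__":
    loc = parse_cloud_id(SAMPLE_CLOUD_ID)
    print(loc.elasticsearch_url)
    print(loc.kibana_url)
```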

Add a new Logstash SIEM connection

  1. Click > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  2. In the SIEM Connections panel, click Add Connection.
    The Create New SIEM Connection page displays.
  3. On the Create New SIEM Connection page, select Logstash from the SIEM Connection Type drop-down list.
  4. Enter a connection Name.
  5. Enter the SIEM URL.
  6. Optionally, select the option to Verify certificate.
    Select this option if using an unknown signer (for example, if a self-signed certificate is in use).
  7. Expand the Logstash Connection Details section.
  8. Enter the Username and password.
  9. Click Test Settings.
  10. If the test is successful, click Save SIEM Connection.
    If the test is unsuccessful, check your settings and try again.

Add a Splunk Cloud SIEM connection

Use Splunk Cloud and Splunk Enterprise with EPM Cloud for Linux to read data from EPM-L, including event logs and I/O logs.

Two Splunk indexes are provided in this implementation:

  • beyondtrust-epml-ecs-eventlog for event logs
  • beyondtrust-epml-ecs-iolog for IO logs

The index names cannot be changed.

Prerequisites

  • Splunk Cloud instance
  • Allowlist the Splunk Cloud search-api to use the unified search feature. The Splunk Cloud search-api allowlist requires an entry of 0.0.0.0/0 (that is, all IPv4 source addresses). In your Splunk Cloud instance, go to Configure IP allow lists using Splunk Web.

Add Splunk connection details

  1. Click > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  2. In the SIEM Connections panel, click Add Connection.
    The Create New SIEM Connection page displays.
  3. On the Create New SIEM Connection page, select Splunk or Splunk Cloud from the SIEM Connection Type drop-down list.
  4. Add the name and URL for the Splunk instance.
  5. Optionally, select the option to Verify certificate.
    Select this option if using an unknown signer (for example, if a self-signed certificate is in use).
  6. Expand Splunk Connection Details, and add the credentials to authenticate to the Splunk instance.
  7. Click Test Settings.
  8. If the test is successful, click Save SIEM Connection.
    If the test is unsuccessful, check your settings and try again.

Edit a SIEM connection

  1. Click > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  2. Locate your configured SIEM connection from the list.
  3. Click the SIEM connection name.
    The Edit SIEM Connection page displays.
  4. Modify the connection Name, URL, certificate verification check, and any of the connection details.
  5. Click Test Settings.
  6. If the test is successful, click Save SIEM Connection.
    If the test is unsuccessful, check your settings and try again.

Delete a SIEM connection

WARNING: Deleting a SIEM connection is an unrecoverable operation.

  1. Click > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  2. Locate your configured SIEM connection from the list.
  3. Click the SIEM connection name.
    The Edit SIEM Connection page displays.
  4. Click Delete.
    A confirmation message displays.
  5. Click OK.
    The connection is deleted.

©2003-2025 BeyondTrust Corporation. All Rights Reserved.