
SIEM settings

Configure SIEM settings to send audit event data to an accessible SIEM provider.

Note: There can only be one SIEM tool configured. If you choose to add details for a new SIEM tool, existing settings data will be lost.

Events are queued and sent in batches at one-minute intervals. This interval is not configurable. A folder is created where the batches are saved. You can open and download each batch file, which stores the event data in JSON format.

Starting in EPM 23.1, the ECS mappings are updated for SIEM integrations.

If you previously configured SIEM settings and selected the ECS format, then there are two ECS format menu items: ECS - Elastic Common Schema and ECS - Elastic Common Schema (Deprecated). To update to the new ECS schema, select ECS - Elastic Common Schema, and then click Validate Settings.

Note: For a list of supported events in 23.1 and later, see EPM ECS events.

Event types

Events include computer, activity, and authorization requests. Events are sent in the selected format (CIM or ECS).

Note: For SIEM integrations using the CIM format or ECS - Elastic Common Schema (Deprecated), we only support a subset of all event types (see the table below).

The following events are logged by Endpoint Privilege Management:

| Event ID | Description |
| --- | --- |
| 100 | Process has started with admin rights added to token. |
| 101 | Process has been started from the shell context menu with admin rights added to token. |
| 103 | Process has started with admin rights dropped from token. |
| 104 | Process has been started from the shell context menu with admin rights dropped from token. |
| 106 | Process has started with no change to the access token (passive mode). |
| 107 | Process has been started from the shell context menu with no change to the access token (passive mode). |
| 109 | Process has started with user's default rights enforced. |
| 110 | Process has started from the shell context menu with user's default rights enforced. |
| 112 | Process requires elevated rights to run. |
| 113 | Process has started with Custom Token applied. |
| 114 | Process has started from the shell context menu with user's Custom Token applied. |
| 116 | Process execution was blocked. |
| 118 | Process started in the context of the authorizing user. |
| 119 | Process started from the shell menu in the context of the authorizing user. |
| 120 | Process execution was canceled by the user. |
| 199 | Process execution was blocked; the maximum number of challenge/response failures was exceeded. |

Configure AWS S3 bucket

You must configure the S3 bucket details before you can configure the SIEM integration in EPM. In AWS, set up the bucket and access to the bucket. This includes:

  • Create a bucket. When creating the bucket, be sure to note the bucket name and region. You need to enter this information when configuring the settings in EPM.
  • Create an access policy. When creating the access policy, the permissions required for the integration include: PutObject, ListAllMyBuckets, GetBucketAcl, and GetBucketLocation.
  • Add a user. When attaching a user to a policy, be sure to select Programmatic access as the access type and Attach existing policies directly as the permission type. Copy the Access Key ID and secret access key to a file; you need to enter these details when configuring the settings in EPM.
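As an added example (not part of the BeyondTrust documentation), the following shell function writes an IAM policy document that grants exactly the four permissions listed above, scoped to a single bucket rather than to all of S3; the bucket name and policy name are placeholders.

```shell
#!/bin/sh
# Added example (not from the BeyondTrust docs): emit a least-privilege IAM
# policy for the EPM SIEM user. Only the four actions the documentation names
# are granted; object and bucket actions are scoped to the one bucket, while
# s3:ListAllMyBuckets is account-wide by design and must use Resource "*".
epm_siem_policy() {
  bucket="$1"   # placeholder: your bucket name
  [ -n "$bucket" ] || { echo "usage: epm_siem_policy <bucket-name>" >&2; return 1; }
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EpmSiemWriteBatches",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${bucket}/*"
    },
    {
      "Sid": "EpmSiemBucketMetadata",
      "Effect": "Allow",
      "Action": ["s3:GetBucketAcl", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Sid": "EpmSiemListBuckets",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}
EOF
}

# Guard against an over-broad policy: fail if any Action value is a wildcard
# (assumes one "Action" key with its value(s) per line, as emitted above).
policy_is_least_privilege() {
  ! grep -E '"Action"' "$1" | grep -Eq '"(s3:)?\*"'
}

# Usage (attach the policy to the programmatic-access user from the steps above):
# epm_siem_policy epm-siem-batches-example > epm-siem-policy.json
# policy_is_least_privilege epm-siem-policy.json &&
#   aws iam create-policy --policy-name EpmSiemS3 --policy-document file://epm-siem-policy.json
```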

Note: For more information, see the following AWS documentation:

  • Create your first S3 bucket
  • Creating IAM policies
  • Creating an IAM user in your AWS account
  • List contents of buckets

Add the AWS S3 bucket in EPM

  1. Select Configuration, and then select SIEM Settings.
  2. Select Enable SIEM Integration to turn on the feature.
  3. From the Integration Type list, select S3.
  4. Enter the details for your storage site:
    • Access Key ID: Enter the value created when you added the user.
    • Secret Access Key: Enter the value created when you added the user.
    • Bucket: Enter the name of the S3 bucket.
    • Region: Select or search for the name of the region where your storage bucket resides.
  5. Select the data format: CIM - Common Information Model or ECS - Elastic Common Schema.
  6. Select Server-Side Encryption to encrypt files sent to the S3 bucket using the default AWS encryption key.
  7. Click Validate Settings to test the connection to your storage site.
  8. Click Save Settings.

If you no longer want the SIEM integration active, click Enable SIEM Integration to turn the feature off.

Add Splunk to EPM

  1. Select Configuration, and then select SIEM Settings.
  2. Select Enable SIEM Integration to turn on the feature.
  3. From the Integration Type list, select Splunk.
  4. Enter the details for your Splunk configuration:
    • Hostname: Do not include https:// in the hostname.
    • Index
    • Token
  5. Select the data format: CIM - Common Information Model or ECS - Elastic Common Schema.
  6. Click Validate Settings to test the connection to Splunk.
  7. Click Save Settings.

Add Microsoft Sentinel to EPM

  1. Select Configuration, and then select SIEM Settings.
  2. Select Enable SIEM Integration to turn on the feature.
  3. From the Integration Type list, select Sentinel.
  4. Enter the details for your Sentinel configuration:
    • Workspace ID: Enter the Sentinel workspace ID. In Sentinel, the workspace ID is located in this path: Settings > Workspace Settings > Agents Management.
    • Workspace Key: Enter the primary key. In Sentinel, the workspace key is located in this path: Settings > Workspace Settings > Agents Management.
    • Custom Log Table Name: The table is listed under the Custom Logs category in Azure Sentinel. A _CL suffix is automatically appended to the end of the custom log table name. A custom log is created if the table name does not exist.
  5. Select the data format: CIM - Common Information Model or ECS - Elastic Common Schema.
  6. Click Validate Settings to test the connection to Sentinel.
  7. Click Save Settings.

Add QRadar to EPM

We recommend using our integration app to integrate EPM and QRadar.

Note: For more information, see Integrate BeyondTrust EPM + IBM QRadar.

To configure QRadar in EPM:

  1. Select Configuration, and then select SIEM Settings.
  2. Select Enable SIEM Integration to turn on the feature.
  3. From the Integration Type list, select QRADAR.
  4. Enter the details for your QRadar configuration:
    • Hostname: Do not include https:// in the hostname.
    • Port
    • Cert: This is the client certificate required when sending events to a syslog server using mutual TLS (mTLS) authentication.
    • Key: This is the mTLS client certificate private key. The private key must be generated as PKCS #8.
  5. Select the data format: CIM - Common Information Model or ECS - Elastic Common Schema.
  6. Click Validate Settings.
  7. Click Save Changes to confirm and save.
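The Key field requires a PKCS #8 private key. As an added example (not part of the BeyondTrust documentation), these shell functions generate a new key directly in that format, convert an existing traditional PEM key, and check the header before the key is pasted in; file names are placeholders, and an unencrypted PKCS #8 key is assumed since the field takes the bare key.

```shell
#!/bin/sh
# Added example (not from the BeyondTrust docs): prepare the mTLS client
# private key for the QRadar Key field, which requires PKCS #8. Keys in the
# traditional "BEGIN RSA PRIVATE KEY" (PKCS #1) or "BEGIN EC PRIVATE KEY"
# (SEC 1) form are converted; new keys are generated directly as PKCS #8.
# File names are placeholders. Unencrypted PKCS #8 is assumed, since the
# field takes the bare key rather than a passphrase-protected file.

# Return 0 if the PEM file carries the unencrypted PKCS #8 header.
pem_key_is_pkcs8() {
  grep -q '^-----BEGIN PRIVATE KEY-----' "$1"
}

# Generate a fresh 2048-bit RSA key; genpkey always writes PKCS #8.
# The subshell umask makes the key file mode 0600 (owner-only).
new_pkcs8_key() {
  ( umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null ) &&
    pem_key_is_pkcs8 "$1"
}

# Convert an existing traditional PEM key to unencrypted PKCS #8 and
# confirm the result has the expected header.
to_pkcs8() {
  ( umask 077
    openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2" ) &&
    pem_key_is_pkcs8 "$2"
}

# Usage:
# to_pkcs8 qradar-client.key qradar-client.pkcs8.key && echo "Key field: paste qradar-client.pkcs8.key"
```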

You must create an API account so QRadar can make API calls to EPM. The account requires read-only access to Audit and Reporting APIs.


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.