
Splunk DB Connect

Splunk DB Connect is a Splunk Enterprise application that you can install in your Splunk Enterprise instance. It retrieves events from a database you define, such as the BeyondTrust Endpoint Privilege Management Reporting database, and inserts those events into Splunk Enterprise.

You can use Splunk DB Connect to query the Export Views for Endpoint Privilege Management.

You can use SQL authentication or any of the default Endpoint Privilege Management Reporting accounts to authenticate with the BeyondTrust database. The default accounts are Report Reader, Event Parser, and Data Admin.

You can retrieve events from your endpoints or your Windows event collector node instead.

Install DB Connect

Prerequisites

  • Splunk Enterprise 6.4.0 or later
  • Java Platform, Standard Edition Development Kit (JDK) from Oracle. JDK is required. The JRE alone is not sufficient.
  • Java Database Connection (JDBC) to connect to databases

For more information, see the following:

Java downloads

Deploy and Use Splunk DB Connect

Install on Splunk Enterprise

  1. Open your Splunk Enterprise instance, and click App: Search & Reporting from the top menu bar.
  2. If DB Connect is installed, it appears in the list. Otherwise, click Find More Apps.
  3. If Splunk can connect to the internet, type DB Connect in the search box and follow the onscreen instructions to install DB Connect. Alternatively, download DB Connect from the Splunk store and install it manually.
  4. Click App: Search & Reporting > Manage Apps to install DB Connect from a separate installer.
  5. Click Install app from file and browse to the location of DB Connect you downloaded.
  6. Click Upload and follow the onscreen instructions to install DB Connect.
  7. After DB Connect is installed, you can access it from the App: Search & Reporting top menu.

Configure Splunk DB Connect

  1. Click App: Search & Reporting > Splunk DB Connect.
  2. Click Configuration > Settings.
  3. On the General tab, configure the path to your JRE installation on the machine hosting Splunk. The JVM Options and Task Server Port are configured by Splunk.
  4. Click Save to confirm your settings.
  5. Click the Databases tab, and then the Identities tab.
  6. Click New Identity. This is the identity (user) Splunk uses to authenticate to the BeyondTrust database to export events.
    • Enter an Identity Name you will use to identify the user.
    • You can either use SQL authentication as shown here, or you can use Windows authentication and any of the Endpoint Privilege Management Reporting accounts that are set up by the installer: Report Reader, Event Parser, and Data Admin.
    • Click Save to confirm your identity.

Note

Use the default permission Splunk Enterprise provides on the Permissions tab.

Create a new Splunk connection

  1. Click the Connections tab. This is where you configure the database you will connect to.
    • Enter a Connection Name. This is to identify the connection in Splunk.
    • Select the Identity you created from the dropdown list.
    • Select the Connection Type, MS SQL Server Using MS Generic Driver.
    • Enter the host IP address of your database server. Leave the port as the default 1433.
    • Enter the Default Database as the one containing your Endpoint Privilege Management Reporting data.
    • You can choose to configure the additional options if they are relevant for your environment.
    • Click Save to save your connection. This will also validate the connection.

Note

Use the default permission Splunk Enterprise provides on the Permissions tab.

  2. Click the Data Lab tab and click New Input on the right-hand side.
    • Enter a Name for you to identify the new Input by. You can also enter a Description if required.
    • Leave the App dropdown list as Splunk DB Connect.
    • Select your Connection from the dropdown menu. This also validates it.
  3. Click Continue. This allows you to choose and preview a table. You can now import the Export Views into Splunk. These are ExportDefendpointStarts, ExportDefendpointLogons, ExportPrivilegedAccountProtection, and ExportProcesses. This example uses the ExportDefendpointStarts view.
    • Select Rising Column. This ensures that each run retrieves only the events added to the Reporting database since the last checkpoint, rather than retrieving the same events repeatedly.
    • You can manually type a SQL query into the field or select the Checkpoint Column and the Checkpoint Value. Use a ? as a placeholder in your SQL query for the Checkpoint Value as you set this manually.
  4. Click Execute to search for the specified events in the Reporting database. This does not insert them into Splunk.

You can modify the SQL query to filter your results. This will help limit the data imported into Splunk Enterprise and your associated costs. For example, this SQL query imports events where the Endpoint Privilege Management version is 4.3.349.0 only.

SELECT *
FROM exportdefendpointstarts
WHERE sessionid > ?
AND AgentVersion='4.0.349.0'
ORDER BY sessionid ASC

  5. Click Execute to search for the events in the Reporting database. These are displayed below.
  6. Click Continue. Set parameters for the input here if required.
  7. Click Continue. Each event imported into Splunk has the metadata you configure here as part of it. You can configure a new Sourcetype from the Settings menu on the top-right if required.
  8. Click Save to confirm your Input Type and start importing events into Splunk.

Repeat steps 7 to 11 for each of the Export Views.

Work with data in Splunk Enterprise

When using Splunk DB Connect to import data, BeyondTrust provides four denormalized views:

  • ExportDefendpointStarts
  • ExportDefendpointLogons
  • ExportPrivilegedAccountProtection
  • ExportProcesses

The views allow you to import BeyondTrust audit data into SIEM systems such as Splunk Enterprise. Each view has a rising column allowing the SIEM system to track the data already imported.

ExportProcesses

Returns the Process Control events such as elevating or blocking applications.

The columns include:

  • ApplicationDescription
  • Publisher
  • ProductVersion
  • UserName
  • HostName
  • WorkstyleName

The view also includes the event action flags:

  • Elevated
  • Blocked
  • Passive

ProcessID is the rising column and ProcessStartTime is the timestamp.
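As an added illustration (not code from this page, BeyondTrust or Splunk), the following Python simulates the rising-column checkpoint behaviour of the DB Connect input described in the procedure above against an in-memory sqlite3 stand-in for the ExportProcesses view, and folds the Elevated, Blocked and Passive flags into a single action field. Table and column names follow the page; the sample rows, the sqlite3 stand-in and the helper names are constructed for this example.

```python
import sqlite3

# Constructed rows standing in for the ExportProcesses view (a subset of its
# columns); ProcessID is the rising column, as the page states. Hypothetical data.
SAMPLE_ROWS = [
    # ProcessID, ProcessStartTime, UserName, HostName, ApplicationDescription, Elevated, Blocked, Passive
    (1, "2017-02-20 13:11:11.217", "EGUser18", "EGHostWin18", r"c:\cygwin64\bin\sh.exe", 1, 0, 0),
    (2, "2017-02-20 13:12:02.000", "EGUser1", "EGHostWin1", "lusrmgr.msc", 0, 1, 0),
    (3, "2017-02-20 13:13:40.500", "EGUser1", "EGHostWin1", "notepad.exe", 0, 0, 1),
]

# Same shape as the DB Connect rising-column query on the page: "?" is bound to
# the checkpoint value, and ORDER BY on the rising column is what makes the last
# ProcessID returned a safe checkpoint for the next poll.
RISING_COLUMN_QUERY = """
SELECT ProcessID, ProcessStartTime, UserName, HostName,
       ApplicationDescription, Elevated, Blocked, Passive
FROM exportprocesses
WHERE ProcessID > ?
ORDER BY ProcessID ASC
"""

def build_sample_db():
    """In-memory stand-in for the Reporting database (sqlite3 also uses ? parameters)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE exportprocesses (ProcessID INTEGER PRIMARY KEY, "
        "ProcessStartTime TEXT, UserName TEXT, HostName TEXT, ApplicationDescription "
        "TEXT, Elevated INTEGER, Blocked INTEGER, Passive INTEGER)"
    )
    conn.executemany("INSERT INTO exportprocesses VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def action_label(elevated, blocked, passive):
    """Collapse the view's event action flags into one label for a SIEM field."""
    if blocked:
        return "Blocked"
    if elevated:
        return "Elevated"
    if passive:
        return "Passive"
    return "Unknown"

def poll_once(conn, checkpoint):
    """Fetch rows above the checkpoint; return (events, new_checkpoint)."""
    rows = conn.execute(RISING_COLUMN_QUERY, (checkpoint,)).fetchall()
    events = [
        {"ProcessID": pid, "_time": start, "UserName": user, "HostName": host,
         "ApplicationDescription": app, "Action": action_label(el, bl, pa)}
        for pid, start, user, host, app, el, bl, pa in rows
    ]
    # No new rows: keep the old checkpoint instead of resetting it.
    return events, (rows[-1][0] if rows else checkpoint)

def simulate_two_polls():
    """A second poll returns only rows inserted after the first (no duplicates)."""
    conn = build_sample_db()
    first, cp = poll_once(conn, 0)
    conn.execute("INSERT INTO exportprocesses VALUES (?,?,?,?,?,?,?,?)",
                 (4, "2017-02-20 13:20:00.000", "EGUser18", "EGHostWin18", "cmd.exe", 0, 1, 0))
    second, cp = poll_once(conn, cp)
    return first, second, cp
```

Without the ORDER BY, the highest ProcessID in a batch is not guaranteed to be the last row returned, so storing the last row as the checkpoint could skip events; the query keeps the ordering for that reason.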

ExportDefendpointLogons

Returns the Logon events in the database.

The columns include:

  • LogonTime
  • UserName
  • HostName
  • WorkstyleName

LogonID is the rising column and LogonTime is the timestamp.

ExportDefendpointStarts

Returns the Endpoint Privilege Management started events in the database.

The columns include:

  • SessionStartTime
  • HostName
  • AgentVersion
  • OS

SessionID is the rising column and SessionStartTime is the timestamp.

ExportPrivilegedAccountProtection

Returns the Privileged Account Protection events in the database.

The columns include:

  • TimeGenerated
  • Access
  • WorkstyleName
  • UserName
  • HostName
  • ApplicationDescription

ID is the rising column and TimeGenerated is the timestamp.

Note

For more information about the fields for each Endpoint Privilege Management export view, see the next section.

Export views

When using Splunk DB Connect to import data, BeyondTrust provides four denormalized export views for Endpoint Privilege Management events:

  • ExportDefendpointStarts
  • ExportDefendpointLogons
  • ExportPrivilegedAccountProtection
  • ExportProcesses

Each of the views can be queried in Splunk. For each view, the following data is sent to Splunk. These Export Views are correct as of Endpoint Privilege Management Reporting 4.5.

ExportDefendpointStarts

| Column name | Type | Length | Index | Description | Example |
|---|---|---|---|---|---|
| SessionID | bigint | | 3 | Ascending Identity | 1 |
| SessionGUID | uniqueidentifier | | | UUID of the session | 5CD221E9-CEB5-441D-B380-CB266400B320 |
| SessionStartTime | datetime | | | Time session started | 2017-01-03 10:24:00.000 |
| SessionEndTime | datetime | | | Always NULL (not used) | NULL |
| HostSID | nvarchar | 200 | 1 | Host SID | S-1-21-123456789-123456789-1635717638-390614945 |
| AgentVersion | nvarchar | 20 | | Endpoint Privilege Management Client Version | 4.0.384.0 |
| ePOMode | int | | | 1 if DP client is in ePO mode, 0 otherwise | 1 |
| CertificateMode | int | | | Certificate Mode | 0 |
| PolicyAuditMode | int | | | Policy Audit Mode | 7 |
| DefaultUILanguage | int | | | Locale Identifier of UI Language | 2057 |
| DefaultLocale | int | | | Locale Identifier of Locale | 2057 |
| SystemDefaultTimezone | int | | | Not set so always 0 | 0 |
| ChassisType | nvarchar | 40 | | Chassis Type | Other |
| HostName | nvarchar | 1024 | 2* | Host name | EGHostWin1 |
| HostNameNETBIOS | nvarchar | 15 | 2* | Host NETBIOS | EGHOSTWIN1 |
| OS | nvarchar | 20 | | OS Version | 6.3 |
| OSProductType | int | 4 | | OS Product Type | 1 |
| PlatformType | nvarchar | 10 | | Platform Type | Windows |
| HostDomainSID | nvarchar | 200 | | Host Domain SID | S-1-21-123456789-123456789-1635717638 |
| HostDomainName | nvarchar | 1024 | | Host Domain | EGDomain |
| HostDomainNameNETBIOS | nvarchar | 15 | | Host Domain NETBIOS | EGDOMAIN |

ExportDefendpointLogons

| Column name | Type | Length | Index | Description | Example |
|---|---|---|---|---|---|
| LogonID | bigint | | 3 | Ascending Identity | 1 |
| LogonGUID | uniqueidentifier | | | UUID of the logon | 819EF606-F9B6-40BE-9C0C-A033A34EC4F8 |
| HostSID | nvarchar | 200 | 1 | Host SID | S-1-21-123456789-123456789-1635717638-390614945 |
| UserSID | nvarchar | 200 | | User SID | S-1-21-123456789-123456789-1635717638-1072059836 |
| LogonTime | datetime | | | Logon Date/Time | 2017-01-03 10:24:00.000 |
| IsAdmin | bit | | | 1 if an admin, 0 otherwise | 0 |
| IsPowerUser | bit | | | 1 if a power user, 0 otherwise | 0 |
| UILanguage | int | | | Locale Identifier of the UI Language | 1033 |
| Locale | int | | | Locale Identifier of the Locale | 2057 |
| UserName | nvarchar | 1024 | | User name | EGUser1 |
| UserDomainSID | nvarchar | 200 | | User Domain SID | S-1-21-123456789-123456789-1635717638 |
| UserDomainName | nvarchar | 1024 | | User Domain | EGDomain |
| UserNameNETBIOS | nvarchar | 15 | | User NETBIOS | EGDOMAIN |
| ChassisType | nvarchar | 40 | | Chassis Type | Docking Station |
| HostName | nvarchar | 1024 | 2* | Host name | EGHostWin1 |
| HostNameNETBIOS | nvarchar | 15 | 2* | Host NETBIOS | EGHOSTWIN1 |
| OS | nvarchar | 20 | | OS Version | 6.3 |
| OSProductType | int | | | OS Product Type | 1 |
| PlatformType | nvarchar | 10 | | Platform Type | Windows |
| HostDomainSID | nvarchar | 200 | | Host Domain SID | S-1-21-123456789-123456789-1635717638 |
| HostDomainName | nvarchar | 1024 | | Host Domain | EGDomain |
| HostDomainNameNETBIOS | nvarchar | 15 | | Host Domain NETBIOS | EGDOMAIN |
| PolicyName | nvarchar | 1024 | | Policy Name | EventGen Test Policy |
| WorkstyleName | nvarchar | 1024 | | Workstyle name | EventGen Test Workstyle |

ExportPrivilegedAccountProtection

| Column name | Type | Length | Index | Description | Example |
|---|---|---|---|---|---|
| ID | bigint | | 1 | Ascending Identity | 1 |
| TimeGenerated | datetime | | | Event Generation Date/Time | |
| CommandLine | nvarchar | 1024 | | Command Line | |
| PrivilegedGroupName | nvarchar | 200 | | Privileged Group Name | Administrators |
| PrivilegedGroupRID | nvarchar | 10 | | Privileged Group Relative Identifier | 544 |
| Access | nvarchar | 200 | | Group Access Details | Add Member, Remove Member, List Members, Read Information |
| PolicyGUID | uniqueidentifier | | | Policy UUID | E7654321-AAAA-5AD2-B954-12342918D604 |
| PolicyName | nvarchar | 1024 | | Policy Name | EventGen Test Policy |
| WorkstyleName | nvarchar | 1024 | | Workstyle name | EventGen Test Workstyle |
| FileName | nvarchar | 255 | | File name | |
| ApplicationHash | nvarchar | 40 | | Application SHA1 | 921CA2B3293F3FCB905B24A9536D8525461DE2A3 |
| ProductCode | nvarchar | 1024 | | Product Code | |
| UpgradeCode | nvarchar | 1024 | | Upgrade Code | |
| FileVersion | nvarchar | 1024 | | File Version | |
| MD5 | nvarchar | 32 | | MD5 Hash | 3279476E39DE235B426D69CFE8DEBF55 |
| UserSID | nvarchar | 200 | | User SID | S-1-21-123456789-123456789-1635717638-1072059836 |
| UserName | nvarchar | 1024 | | User Name | EGUser1 |
| UserDomainSID | nvarchar | 200 | | User Domain SID | S-1-21-123456789-123456789-1635717638 |
| UserDomainName | nvarchar | 1024 | | User Domain | EGDomain |
| UserNameNETBIOS | nvarchar | 15 | | User Domain NETBIOS | EGDOMAIN |
| ChassisType | nvarchar | 40 | | Chassis Type | Other |
| HostSID | nvarchar | 200 | | Host SID | S-1-21-123456789-123456789-1635717638-390614945 |
| HostName | nvarchar | 1024 | | Host Name | EGHostWin1 |
| HostNameNETBIOS | nvarchar | 15 | | Host NETBIOS | EGHOSTWIN1 |
| OS | nvarchar | 20 | | OS Version | 6.3 |
| OSProductType | int | | | OS Product Type | 1 |
| HostDomainSID | nvarchar | 200 | | Host Domain SID | S-1-21-123456789-123456789-1635717638 |
| HostDomainName | nvarchar | 1024 | | Host Domain | EGDomain |
| HostDomainNameNETBIOS | nvarchar | 15 | | Host domain NETBIOS | EGDOMAIN |
| FileOwnerUserSID | nvarchar | 200 | | File Owner SID | S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 |
| FileOwnerUserName | nvarchar | 1024 | | File Owner | NT SERVICE\TrustedInstaller |
| FileOwnerDomainName | nvarchar | 1024 | | File Owner Domain | NT SERVICE |
| ApplicationURI | nvarchar | 1024 | | URI of a macOS application | com.apple.preference.datetime |
| ApplicationDescription | nvarchar | 2048 | | Application description | lusrmgr.msc |
| FirstDiscovered | datetime | | | First time app was seen | 2017-01-03 10:25:50.110 |
| FirstExecuted | datetime | | | First time app was executed | 2017-01-03 10:24:00.000 |
| PlatformType | nvarchar | 10 | | Platform Type | Windows |
| ProductName | nvarchar | 1024 | | Product name | |
| ProductVersion | nvarchar | 1024 | | Product version | |
| Publisher | nvarchar | 1024 | | Publisher | Microsoft Windows |
| TrustedOwner | bit | | | 1 if a trusted owner, 0 otherwise | 1 |

ExportProcesses

| Column name | Type | Length | Index | Description | Example |
|---|---|---|---|---|---|
| ProcessID | bigint | | 4 | Ascending Identity | 1 |
| ProcessGUID | uniqueidentifier | | 2 | UUID of the process | 98C99D96-6DFA-4C95-9A87-C8665C166286 |
| EventNumber | int | | | Event Number. See List of Events section. | 153 |
| TimeGenerated | datetime | | | Event generation date/time | 2017-02-20 13:11:11.217 |
| TimeReceived | datetime | | | Event received at ER date/time | 2017-02-20 13:16:28.047 |
| EventGUID | uniqueidentifier | | | Event UUID | 9F8EB86C-AA0D-42B9-8720-166FAB91F1ED |
| PID | int | | | Process ID | 8723 |
| ParentPID | int | | | Parent Process ID | 142916 |
| CommandLine | nvarchar | 1024 | | Command Line | "C:\cygwin64\bin\sh.exe" |
| FileName | nvarchar | 255 | | File Name | c:\cygwin64\bin\sh.exe |
| ProcessStartTime | datetime | | 1 | Date/Time Process Started | 2017-02-20 13:11:11.217 |
| Reason | nvarchar | 1024 | | Reason entered by user | |
| ClientIPV4 | nvarchar | 15 | | Client IP Address | 10.0.9.58 |
| ClientName | nvarchar | 1024 | | Client Name | L-CNU410DJJ7 |
| UACTriggered | bit | | | 1 if UAC shown | 0 |
| ParentProcessUniqueID | uniqueidentifier | | | Parent process UUID | C404C7F5-3A93-4C0E-81BC-9902D220C21E |
| COMCLSID | uniqueidentifier | | | COM CLSID | NULL |
| COMAppID | uniqueidentifier | | | COM Application ID | NULL |
| COMDisplayName | nvarchar | 1024 | | COM Display Name | |
| ApplicationType | nvarchar | 4 | | Application Type | svc |
| TokenGUID | uniqueidentifier | | | UUID of token in policy | F30A3824-27AF-4D69-9125-C78E44764AC1 |
| Executed | bit | | | 1 if executed, 0 otherwise | 1 |
| Elevated | bit | | | 1 if elevated, 0 otherwise | 1 |
| Blocked | bit | | | 1 if blocked, 0 otherwise | 0 |
| Passive | bit | | | 1 if passive, 0 otherwise | 0 |
| Cancelled | bit | | | 1 if cancelled, 0 otherwise | 0 |
| DropAdmin | bit | | | 1 if admin rights dropped, 0 otherwise | 0 |
| EnforceUsersDefault | bit | | | 1 if user default permissions were enforced, 0 otherwise | 0 |
| Custom | bit | | | 1 if Custom Token, 0 otherwise | 0 |
| SourceURL | nvarchar | 2048 | | Source URL | |
| AuthorizationChallenge | nvarchar | 9 | | Challenge Response authorization code | |
| WindowsStoreAppName | nvarchar | 200 | | Windows Store application name (appx app type only) | |
| WindowsStoreAppPublisher | nvarchar | 200 | | Windows Store application publisher (appx app type only) | |
| WindowsStoreAppVersion | nvarchar | 200 | | Windows Store application version (appx app type only) | |
| DeviceType | nvarchar | 40 | | Device Type | Fixed Disk |
| ServiceName | nvarchar | 1024 | | Service name (svc events only) | |
| ServiceDisplayName | nvarchar | 1024 | | Service Display Name (svc app type only) | |
| PowerShellCommand | nvarchar | 1024 | | PowerShell Command (ps1/rpsc/rpss app types only) | |
| ApplicationPolicyDescription | nvarchar | 1024 | | Policy Description | |
| SandboxGUID | uniqueidentifier | | | Sandbox UUID (sandbox events only) | NULL |
| SandboxName | nvarchar | 1024 | | Sandbox Name (sandbox events only) | NULL |
| BrowseSourceURL | nvarchar | 2048 | | Sandbox browse source (sandbox events only) | |
| BrowseDestinationURL | nvarchar | 2048 | | Sandbox destination source (sandbox events only) | |
| Classification | nvarchar | 200 | | Sandbox classification (sandbox events only) | Private (Local) |
| IEZoneTag | nvarchar | 200 | | IE Zone Tag | |
| OriginSandbox | nvarchar | 40 | | Origin Sandbox | |
| OriginIEZone | nvarchar | 40 | | Origin IE Zone | |
| TargetSandbox | nvarchar | 40 | | Target Sandbox | |
| TargetIEZone | nvarchar | 40 | | Target IE Zone | |
| AuthRequestURI | nvarchar | 1024 | | Authorization request URL (osx challenge/response only) | |
| PlatformVersion | nvarchar | 10 | | Platform Version | |
| ControlAuthorization | bit | | | 1 if Endpoint Privilege Management authorized this macOS application | 0 |
| TrustedApplicationName | nvarchar | 1024 | | Name of the trusted application | Microsoft Word |
| TrustedApplicationVersion | nvarchar | 1024 | | Version of the trusted application | 11.1715.14393.0 |
| ParentProcessFileName | nvarchar | 1024 | | Parent process file name | Google Chrome |
| ApplicationHash | nvarchar | 40 | | SHA1 of the application | C22FF10511ECCEA1824A8DE64B678619C21B4BEE |
| ProductCode | nvarchar | 1024 | | Product Code | |
| UpgradeCode | nvarchar | 1024 | | Upgrade Code | |
| FileVersion | nvarchar | 1024 | | File Version | |
| MD5 | nvarchar | 32 | | MD5 hash of the app | 6E641CAE42A2A7C89442AF99613FE6D6 |
| TokenAssignmentGUID | uniqueidentifier | | | UUID of the token assignment in the policy | E7654321-BBBB-5AD2-B954-1234DDC7A89D |
| TokenAssignmentIsShell | bit | | | Token assignment is for shell | 1 |
| UserSID | nvarchar | 200 | | User SID | S-1-21-123456789-123456789-16357176381125883508 |
| UserName | nvarchar | 1024 | | User Name | EGUser18 |
| UserDomainSID | nvarchar | 200 | | User Domain SID | S-1-21-123456789-123456789-1635717638 |
| UserDomainName | nvarchar | 1024 | | User Domain | EGDomain |
| UserDomainNameNETBIOS | nvarchar | 15 | | User Domain NETBIOS | EGDOMAIN |
| ChassisType | nvarchar | 40 | | Chassis Type | Laptop |
| HostSID | nvarchar | 200 | | Host SID | S-1-21-123456789-123456789-1635717638775838649 |
| HostName | nvarchar | 1024 | 3* | Host Name | EGHostWin18 |
| HostNameNETBIOS | nvarchar | 15 | 3* | Host NETBIOS | EGHOSTWIN18 |
| OS | nvarchar | | | OS Version | 10.0 |
| OSProductType | int | | | OS Product Type | |
| HostDomainSID | nvarchar | 200 | | Host Domain SID | S-1-21-123456789-123456789-1635717638 |
| HostDomainName | nvarchar | 1024 | | Host Domain | EGDomain |
| HostDomainNameNETBIOS | nvarchar | 15 | | Host Domain NETBIOS | EGDOMAIN |
| AuthUserSID | nvarchar | 200 | | Authorizing User SID | |
| AuthUserName | nvarchar | 1024 | | Authorizing User | |
| AuthUserDomainSID | nvarchar | 200 | | Authorizing User Domain SID | |
| AuthUserDomainName | nvarchar | 1024 | | Authorizing User Domain | |
| AuthUserDomainNameNETBIOS | nvarchar | 15 | | Authorizing User Domain NETBIOS | |
| FileOwnerUserSID | nvarchar | 200 | | File Owner SID | S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 |
| FileOwnerUserName | nvarchar | 1024 | | File Owner | NT SERVICE\TrustedInstaller |
| FileOwnerDomainSID | nvarchar | 200 | | File Owner Domain SID | S-1-5-80 |
| FileOwnerDomainName | nvarchar | 1024 | | File Owner Domain | NT SERVICE |
| FileOwnerDomainNameNETBIOS | nvarchar | 15 | | File Owner Domain NETBIOS | |
| ApplicationURI | nvarchar | 1024 | | URI of the macOS Application | com.apple.preference.datetime |
| ApplicationDescription | nvarchar | 2048 | | Application Description | c:\cygwin64\bin\sh.exe |
| FirstDiscovered | datetime | | | Time application first seen | 2017-02-07 09:14:39.413 |
| FirstExecuted | datetime | | | Time application first executed | 2017-02-07 09:07:00.000 |
| PlatformType | nvarchar | 10 | | Platform Type | Windows |
| ProductName | nvarchar | 1024 | | Product Name | ADelRCP Dynamic Link Library |
| ProductVersion | nvarchar | 1024 | | Product Version | 15.10.20056.167417 |
| Publisher | nvarchar | 1024 | | Publisher | Adobe Systems, Incorporated |
| TrustedOwner | bit | | | 1 if a trusted owner, 0 otherwise | 0 |
| MessageGUID | uniqueidentifier | | | UUID of the message in the policy | 00000000-0000-0000-0000-000000000000 |
| MessageName | nvarchar | 1024 | | Name of the message in the policy | Block Message |
| MessageType | nvarchar | 40 | | Message Type | Prompt |
| AppGroupGUID | uniqueidentifier | | | UUID of the Application Group in the Policy | 47E4A204-FC06-428B-8E73-1E36E3A65430 |
| AppGroupName | nvarchar | 1024 | | Application Group Name in the Policy | Test Policy.test |
| PolicyID | bigint | | | Internal ID of the Policy | 2 |
| PolicyGUID | uniqueidentifier | | | UUID of the Policy | E7654321-AAAA-5AD2-B954-12342918D604 |
| PolicyName | nvarchar | 1024 | | Policy Name | EventGen Test Policy |
| WorkstyleName | nvarchar | 1024 | | Workstyle Name | EventGen Test Workstyle |
| ContentFileName | nvarchar | 255 | | Content File Name | c:\users\user.wp-epo-win7-64\downloads\con29 selectable feestable (1).pdf |
| ContentFileDescription | nvarchar | 1024 | | Content File Description | |
| ContentFileVersion | nvarchar | 1024 | | Content File Version | |
| ContentOwnerSID | nvarchar | 200 | | Content Owner SID | S-1-21-123456789-123456789-1635717638-1072059836 |
| ContentOwnerName | nvarchar | 1024 | | Content Owner | EGUser1 |
| ContentOwnerDomainSID | nvarchar | 200 | | Content Owner Domain SID | S-1-5-21-2217285736-120021366-3854014904 |
| ContentOwnerDomainName | nvarchar | 1024 | | Content Owner Domain | BEYONDTRUSTTEST58\BEYONDTRUSTTEST58.QA |
| ContentOwnerDomainNameNetBIOS | nvarchar | 15 | | Content Owner Domain NETBIOS | BEYONDTRUSTTEST58 |
| UninstallAction | nvarchar | 20 | | The uninstall action carried out | Change/Modify |
| TokenName | nvarchar | 20 | | The name of the event action | Blocked |
| TieStatus | int | | | Threat Intelligence Exchange status for the reputation of this application | 0 |
| TieScore | int | | | Threat Intelligence Exchange score for the application | |
| VtStatus | int | | | VirusTotal status for the reputation of this application | |
| RuleScriptFileName | nvarchar | 200 | | The name in config of the script associated with the rule | Get-McAfeeGTIReputation |
| RuleScriptName | nvarchar | 200 | | The name of the script set by interface | Get-McAfeeGTIReputation |
| RuleScriptVersion | nvarchar | 20 | | Version number of the script | 1.1.0 |
| RuleScriptPublisher | nvarchar | 200 | | Publisher that signed the script | BeyondTrust |
| RuleScriptRuleAffected | bit | | | True when the script has set all settable rule properties; otherwise false | True |
| RuleScriptStatus | nvarchar | 100 | | Success, or why the configured script didn't run or set rule properties | Success |
| RuleScriptResult | nvarchar | 1024 | | Result of the script run | Script ran successfully |
| RuleScriptOutput | nvarchar | 1024 | | The output of the script | |
| AuthorizationSource | nvarchar | 200 | | The Authorizing User Credential Source | |
| AuthMethods | nvarchar | 1024 | | The type of authentication method selected in the Policy Editor. Possible values: Identity Provider, Password, Challenge Response, Smart Card and User Request. Multiple values can be present and will be comma separated. | |
| IdPAuthentication | nvarchar | 400 | | The credential provided when adding an Identity Provider authorization message in the Policy Editor. | |

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.