{
  "name": "beyondtrust_epm",
  "title": "BeyondTrust EPM",
  "version": "0.1.0",
  "release": "beta",
  "description": "Collect logs from BeyondTrust EPM with Elastic Agent.",
  "type": "integration",
  "download": "/epr/beyondtrust_epm/beyondtrust_epm-0.1.0.zip",
  "path": "/package/beyondtrust_epm/0.1.0",
  "icons": [
    {
      "src": "/img/beyondtrust_epm-logo.svg",
      "path": "/package/beyondtrust_epm/0.1.0/img/beyondtrust_epm-logo.svg",
      "title": "BeyondTrust EPM logo",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.18.0 || ^9.0.0"
    },
    "elastic": {
      "subscription": "basic"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security"
  ],
  "signature_path": "/epr/beyondtrust_epm/beyondtrust_epm-0.1.0.zip.sig",
  "format_version": "3.3.2",
  "readme": "/package/beyondtrust_epm/0.1.0/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/beyondtrust_epm-audit.png",
      "path": "/package/beyondtrust_epm/0.1.0/img/beyondtrust_epm-audit.png",
      "title": "Audit Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/beyondtrust-epm-event.png",
      "path": "/package/beyondtrust_epm/0.1.0/img/beyondtrust-epm-event.png",
      "title": "BeyondTrust EPM Event Dashboard",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/beyondtrust_epm/0.1.0/LICENSE.txt",
    "/package/beyondtrust_epm/0.1.0/changelog.yml",
    "/package/beyondtrust_epm/0.1.0/manifest.yml",
    "/package/beyondtrust_epm/0.1.0/validation.yml",
    "/package/beyondtrust_epm/0.1.0/docs/README.md",
    "/package/beyondtrust_epm/0.1.0/img/beyondtrust-epm-event.png",
    "/package/beyondtrust_epm/0.1.0/img/beyondtrust_epm-audit.png",
    "/package/beyondtrust_epm/0.1.0/img/beyondtrust_epm-logo.svg",
    "/package/beyondtrust_epm/0.1.0/data_stream/audit/manifest.yml",
    "/package/beyondtrust_epm/0.1.0/data_stream/audit/sample_event.json",
    "/package/beyondtrust_epm/0.1.0/data_stream/event/manifest.yml",
    "/package/beyondtrust_epm/0.1.0/data_stream/event/sample_event.json",
    "/package/beyondtrust_epm/0.1.0/kibana/dashboard/beyondtrust_epm-20f84912-15d7-4fa5-94eb-a2c945a6d477.json",
    "/package/beyondtrust_epm/0.1.0/kibana/dashboard/beyondtrust_epm-2ed6e850-d14a-4504-940c-49eb04afe9b8.json",
    "/package/beyondtrust_epm/0.1.0/data_stream/audit/fields/base-fields.yml",
    "/package/beyondtrust_epm/0.1.0/data_stream/audit/fields/beats.yml",
    "/package/beyondtrust_epm/0.1.0/data_stream/audit/fields/ecs.yml",
    "/package/beyondtrust_epm/0.1.0/data_stream/audit/fields/fields.yml",
    "/package/beyondtrust_epm/0.1.0/data_stream/event/fields/base-fields.yml",
    "/package/beyondtrust_epm/0.1.0/data_stream/event/fields/beats.yml",
    "/package/beyondtrust_epm/0.1.0/data_stream/event/fields/ecs.yml",
    "/package/beyondtrust_epm/0.1.0/data_stream/event/fields/fields.yml",
    "/package/beyondtrust_epm/0.1.0/data_stream/audit/agent/stream/aws-s3.yml.hbs",
    "/package/beyondtrust_epm/0.1.0/data_stream/audit/agent/stream/cel.yml.hbs",
    "/package/beyondtrust_epm/0.1.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml",
    "/package/beyondtrust_epm/0.1.0/data_stream/event/agent/stream/aws-s3.yml.hbs",
    "/package/beyondtrust_epm/0.1.0/data_stream/event/agent/stream/cel.yml.hbs",
    "/package/beyondtrust_epm/0.1.0/data_stream/event/elasticsearch/ingest_pipeline/default.yml",
    "/package/beyondtrust_epm/0.1.0/data_stream/event/elasticsearch/ingest_pipeline/pipeline-file-endpoint.yml",
    "/package/beyondtrust_epm/0.1.0/data_stream/event/elasticsearch/ingest_pipeline/pipeline-host-infrastructure.yml",
    "/package/beyondtrust_epm/0.1.0/data_stream/event/elasticsearch/ingest_pipeline/pipeline-identity-user.yml",
    "/package/beyondtrust_epm/0.1.0/data_stream/event/elasticsearch/ingest_pipeline/pipeline-metadata-observability.yml",
    "/package/beyondtrust_epm/0.1.0/data_stream/event/elasticsearch/ingest_pipeline/pipeline-network-transport.yml",
    "/package/beyondtrust_epm/0.1.0/data_stream/event/elasticsearch/ingest_pipeline/pipeline-process.yml",
    "/package/beyondtrust_epm/0.1.0/data_stream/event/elasticsearch/ingest_pipeline/pipeline-service-application.yml",
    "/package/beyondtrust_epm/0.1.0/data_stream/event/elasticsearch/ingest_pipeline/pipeline-threat-security.yml"
  ],
  "policy_templates": [
    {
      "name": "beyondtrust_epm",
      "title": "BeyondTrust EPM",
      "description": "Collect logs from BeyondTrust EPM.",
      "inputs": [
        {
          "type": "cel",
          "vars": [
            {
              "name": "url",
              "type": "url",
              "title": "URL",
              "description": "Base URL of the BeyondTrust EPM instance.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_id",
              "type": "text",
              "title": "Client ID",
              "description": "Client ID obtained from BeyondTrust EPM instance.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "Client Secret obtained from BeyondTrust EPM instance.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http[s]://<user>:<password>@<server name/ip>:<port>. Please ensure your username and password are in URL encoded format.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect BeyondTrust EPM logs via API",
          "description": "Collecting BeyondTrust EPM logs via API."
        },
        {
          "type": "aws-s3",
          "vars": [
            {
              "name": "collect_s3_logs",
              "type": "bool",
              "title": "Collect logs via S3 Bucket",
              "description": "To collect logs via S3 bucket enable the toggle switch. By default, it will collect logs via SQS Queue.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "access_key_id",
              "type": "password",
              "title": "Access Key ID",
              "description": "First part of access key. This parameter along with the secret_access_key parameter is required if we are not providing shared_credential_file.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "secret_access_key",
              "type": "password",
              "title": "Secret Access Key",
              "description": "Second part of access key. This parameter along with the access_key_id parameter is required if we are not providing shared_credential_file.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "region",
              "type": "text",
              "title": "[SQS] Region",
              "description": "The name of the AWS region of the end point. If this option is given it takes precedence over the region name obtained from the queue_url value.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "session_token",
              "type": "password",
              "title": "Session Token",
              "description": "Required when using temporary security credentials.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "shared_credential_file",
              "type": "text",
              "title": "Shared Credential File",
              "description": "Directory of the shared credentials file. This parameter is required if we are not providing value for the parameters - secret_access_key and access_key_id.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "credential_profile_name",
              "type": "text",
              "title": "Credential Profile Name",
              "description": "Profile name in shared credentials file.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "role_arn",
              "type": "text",
              "title": "Role ARN",
              "description": "AWS IAM Role to assume.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "default_region",
              "type": "text",
              "title": "Default AWS Region",
              "description": "Default region to query if no other region is set. Most AWS services offer a regional endpoint that can be used to make requests. Some services, such as IAM, do not support regions. If a region is not provided by any other way (environment variable, credential or instance profile), the value set here will be used.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": ""
            },
            {
              "name": "endpoint",
              "type": "text",
              "title": "Endpoint",
              "description": "URL of the entry point for an AWS web service.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "fips_enabled",
              "type": "bool",
              "title": "FIPS Enabled",
              "description": "Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http[s]://<user>:<password>@<server name/ip>:<port>. Please ensure your username and password are in URL encoded format.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect Beyondtrust EPM logs via AWS S3 or AWS SQS",
          "description": "Collecting logs from Beyondtrust EPM via AWS S3 or AWS SQS."
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "beyondtrust_epm.audit",
      "title": "Collect Audit logs from BeyondTrust EPM",
      "release": "beta",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the logs from BeyondTrust EPM API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the BeyondTrust EPM API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "page_size",
              "type": "integer",
              "title": "Page Size",
              "description": "Page size for the response of the BeyondTrust EPM API. The maximum supported page size is 200.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 200
            },
            {
              "name": "max_executions",
              "type": "integer",
              "title": "Maximum Pages Per Interval",
              "description": "Maximum Pages Per Interval is the maximum number of pages that can be collected at each interval.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 1000
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "description": "Tags for the data-stream.",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "beyondtrust_epm-audit"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "BeyondTrust EPM Audit Logs",
          "description": "Collect Audit logs from BeyondTrust EPM via the ActivityAudits API.",
          "enabled": false,
          "ingestion_method": "API"
        },
        {
          "input": "aws-s3",
          "vars": [
            {
              "name": "bucket_arn",
              "type": "text",
              "title": "[S3] Bucket ARN",
              "description": "ARN of the AWS S3 bucket that will be polled for list operation. It is a required parameter for collecting logs via the AWS S3 Bucket unless you set an Access Point ARN. In case both configurations are added, this one takes precedence.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "access_point_arn",
              "type": "text",
              "title": "[S3] Access Point ARN",
              "description": "ARN of the AWS S3 Access Point that will be polled for list operation. Mandatory if the \"Collect logs via S3 Bucket\" switch is on. It is a required parameter for collecting logs via the AWS S3 Bucket unless you set a Bucket ARN.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "bucket_list_prefix",
              "type": "text",
              "title": "[S3] Bucket Prefix",
              "description": "Prefix to apply for the list request to the S3 bucket.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "interval",
              "type": "text",
              "title": "[S3] Interval",
              "description": "Listing of the S3 bucket will be polled according to the time interval defined by bucket_list_interval config. Default value is 120 secs. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "120s"
            },
            {
              "name": "number_of_workers",
              "type": "integer",
              "title": "[S3] Number of Workers",
              "description": "Number of workers that will process the S3 objects listed.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": 5
            },
            {
              "name": "start_timestamp",
              "type": "text",
              "title": "[S3] Start Timestamp",
              "description": "If set, only read S3 objects with last modified timestamp newer than the given timestamp. Accepts a timestamp in `YYYY-MM-DDTHH:MM:SSZ` format. For example, '2020-10-10T10:30:00Z' (UTC) or '2020-10-10T10:30:00Z+02:30' (with zone offset).",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "[S3] Ignore Older Timespan",
              "description": "If set, ignore S3 objects whose Last-Modified time is before the ignore older timespan. Timespan is checked from the current time to S3 object's Last-Modified time. Accepts a duration like `48h`, `2h30m`.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "queue_url",
              "type": "text",
              "title": "[SQS] Queue URL",
              "description": "URL of the AWS SQS queue that messages will be received from. It is a required parameter for collecting logs via the AWS SQS.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "visibility_timeout",
              "type": "text",
              "title": "[SQS] Visibility Timeout",
              "description": "The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "300s"
            },
            {
              "name": "api_timeout",
              "type": "text",
              "title": "[SQS] API Timeout",
              "description": "The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "120s"
            },
            {
              "name": "max_number_of_messages",
              "type": "integer",
              "title": "[SQS] Maximum Concurrent SQS Messages",
              "description": "Deprecated in agent version 8.16.0, this parameter is ignored if present, use number_of_workers instead. The maximum number of SQS messages that can be inflight at any time.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": 5
            },
            {
              "name": "file_selectors",
              "type": "yaml",
              "title": "[SQS] File Selectors",
              "description": "If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global content_type and expand_event_list_from_field values are ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that do not match one of the regexes will not be processed.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "external_id",
              "type": "text",
              "title": "External ID",
              "description": "External ID to use when assuming a role in another account.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "beyondtrust_epm-audit"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "aws-s3.yml.hbs",
          "title": "BeyondTrust EPM Audit logs via AWS S3 or SQS",
          "description": "Collecting BeyondTrust EPM Audit logs via AWS S3 or SQS input.",
          "enabled": false,
          "ingestion_method": "AWS S3"
        }
      ],
      "package": "beyondtrust_epm",
      "path": "audit"
    },
    {
      "type": "logs",
      "dataset": "beyondtrust_epm.event",
      "title": "Collect Event logs from BeyondTrust EPM",
      "release": "beta",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the event data from BeyondTrust EPM on first run. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the BeyondTrust EPM API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "operating_system",
              "type": "text",
              "title": "Operating System",
              "description": "Operating system name for which events to be collected.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "max_executions",
              "type": "integer",
              "title": "Maximum Pages Per Interval",
              "description": "Maximum Pages Per Interval is the maximum number of pages that can be collected at each interval. It must be greater than zero.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 1000
            },
            {
              "name": "page_size",
              "type": "integer",
              "title": "Page Size",
              "description": "The number of records to request per page from the BeyondTrust EPM API. The maximum supported page size is 200.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 200
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "description": "Tags for the data-stream.",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "beyondtrust_epm-event"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "BeyondTrust EPM Event Logs",
          "description": "Collect event logs from BeyondTrust EPM via the Events search API.",
          "enabled": true,
          "ingestion_method": "API"
        },
        {
          "input": "aws-s3",
          "vars": [
            {
              "name": "bucket_arn",
              "type": "text",
              "title": "[S3] Bucket ARN",
              "description": "ARN of the AWS S3 bucket that will be polled for list operation. It is a required parameter for collecting logs via the AWS S3 Bucket unless you set an Access Point ARN. In case both configurations are added, this one takes precedence.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "access_point_arn",
              "type": "text",
              "title": "[S3] Access Point ARN",
              "description": "ARN of the AWS S3 Access Point that will be polled for list operation. Mandatory if the \"Collect logs via S3 Bucket\" switch is on. It is a required parameter for collecting logs via the AWS S3 Bucket unless you set a Bucket ARN.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "bucket_list_prefix",
              "type": "text",
              "title": "[S3] Bucket Prefix",
              "description": "Prefix to apply for the list request to the S3 bucket.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "interval",
              "type": "text",
              "title": "[S3] Interval",
              "description": "Listing of the S3 bucket will be polled according to the time interval defined by bucket_list_interval config. Default value is 120 secs. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "120s"
            },
            {
              "name": "number_of_workers",
              "type": "integer",
              "title": "[S3] Number of Workers",
              "description": "Number of workers that will process the S3 objects listed.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": 5
            },
            {
              "name": "start_timestamp",
              "type": "text",
              "title": "[S3] Start Timestamp",
              "description": "If set, only read S3 objects with last modified timestamp newer than the given timestamp. Accepts a timestamp in `YYYY-MM-DDTHH:MM:SSZ` format. For example, '2020-10-10T10:30:00Z' (UTC) or '2020-10-10T10:30:00Z+02:30' (with zone offset).",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "[S3] Ignore Older Timespan",
              "description": "If set, ignore S3 objects whose Last-Modified time is before the ignore older timespan. Timespan is checked from the current time to S3 object's Last-Modified time. Accepts a duration like `48h`, `2h30m`.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "queue_url",
              "type": "text",
              "title": "[SQS] Queue URL",
              "description": "URL of the AWS SQS queue that messages will be received from. It is a required parameter for collecting logs via the AWS SQS.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "visibility_timeout",
              "type": "text",
              "title": "[SQS] Visibility Timeout",
              "description": "The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "300s"
            },
            {
              "name": "api_timeout",
              "type": "text",
              "title": "[SQS] API Timeout",
              "description": "The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "120s"
            },
            {
              "name": "max_number_of_messages",
              "type": "integer",
              "title": "[SQS] Maximum Concurrent SQS Messages",
              "description": "Deprecated in agent version 8.16.0, this parameter is ignored if present, use number_of_workers instead. The maximum number of SQS messages that can be inflight at any time.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": 5
            },
            {
              "name": "file_selectors",
              "type": "yaml",
              "title": "[SQS] File Selectors",
              "description": "If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global content_type and expand_event_list_from_field values are ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that do not match one of the regexes will not be processed.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "external_id",
              "type": "text",
              "title": "External ID",
              "description": "External ID to use when assuming a role in another account.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "beyondtrust_epm-event"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "aws-s3.yml.hbs",
          "title": "BeyondTrust EPM Event logs via AWS S3 or SQS",
          "description": "Collecting BeyondTrust EPM Event logs via AWS S3 or SQS input.",
          "enabled": false,
          "ingestion_method": "AWS S3"
        }
      ],
      "package": "beyondtrust_epm",
      "path": "event"
    }
  ]
}
