{
  "name": "beyondtrust_pra",
  "title": "BeyondTrust PRA",
  "version": "0.4.0",
  "release": "beta",
  "description": "Collect logs from BeyondTrust PRA with Elastic Agent.",
  "type": "integration",
  "download": "/epr/beyondtrust_pra/beyondtrust_pra-0.4.0.zip",
  "path": "/package/beyondtrust_pra/0.4.0",
  "icons": [
    {
      "src": "/img/beyondtrust_pra-logo.png",
      "path": "/package/beyondtrust_pra/0.4.0/img/beyondtrust_pra-logo.png",
      "title": "BeyondTrust PRA",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.18.0 || ^9.0.0"
    },
    "elastic": {
      "subscription": "basic"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security",
    "iam",
    "network_security"
  ],
  "signature_path": "/epr/beyondtrust_pra/beyondtrust_pra-0.4.0.zip.sig",
  "format_version": "3.3.2",
  "readme": "/package/beyondtrust_pra/0.4.0/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/beyondtrust-pra-dashboard.png",
      "path": "/package/beyondtrust_pra/0.4.0/img/beyondtrust-pra-dashboard.png",
      "title": "Overview Dashboard",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/beyondtrust_pra/0.4.0/LICENSE.txt",
    "/package/beyondtrust_pra/0.4.0/changelog.yml",
    "/package/beyondtrust_pra/0.4.0/manifest.yml",
    "/package/beyondtrust_pra/0.4.0/validation.yml",
    "/package/beyondtrust_pra/0.4.0/docs/README.md",
    "/package/beyondtrust_pra/0.4.0/img/beyondtrust-pra-dashboard.png",
    "/package/beyondtrust_pra/0.4.0/img/beyondtrust_pra-logo.png",
    "/package/beyondtrust_pra/0.4.0/data_stream/access_session/manifest.yml",
    "/package/beyondtrust_pra/0.4.0/data_stream/access_session/sample_event.json",
    "/package/beyondtrust_pra/0.4.0/kibana/dashboard/beyondtrust_pra-7227e888-45cd-4e05-8ac3-f7d18c367bec.json",
    "/package/beyondtrust_pra/0.4.0/kibana/search/beyondtrust_pra-6738050a-2a9a-403a-b785-9ea93f0aff61.json",
    "/package/beyondtrust_pra/0.4.0/data_stream/access_session/fields/base-fields.yml",
    "/package/beyondtrust_pra/0.4.0/data_stream/access_session/fields/beats.yml",
    "/package/beyondtrust_pra/0.4.0/data_stream/access_session/fields/fields.yml",
    "/package/beyondtrust_pra/0.4.0/data_stream/access_session/agent/stream/input.yml.hbs",
    "/package/beyondtrust_pra/0.4.0/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml"
  ],
  "policy_templates": [
    {
      "name": "beyondtrust_pra",
      "title": "BeyondTrust PRA",
      "description": "Collect logs from BeyondTrust PRA.",
      "inputs": [
        {
          "type": "cel",
          "vars": [
            {
              "name": "url",
              "type": "url",
              "title": "URL",
              "description": "Base URL of BeyondTrust PRA.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_id",
              "type": "text",
              "title": "Client ID",
              "description": "Client ID of BeyondTrust PRA.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "Client Secret of BeyondTrust PRA.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "proxy_url",
              "type": "url",
              "title": "Proxy URL",
              "description": "Proxy configuration in the form of https://<user>:<password>@<server name/ip>:<port>.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration for the host, e.g. certificate_authorities, supported_protocols, verification_mode.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect BeyondTrust PRA logs via API",
          "description": "Collecting BeyondTrust PRA logs via API."
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "beyondtrust_pra.access_session",
      "title": "Access Session",
      "release": "beta",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the logs from BeyondTrust PRA. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the BeyondTrust PRA API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling request tracing compromises security, because the logged requests and responses can contain sensitive data such as credentials, and it should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve beyondtrust_pra.access_session fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "beyondtrust_pra-access_session"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "input.yml.hbs",
          "title": "Access Session logs",
          "description": "Collect Access Session logs from BeyondTrust PRA.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "beyondtrust_pra",
      "elasticsearch": {
        "index_template.mappings": {
          "dynamic_templates": [
            {
              "_embedded_ecs-ecs_timestamp": {
                "mapping": {
                  "ignore_malformed": false,
                  "type": "date"
                },
                "path_match": "@timestamp"
              }
            },
            {
              "_embedded_ecs-data_stream_to_constant": {
                "mapping": {
                  "type": "constant_keyword"
                },
                "path_match": "data_stream.*"
              }
            },
            {
              "_embedded_ecs-resolved_ip_to_ip": {
                "mapping": {
                  "type": "ip"
                },
                "match": "resolved_ip"
              }
            },
            {
              "_embedded_ecs-forwarded_ip_to_ip": {
                "mapping": {
                  "type": "ip"
                },
                "match": "forwarded_ip",
                "match_mapping_type": "string"
              }
            },
            {
              "_embedded_ecs-ip_to_ip": {
                "mapping": {
                  "type": "ip"
                },
                "match": "ip",
                "match_mapping_type": "string"
              }
            },
            {
              "_embedded_ecs-x509_public_key_exponent_non_indexed_long": {
                "mapping": {
                  "doc_values": false,
                  "index": false,
                  "type": "long"
                },
                "path_match": "*.x509.public_key_exponent"
              }
            },
            {
              "_embedded_ecs-port_to_long": {
                "mapping": {
                  "type": "long"
                },
                "match": "port"
              }
            },
            {
              "_embedded_ecs-thread_id_to_long": {
                "mapping": {
                  "type": "long"
                },
                "path_match": "*.thread.id"
              }
            },
            {
              "_embedded_ecs-status_code_to_long": {
                "mapping": {
                  "type": "long"
                },
                "match": "status_code"
              }
            },
            {
              "_embedded_ecs-line_to_long": {
                "mapping": {
                  "type": "long"
                },
                "path_match": "*.file.line"
              }
            },
            {
              "_embedded_ecs-priority_to_long": {
                "mapping": {
                  "type": "long"
                },
                "path_match": "log.syslog.priority"
              }
            },
            {
              "_embedded_ecs-code_to_long": {
                "mapping": {
                  "type": "long"
                },
                "path_match": "*.facility.code"
              }
            },
            {
              "_embedded_ecs-code_to_long": {
                "mapping": {
                  "type": "long"
                },
                "path_match": "*.severity.code"
              }
            },
            {
              "_embedded_ecs-bytes_to_long": {
                "mapping": {
                  "type": "long"
                },
                "match": "bytes",
                "path_unmatch": "*.data.bytes"
              }
            },
            {
              "_embedded_ecs-packets_to_long": {
                "mapping": {
                  "type": "long"
                },
                "match": "packets"
              }
            },
            {
              "_embedded_ecs-public_key_exponent_to_long": {
                "mapping": {
                  "type": "long"
                },
                "match": "public_key_exponent"
              }
            },
            {
              "_embedded_ecs-severity_to_long": {
                "mapping": {
                  "type": "long"
                },
                "path_match": "event.severity"
              }
            },
            {
              "_embedded_ecs-duration_to_long": {
                "mapping": {
                  "type": "long"
                },
                "path_match": "event.duration"
              }
            },
            {
              "_embedded_ecs-pid_to_long": {
                "mapping": {
                  "type": "long"
                },
                "match": "pid"
              }
            },
            {
              "_embedded_ecs-uptime_to_long": {
                "mapping": {
                  "type": "long"
                },
                "match": "uptime"
              }
            },
            {
              "_embedded_ecs-sequence_to_long": {
                "mapping": {
                  "type": "long"
                },
                "match": "sequence"
              }
            },
            {
              "_embedded_ecs-entropy_to_long": {
                "mapping": {
                  "type": "long"
                },
                "match": "*entropy"
              }
            },
            {
              "_embedded_ecs-size_to_long": {
                "mapping": {
                  "type": "long"
                },
                "match": "*size"
              }
            },
            {
              "_embedded_ecs-entrypoint_to_long": {
                "mapping": {
                  "type": "long"
                },
                "match": "entrypoint"
              }
            },
            {
              "_embedded_ecs-ttl_to_long": {
                "mapping": {
                  "type": "long"
                },
                "match": "ttl"
              }
            },
            {
              "_embedded_ecs-major_to_long": {
                "mapping": {
                  "type": "long"
                },
                "match": "major"
              }
            },
            {
              "_embedded_ecs-minor_to_long": {
                "mapping": {
                  "type": "long"
                },
                "match": "minor"
              }
            },
            {
              "_embedded_ecs-as_number_to_long": {
                "mapping": {
                  "type": "long"
                },
                "path_match": "*.as.number"
              }
            },
            {
              "_embedded_ecs-pgid_to_long": {
                "mapping": {
                  "type": "long"
                },
                "match": "pgid"
              }
            },
            {
              "_embedded_ecs-exit_code_to_long": {
                "mapping": {
                  "type": "long"
                },
                "match": "exit_code"
              }
            },
            {
              "_embedded_ecs-chi_to_long": {
                "mapping": {
                  "type": "long"
                },
                "match": "chi2"
              }
            },
            {
              "_embedded_ecs-args_count_to_long": {
                "mapping": {
                  "type": "long"
                },
                "match": "args_count"
              }
            },
            {
              "_embedded_ecs-virtual_address_to_long": {
                "mapping": {
                  "type": "long"
                },
                "match": "virtual_address"
              }
            },
            {
              "_embedded_ecs-io_text_to_wildcard": {
                "mapping": {
                  "type": "wildcard"
                },
                "path_match": "*.io.text"
              }
            },
            {
              "_embedded_ecs-strings_to_wildcard": {
                "mapping": {
                  "type": "wildcard"
                },
                "path_match": "registry.data.strings"
              }
            },
            {
              "_embedded_ecs-path_to_wildcard": {
                "mapping": {
                  "type": "wildcard"
                },
                "path_match": "*url.path"
              }
            },
            {
              "_embedded_ecs-message_id_to_wildcard": {
                "mapping": {
                  "type": "wildcard"
                },
                "match": "message_id"
              }
            },
            {
              "_embedded_ecs-command_line_to_multifield": {
                "mapping": {
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  },
                  "type": "wildcard"
                },
                "match": "command_line"
              }
            },
            {
              "_embedded_ecs-error_stack_trace_to_multifield": {
                "mapping": {
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  },
                  "type": "wildcard"
                },
                "match": "stack_trace"
              }
            },
            {
              "_embedded_ecs-http_content_to_multifield": {
                "mapping": {
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  },
                  "type": "wildcard"
                },
                "path_match": "*.body.content"
              }
            },
            {
              "_embedded_ecs-url_full_to_multifield": {
                "mapping": {
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  },
                  "type": "wildcard"
                },
                "path_match": "*url.full"
              }
            },
            {
              "_embedded_ecs-url_original_to_multifield": {
                "mapping": {
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  },
                  "type": "wildcard"
                },
                "path_match": "*url.original"
              }
            },
            {
              "_embedded_ecs-user_agent_original_to_multifield": {
                "mapping": {
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  },
                  "type": "wildcard"
                },
                "path_match": "user_agent.original"
              }
            },
            {
              "_embedded_ecs-error_message_to_match_only": {
                "mapping": {
                  "type": "match_only_text"
                },
                "path_match": "error.message"
              }
            },
            {
              "_embedded_ecs-message_match_only_text": {
                "mapping": {
                  "type": "match_only_text"
                },
                "path_match": "message"
              }
            },
            {
              "_embedded_ecs-event_original_non_indexed_keyword": {
                "mapping": {
                  "doc_values": false,
                  "index": false,
                  "type": "keyword"
                },
                "path_match": "event.original"
              }
            },
            {
              "_embedded_ecs-agent_name_to_keyword": {
                "mapping": {
                  "type": "keyword"
                },
                "path_match": "agent.name"
              }
            },
            {
              "_embedded_ecs-service_name_to_keyword": {
                "mapping": {
                  "type": "keyword"
                },
                "path_match": "*.service.name"
              }
            },
            {
              "_embedded_ecs-sections_name_to_keyword": {
                "mapping": {
                  "type": "keyword"
                },
                "path_match": "*.sections.name"
              }
            },
            {
              "_embedded_ecs-resource_name_to_keyword": {
                "mapping": {
                  "type": "keyword"
                },
                "path_match": "*.resource.name"
              }
            },
            {
              "_embedded_ecs-observer_name_to_keyword": {
                "mapping": {
                  "type": "keyword"
                },
                "path_match": "observer.name"
              }
            },
            {
              "_embedded_ecs-question_name_to_keyword": {
                "mapping": {
                  "type": "keyword"
                },
                "path_match": "*.question.name"
              }
            },
            {
              "_embedded_ecs-group_name_to_keyword": {
                "mapping": {
                  "type": "keyword"
                },
                "path_match": "*.group.name"
              }
            },
            {
              "_embedded_ecs-geo_name_to_keyword": {
                "mapping": {
                  "type": "keyword"
                },
                "path_match": "*.geo.name"
              }
            },
            {
              "_embedded_ecs-host_name_to_keyword": {
                "mapping": {
                  "type": "keyword"
                },
                "path_match": "host.name"
              }
            },
            {
              "_embedded_ecs-severity_name_to_keyword": {
                "mapping": {
                  "type": "keyword"
                },
                "path_match": "*.severity.name"
              }
            },
            {
              "_embedded_ecs-title_to_multifield": {
                "mapping": {
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  },
                  "type": "keyword"
                },
                "match": "title"
              }
            },
            {
              "_embedded_ecs-executable_to_multifield": {
                "mapping": {
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  },
                  "type": "keyword"
                },
                "match": "executable"
              }
            },
            {
              "_embedded_ecs-file_path_to_multifield": {
                "mapping": {
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  },
                  "type": "keyword"
                },
                "path_match": "*.file.path"
              }
            },
            {
              "_embedded_ecs-file_target_path_to_multifield": {
                "mapping": {
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  },
                  "type": "keyword"
                },
                "path_match": "*.file.target_path"
              }
            },
            {
              "_embedded_ecs-name_to_multifield": {
                "mapping": {
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  },
                  "type": "keyword"
                },
                "match": "name"
              }
            },
            {
              "_embedded_ecs-full_name_to_multifield": {
                "mapping": {
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  },
                  "type": "keyword"
                },
                "match": "full_name"
              }
            },
            {
              "_embedded_ecs-os_full_to_multifield": {
                "mapping": {
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  },
                  "type": "keyword"
                },
                "path_match": "*.os.full"
              }
            },
            {
              "_embedded_ecs-working_directory_to_multifield": {
                "mapping": {
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  },
                  "type": "keyword"
                },
                "match": "working_directory"
              }
            },
            {
              "_embedded_ecs-timestamp_to_date": {
                "mapping": {
                  "type": "date"
                },
                "match": "timestamp"
              }
            },
            {
              "_embedded_ecs-delivery_timestamp_to_date": {
                "mapping": {
                  "type": "date"
                },
                "match": "delivery_timestamp"
              }
            },
            {
              "_embedded_ecs-not_after_to_date": {
                "mapping": {
                  "type": "date"
                },
                "match": "not_after"
              }
            },
            {
              "_embedded_ecs-not_before_to_date": {
                "mapping": {
                  "type": "date"
                },
                "match": "not_before"
              }
            },
            {
              "_embedded_ecs-accessed_to_date": {
                "mapping": {
                  "type": "date"
                },
                "match": "accessed"
              }
            },
            {
              "_embedded_ecs-origination_timestamp_to_date": {
                "mapping": {
                  "type": "date"
                },
                "match": "origination_timestamp"
              }
            },
            {
              "_embedded_ecs-created_to_date": {
                "mapping": {
                  "type": "date"
                },
                "match": "created"
              }
            },
            {
              "_embedded_ecs-installed_to_date": {
                "mapping": {
                  "type": "date"
                },
                "match": "installed"
              }
            },
            {
              "_embedded_ecs-creation_date_to_date": {
                "mapping": {
                  "type": "date"
                },
                "match": "creation_date"
              }
            },
            {
              "_embedded_ecs-ctime_to_date": {
                "mapping": {
                  "type": "date"
                },
                "match": "ctime"
              }
            },
            {
              "_embedded_ecs-mtime_to_date": {
                "mapping": {
                  "type": "date"
                },
                "match": "mtime"
              }
            },
            {
              "_embedded_ecs-ingested_to_date": {
                "mapping": {
                  "type": "date"
                },
                "match": "ingested"
              }
            },
            {
              "_embedded_ecs-start_to_date": {
                "mapping": {
                  "type": "date"
                },
                "match": "start"
              }
            },
            {
              "_embedded_ecs-end_to_date": {
                "mapping": {
                  "type": "date"
                },
                "match": "end"
              }
            },
            {
              "_embedded_ecs-score_base_to_float": {
                "mapping": {
                  "type": "float"
                },
                "path_match": "*.score.base"
              }
            },
            {
              "_embedded_ecs-score_temporal_to_float": {
                "mapping": {
                  "type": "float"
                },
                "path_match": "*.score.temporal"
              }
            },
            {
              "_embedded_ecs-score_to_float": {
                "mapping": {
                  "type": "float"
                },
                "match": "*_score"
              }
            },
            {
              "_embedded_ecs-score_norm_to_float": {
                "mapping": {
                  "type": "float"
                },
                "match": "*_score_norm"
              }
            },
            {
              "_embedded_ecs-usage_to_float": {
                "mapping": {
                  "scaling_factor": 1000,
                  "type": "scaled_float"
                },
                "match": "usage"
              }
            },
            {
              "_embedded_ecs-location_to_geo_point": {
                "mapping": {
                  "type": "geo_point"
                },
                "match": "location"
              }
            },
            {
              "_embedded_ecs-same_as_process_to_boolean": {
                "mapping": {
                  "type": "boolean"
                },
                "match": "same_as_process"
              }
            },
            {
              "_embedded_ecs-established_to_boolean": {
                "mapping": {
                  "type": "boolean"
                },
                "match": "established"
              }
            },
            {
              "_embedded_ecs-resumed_to_boolean": {
                "mapping": {
                  "type": "boolean"
                },
                "match": "resumed"
              }
            },
            {
              "_embedded_ecs-max_bytes_per_process_exceeded_to_boolean": {
                "mapping": {
                  "type": "boolean"
                },
                "match": "max_bytes_per_process_exceeded"
              }
            },
            {
              "_embedded_ecs-interactive_to_boolean": {
                "mapping": {
                  "type": "boolean"
                },
                "match": "interactive"
              }
            },
            {
              "_embedded_ecs-exists_to_boolean": {
                "mapping": {
                  "type": "boolean"
                },
                "match": "exists"
              }
            },
            {
              "_embedded_ecs-trusted_to_boolean": {
                "mapping": {
                  "type": "boolean"
                },
                "match": "trusted"
              }
            },
            {
              "_embedded_ecs-valid_to_boolean": {
                "mapping": {
                  "type": "boolean"
                },
                "match": "valid"
              }
            },
            {
              "_embedded_ecs-go_stripped_to_boolean": {
                "mapping": {
                  "type": "boolean"
                },
                "match": "go_stripped"
              }
            },
            {
              "_embedded_ecs-coldstart_to_boolean": {
                "mapping": {
                  "type": "boolean"
                },
                "match": "coldstart"
              }
            },
            {
              "_embedded_ecs-exports_to_flattened": {
                "mapping": {
                  "type": "flattened"
                },
                "match": "exports"
              }
            },
            {
              "_embedded_ecs-structured_data_to_flattened": {
                "mapping": {
                  "type": "flattened"
                },
                "match": "structured_data"
              }
            },
            {
              "_embedded_ecs-imports_to_flattened": {
                "mapping": {
                  "type": "flattened"
                },
                "match": "*imports"
              }
            },
            {
              "_embedded_ecs-attachments_to_nested": {
                "mapping": {
                  "type": "nested"
                },
                "match": "attachments"
              }
            },
            {
              "_embedded_ecs-segments_to_nested": {
                "mapping": {
                  "type": "nested"
                },
                "match": "segments"
              }
            },
            {
              "_embedded_ecs-elf_sections_to_nested": {
                "mapping": {
                  "type": "nested"
                },
                "path_match": "*.elf.sections"
              }
            },
            {
              "_embedded_ecs-pe_sections_to_nested": {
                "mapping": {
                  "type": "nested"
                },
                "path_match": "*.pe.sections"
              }
            },
            {
              "_embedded_ecs-macho_sections_to_nested": {
                "mapping": {
                  "type": "nested"
                },
                "path_match": "*.macho.sections"
              }
            }
          ]
        },
        "ingest_pipeline.name": "default"
      },
      "path": "access_session"
    }
  ]
}
