This guide provides instructions on how to integrate Beyond Identity (BI) event data with Elastic. Elastic supports both an event push model and an event pull model.
Prerequisites
Ensure that you have the following:
A Beyond Identity tenant configured for your organization that is able to enroll users.
An Elastic Cloud account with admin privileges.
Firewall rules that allow Beyond Identity to push events to your Elastic deployment. Reach out to your BI contact for the port details, and restrict the inbound rule to the sources BI pushes from (if your contact can provide them) rather than opening the port to the internet at large.
Elastic configuration
Create Elastic deployment
Install Agent, Add to fleet
Create Agent Policy / Add agent
Add HTTP Logs Integration to agent policy [Push]
Push tenant events to Elastic
Create Elastic deployment
You need an Elastic account to create a deployment and configure push or pull. You can start free by going to https://cloud.elastic.co/registration and signing up for a 14-day trial account.
Once the account is created, click Start your free trial.
Provide a name for your deployment and click Create deployment.
After a few seconds the deployment should be ready. Click Continue.
Install Agent, Add to Fleet
Choose the agent platform of your choice, for example a host running in AWS EC2. Once the agent is successfully installed, the custom agent enrollment dialog displays "Agent has been enrolled".
You will see the agent listed under Fleet in the Elastic web console (Management > Fleet).
Create Agent Policy / Add agent
Agents are added to an agent policy and then integrations are attached to the policy. A policy is a collection of inputs and settings that defines the data to be collected by an Elastic Agent. Each Elastic Agent can only be enrolled in a single policy.
Within an Elastic Agent policy is a set of individual integration policies. These integration policies define the settings for each input type. The available settings in an integration depend on the version of the integration in use.
The Custom HTTP Endpoint Logs integration sets up an HTTP listener to which BI posts data events (push).
The Custom HTTPJSON Input integration polls the BI tenant events API endpoint (https://dataexport-public.byndid.com/v1/events?ordering=desc) to pull data.
Navigate to Fleet under Management and choose the Agent policies tab. Click Create agent policy.
Provide a name for the agent policy, for example "Agent Policy 1". Uncheck Collect system logs and metrics. Under Advanced options, uncheck Collect agent logs and Collect agent metrics. Click Create agent policy.
Add HTTP Logs Integration to agent policy [Push]
Navigate to Management > Fleet. Click on Agent policies.
Click on Add integrations
Type HTTP in the search box. In the search results, click Custom HTTP Endpoint Logs.
Click Add Custom HTTP Endpoint Logs.
Enter 0.0.0.0 for the Listen Address and a value for the Listen Port, for example 8787. This port must be reachable by Beyond Identity so it can post events. Leave the other settings at their defaults. Note that 0.0.0.0 binds the listener on every interface of the agent host, and with the default settings the endpoint accepts any POST it receives, in cleartext, so limit inbound access on the firewall to the port and sources your BI contact provides. Under Where to add this integration?, choose the agent policy created above, "Agent Policy 1".
Beyond Identity Configuration
The configuration is done in the BI admin console. Access the BI admin console through your SSO integration. Click Integrations, then SIEM, then Add SIEM Integration.
Choose Elastic from the drop-down.
Provide a name for the configuration. From the events drop-down, select all events or only the events you are interested in. Click Save Changes.
Once the SIEM configuration is complete in the BI admin console, events will appear in Elastic. You can verify this with a log search in Elastic, for example the one described under Verification in Elastic below.
Verification in Elastic
Access your Elastic URL
Select “Discover” under “Analytics”
Choose logs-http_endpoint.generic-default
Enter json.eventData.user.user_name: USER_WHO_AUTHENTICATED_USING_BI in the query box, replacing the placeholder with the user name of a user who has authenticated with BI. Select the event in the results and click JSON on the right to view the full document.
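As an added example that is not part of this guide and is not Beyond Identity's or Elastic's code: the exchange below stands in for the push path so it can be exercised before a port is opened. A small listener models what the Custom HTTP Endpoint Logs integration does with a POST (nest the body under json, one document per object, reject unparsable bodies), a client posts constructed BI-style events to it, and a search function reproduces the Discover query json.eventData.user.user_name: <user>. The event fields other than event_type and eventData.user.user_name, the header name X-BI-Webhook-Secret and the shared-secret check itself are assumptions; whether Beyond Identity can send such a header is not stated on this page, so on a real deployment rely on the firewall restriction described above.

```python
import json
import threading
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# http_endpoint nests the posted body under this key by default, which is why
# the verification query on this page starts with "json."
PREFIX = "json"
MAX_BODY = 1 << 20  # refuse oversized bodies instead of buffering them

# Constructed sample events. Only event_type and eventData.user.user_name are
# taken from this page; the other fields are illustrative.
SAMPLE_EVENTS = [
    {"event_type": "authentication",
     "eventData": {"user": {"user_name": "alice@example.com"}, "outcome": "success"}},
    {"event_type": "authentication",
     "eventData": {"user": {"user_name": "bob@example.com"}, "outcome": "failure"}},
]


class Listener(BaseHTTPRequestHandler):
    """Stand-in for the Custom HTTP Endpoint Logs listener."""
    docs = []      # documents "indexed" by this listener
    secret = None  # optional (header_name, expected_value); an assumed hardening, not a page setting

    def do_POST(self):
        if self.secret and self.headers.get(self.secret[0]) != self.secret[1]:
            self.send_error(401, "missing or wrong shared secret")
            return
        length = int(self.headers.get("Content-Length", "0"))
        if length > MAX_BODY:
            self.send_error(413)
            return
        try:
            body = json.loads(self.rfile.read(length))
        except ValueError:
            self.send_error(400, "body is not JSON")
            return
        # A JSON array becomes one document per object, as the real input does.
        received = datetime.now(timezone.utc).isoformat()
        for obj in (body if isinstance(body, list) else [body]):
            self.docs.append({"@timestamp": received, PREFIX: obj})
        reply = b'{"message": "success"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *args):  # keep the demo quiet
        pass


def post(url, payload, secret=None):
    """Post a JSON payload (or raw bytes) the way a SIEM push would; return the HTTP status."""
    data = payload if isinstance(payload, bytes) else json.dumps(payload).encode()
    req = Request(url, data=data, method="POST",
                  headers={"Content-Type": "application/json"})
    if secret:
        req.add_header(*secret)
    try:
        with urlopen(req) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def get_path(doc, dotted):
    """Resolve a dotted field name such as json.eventData.user.user_name."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def search(docs, field, value):
    """Rough equivalent of the Discover query  <field>: <value>  over stored docs."""
    return [d for d in docs if get_path(d, field) == value]


def run_demo():
    """Start a loopback listener, push events with and without the secret, then search."""
    Listener.docs = []
    Listener.secret = ("X-BI-Webhook-Secret", "replace-me")  # assumed header name
    server = HTTPServer(("127.0.0.1", 0), Listener)  # the page binds 0.0.0.0:8787; loopback here
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/" % server.server_address[1]
    try:
        ok = post(url, SAMPLE_EVENTS, Listener.secret)  # array -> 2 documents
        unauth = post(url, SAMPLE_EVENTS[0])            # no secret header -> 401
        bad = post(url, b"not json", Listener.secret)   # unparsable body -> 400
    finally:
        server.shutdown()
        server.server_close()
    hits = search(Listener.docs, "json.eventData.user.user_name", "alice@example.com")
    return {"ok": ok, "unauth": unauth, "bad": bad,
            "stored": len(Listener.docs), "alice_hits": len(hits)}


if __name__ == "__main__":
    print(run_demo())
```

Running the script reports two stored documents from the single array POST, one hit for alice, a 401 for the push without the secret header and a 400 for the non-JSON body. Against a real deployment the same post() call, pointed at http://AGENT_HOST:8787/ without the secret, is a quick way to confirm the listener is reachable and that the document shows up under logs-http_endpoint.generic-default before BI is configured.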
Appendix B
How to get the event types
Open https://developer.beyondidentity.com/api/v0#tag/Events/operation/getEvents
Scroll down
Click the arrow next to 200
Click body
Click events
Scroll down
event_type lists all the event types