This guide provides instructions on how to:
- Integrate BI events data with Elastic. Elastic supports events push and events pull models
Ensure that you have the following:
- You have a tenant configured for your organization and able to enroll users.
- You have an Elastic cloud account with admin privilege
- The Firewall ports should be open to allow Beyond Identity[BI] to push events to your elastic deployment. Reach out to your BI contact for the ports details
- Create Elastic deployment
- Install Agent, Add to fleet
- Create Agent Policy / Add agent
- Add HTTP Logs Integration to agent policy [Push]
- Push tenant events to Elastic
Create Elastic deployment
You need an Elastic account to create a deployment and configure push or pull. You can start free by accessing https://cloud.elastic.co/registration and sign up for a 14-day trial account
Once you the account is created, click on “Start your free trial”
Provide a Name for your deployment and click “Create deployment”.
After a few seconds, the deployment should be ready. Click on “Continue”
Install Agent, Add to Fleet
Choose the agent platform as per you choice for example a host running in AWS EC2. Once the agent is successfully installed, the custom agent enrollment will display “agent has been enrolled”
You will be able to see the agent listed under Fleet, under Elastic web console=>Management=>Fleet
Create Agent Policy / Add agent
Agents are added to an agent policy and then integrations are attached to the policy. A policy is a collection of inputs and settings that defines the data to be collected by an Elastic Agent. Each Elastic Agent can only be enrolled in a single policy.
Within an Elastic Agent policy is a set of individual integration policies. These integration policies define the settings for each input type. The available settings in an integration depend on the version of the integration in use.
custom HTTP Endpoint Log integration is used for setting up a HTTP listener to post BI data events.
custom HTTPJSON input integration is used to ingest data from BI tenant events API endpoint[https://dataexport-public.byndid.com/v1/events?ordering=desc] to pull data.
Navigate to Fleet under Management, and choose “Agent Policies” Tab. Click on “create agent policy”
Provide a name for the agent policy, for example “Agent Policy 1”. Uncheck “Collect system logs and metrics”. Under “Advanced option”, uncheck “collect agent logs” and “collect agent metrics”. Click “Create agent policy”
Add HTTP Logs Integration to agent policy [Push]
Navigate to Management=>Fleet. Click on “Agent policies”.
Click on “Add integrations”
Type “HTTP” in the search box. In the search results, click “custom HTTP Endpoint Logs”
Click “Add Custom HTTP Endpoint Logs”
Enter “0.0.0.0” for the Listen Address and a value for the listen port, for example 8787. Please note this port must be opened to Beyond Identity to post events. Leave the other settings to defaults. Under “Where to add this integration?”, choose the agent policy created in the section above “Agent Policy 1”
Beyond Identity Configuration
The configuration is done using the BI admin console. Access BI admin console through your SSO integration. Click on “Integrations” and click on “SIEM”. Click on “Add SIEM Integration”
Choose “Elastic” from the drop down.
Provide a name for the configuration. From the events drop down, “select all” events or one the events you are interested in. Click on “Save Changes”
Once SIEM configuration is complete in BI admin console, you will be able to see the events in your Elastic. You can verify with a log search in Elastic, for example
Verification in Elastic
- Access your Elastic URL
- Select “Discover” under “Analytics”
Enter “json.eventData.user.user_name: USER_WHO_AUTHENTICATED_USING_BI“ in the query box. Select the event in the results and click “JSON” on the right.
How to get event types?
Click on https://developer.beyondidentity.com/api/v0#tag/Events/operation/getEvents
Click on arrow next to 200
Click on body
Click on events
event_type lists all the events
Please sign in to leave a comment.