View Source

Introduction

The tags beginning with vuln.beyondtrust identify events generated by BeyondTrust vulnerability management.

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as vuln.beyondtrust. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables
Beyond Trust vulnerability management	`vuln.beyondtrust.appaudit`	`vuln.beyondtrust.appaudit`
	`vuln.beyondtrust.appaudit.csv`	`vuln.beyondtrust.appaudit`
	`vuln.beyondtrust.pbps`	`vuln.beyondtrust.pbps`
	`vuln.beyondtrust.pbps.csv`	`vuln.beyondtrust.pbps`
	`vuln.beyondtrust.retina`	`vuln.beyondtrust.retina`

For more information, read more About Devo tags.

Send it

Data should be sent using the relay.

In BeyondTrust solutions, you can set up a connector that enables syslog event forwarding. The events should be directed to a Devo relay where a relay rule applies the correct tag, then forwards the events securely to your Devo domain.

For information about setting up syslog event forwarding, see the BeyondInsight and Password Safe Third-Party Integration Guide.

Example relay rules

         Source message: 
            Source data: Agent ID: ([^ ]+)
             Source tag: 
             Target tag: vuln.beyondtrust.\\D1
Sent without syslog tag: false
        Stop processing: true

Table structure

These are the fields displayed in these tables:

vuln.beyondtrust.appaudit
vuln.beyondtrust.pbps
vuln.beyondtrust.retina

vuln.beyondtrust.applaudit

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

host

str

agent_desc

str

agent_id

str

agent_ver

str

category

str

source_host

str

event_desc

str

event_name

str

os

str

event_severity

int4

source_ip

ip4

event_subject

str

event_type

str

user

str

workgroup_desc

str

workgroup_id

str

workgroup_location

str

audit_id

int8

action_type

str

system_name

str

app_user_id

int4

create_date

timestamp

parsedate(mycreatedate, "M/DD/YYYY h:mm:ss A")

mycreatedate

ip_address

ip4

user_name2

str

groupp

str

auth_type

str

domain_name

str

sam_account_name

str

source

str

message

str

address_group_name

str

id

int4

smart_rule_name

str

report_name

str

asset_name

str

unknown

str

rawMessage

str

hostchain

str

✓

tag

str

✓

vuln.beyondtrust.pbps

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

host

str

split(hostchain, "=", 0)

hostchain

agent_desc

str

agent_id

str

agent_ver

str

category

str

source_host

str

event_desc

str

event_name

str

os

str

event_severity

int4

source_ip

ip4

event_subject

str

event_type

str

user

str

workgroup_desc

str

workgroup_id

str

workgroup_location

str

log_system_id

int8

log_time

str

user_name

str

role_used

str

object_type_id

int4

parsedate(mycreatedate, "M/DD/YYYY h:mm:ss A")

mycreatedate

object_type

str

object_id

int4

operation

str

failed

str

target

str

details

str

user_id

int4

time_stamp

str

ip_address

ip4

unknown

str

rawMessage

str

hostchain

str

✓

tag

str

✓

vuln.beyondtrust.retina

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

host

str

split(hostchain, "=", 0)

hostchain

agent_desc

str

agent_id

str

agent_ver

str

category

str

source_host

str

event_desc

str

event_name

str

os

str

event_severity

int4

source_ip

ip4

event_subject

str

event_type

str

user

str

workgroup_desc

str

workgroup_id

str

workgroup_location

str

company_name

str

description

str

filename

str

md5

str

signer

str

parsedate(mycreatedate, "M/DD/YYYY h:mm:ss A")

mycreatedate

version

str

product_name

str

author

str

idle_time

str

last_result

str

logon_mode

str

power_management

str

run_as_user

str

volume_name

str

stop_task_hours

str

task_name

str

task_to_run

str

startup_type

str

disable_auditing

str

disable_auditing_01

str

rth_id

int4

detected_protocol

str

port_state

str

port_type

str

response_type

str

wb_checked

str

wb_text

str

wb_context

str

cpe

str

product

str

image_path

str

detected_protocol_01

str

trim(mydetected_protocol)

mydetected_protocol

port_state_01

str

port_type_01

str

version_01

str

response_type_01

str

free_vir_mem_01

str

drive_desc_01

str

sys_model_01

str

member_count_01

str

sid_01

str

bad_pw_count_01

str

enum_src_01

str

asset_name_01

str

dns_server

ip4

dhcp_name_server

ip4

destination

ip4

dcal

str

dependencies

str

state

str

alias

str

antispy_sig_last_update

str

attributes

str

dist_name_0

str

registry_value

str

dns_name_01

ip4

prin_group_id

str

base_address

str

folder_path

str

rth_ids_0

str

rth_ids_1

str

rth_ids_2

str

rth_ids_3

str

rth_ids_4

str

rth_ids_5

str

rth_ids_6

str

rth_ids_7

str

rth_ids_8

str

rth_ids_9

str

rth_ids_10

str

rth_ids_11

str

rth_ids_12

str

rth_ids_13

str

unknown

str

rawMessage

str

hostchain

str

✓

tag

str

✓

Introduction

Valid tags and data tables

Send it

Example relay rules

Table structure

vuln.beyondtrust.applaudit

vuln.beyondtrust.pbps

vuln.beyondtrust.retina

Related articles