Document toolbox

vuln.beyondtrust

Owned by Juan Tomás Alonso Nieto (Deactivated)

Last updated: Feb 29, 2024

2 min read

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 How is data sent to Devo? ] [ 4 Set up the Devo relay rule ] [ 5 Table structure ]

Introduction

The tags beginning with vuln.beyondtrust identify events generated by BeyondTrust vulnerability management.

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as vuln.beyondtrust. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
Beyond Trust vulnerability management	`vuln.beyondtrust.appaudit`	`vuln.beyondtrust.appaudit`
	`vuln.beyondtrust.appaudit.csv`	`vuln.beyondtrust.appaudit`
	`vuln.beyondtrust.pbps`	`vuln.beyondtrust.pbps`
	`vuln.beyondtrust.pbps.csv`	`vuln.beyondtrust.pbps`
	`vuln.beyondtrust.retina`	`vuln.beyondtrust.retina`

For more information, read more About Devo tags.

How is data sent to Devo?

In BeyondTrust solutions, you can set up a connector that enables syslog event forwarding. The events should be directed to a Devo relay where a relay rule applies the correct tag, then forwards the events securely to your Devo domain.

For information about setting up syslog event forwarding, see the BeyondInsight and Password Safe Third-Party Integration Guide.

Set up the Devo relay rule

You will need to set up just one rule that can correctly identify the event type and apply the correct Devo tag. These will be type-4 rules that apply a dynamic tag based upon specific data contained in the inbound event.

In this example we're using port 13007, but you should use the port on your relay that you specified when you set up the remote syslog server in BeyondTrust.

Source port → 13007
Source data → Agent ID: ([^ ]+)
Target tag → vuln.beyondtrust.\\D1
Select the Stop processing checkbox

Click Add rule.

Within a few minutes, the new tables should appear in your Finder.

Table structure

These are the fields displayed in these tables:

vuln.beyondtrust.appaudit
vuln.beyondtrust.pbps
vuln.beyondtrust.retina

vuln.beyondtrust.applaudit

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Field transformation	Source field name	Extra fields
eventdate	`timestamp`
host	`str`
agent_desc	`str`
agent_id	`str`
agent_ver	`str`
category	`str`
source_host	`str`
event_desc	`str`
event_name	`str`
os	`str`
event_severity	`int4`
source_ip	`ip4`
event_subject	`str`
event_type	`str`
user	`str`
workgroup_desc	`str`
workgroup_id	`str`
workgroup_location	`str`
audit_id	`int8`
action_type	`str`
system_name	`str`
app_user_id	`int4`
create_date	`timestamp`	`parsedate(mycreatedate, "M/DD/YYYY h:mm:ss A")`	mycreatedate
ip_address	`ip4`
user_name2	`str`
groupp	`str`
auth_type	`str`
domain_name	`str`
sam_account_name	`str`
source	`str`
message	`str`
address_group_name	`str`
id	`int4`
smart_rule_name	`str`
report_name	`str`
asset_name	`str`
unknown	`str`
rawMessage	`str`
hostchain	`str`			✓
tag	`str`			✓

vuln.beyondtrust.pbps

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Field transformation	Source field name	Extra fields
eventdate	`timestamp`
host	`str`	`split(hostchain, "=", 0)`	hostchain
agent_desc	`str`
agent_id	`str`
agent_ver	`str`
category	`str`
source_host	`str`
event_desc	`str`
event_name	`str`
os	`str`
event_severity	`int4`
source_ip	`ip4`
event_subject	`str`
event_type	`str`
user	`str`
workgroup_desc	`str`
workgroup_id	`str`
workgroup_location	`str`
log_system_id	`int8`
log_time	`str`
user_name	`str`
role_used	`str`
object_type_id	`int4`	`parsedate(mycreatedate, "M/DD/YYYY h:mm:ss A")`	mycreatedate
object_type	`str`
object_id	`int4`
operation	`str`
failed	`str`
target	`str`
details	`str`
user_id	`int4`
time_stamp	`str`
ip_address	`ip4`
unknown	`str`
rawMessage	`str`
hostchain	`str`			✓
tag	`str`			✓

vuln.beyondtrust.retina

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Field transformation	Source field name	Extra fields
eventdate	`timestamp`
host	`str`		hostchain
agent_desc	`str`
agent_id	`str`
agent_ver	`str`
category	`str`
source_host	`str`
event_desc	`str`
event_name	`str`
os	`str`
event_severity	`int4`
source_ip	`ip4`
event_subject	`str`
event_type	`str`
user	`str`
workgroup_desc	`str`
workgroup_id	`str`
workgroup_location	`str`
company_name	`str`
description	`str`
filename	`str`
md5	`str`
signer	`str`		mycreatedate
version	`str`
product_name	`str`
author	`str`
idle_time	`str`
last_result	`str`
logon_mode	`str`
power_management	`str`
run_as_user	`str`
volume_name	`str`
stop_task_hours	`str`
task_name	`str`
task_to_run	`str`
startup_type	`str`
disable_auditing	`str`
disable_auditing_01	`str`
rth_id	`int4`
detected_protocol	`str`
port_state	`str`
port_type	`str`
response_type	`str`
wb_checked	`str`
wb_text	`str`
wb_context	`str`
cpe	`str`
product	`str`
image_path	`str`
detected_protocol_01	`str`		mydetected_protocol
port_state_01	`str`
port_type_01	`str`
version_01	`str`
response_type_01	`str`
free_vir_mem_01	`str`
drive_desc_01	`str`
sys_model_01	`str`
member_count_01	`str`
sid_01	`str`
bad_pw_count_01	`str`
enum_src_01	`str`
asset_name_01	`str`
dns_server	`ip4`
dhcp_name_server	`ip4`
destination	`ip4`
dcal	`str`
dependencies	`str`
state	`str`
alias	`str`
antispy_sig_last_update	`str`
attributes	`str`
dist_name_0	`str`
registry_value	`str`
dns_name_01	`ip4`
prin_group_id	`str`
base_address	`str`
folder_path	`str`
rth_ids_0	`str`
rth_ids_1	`str`
rth_ids_2	`str`
rth_ids_3	`str`
rth_ids_4	`str`
rth_ids_5	`str`
rth_ids_6	`str`
rth_ids_7	`str`
rth_ids_8	`str`
rth_ids_9	`str`
rth_ids_10	`str`
rth_ids_11	`str`
rth_ids_12	`str`
rth_ids_13	`str`
unknown	`str`
rawMessage	`str`
hostchain	`str`			✓
tag	`str`			✓

Related articles