diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 4cc5f06baead8..f6a496e2857f1 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -748,6 +748,11 @@ plaid/assets/logs/ @DataDog/saa
 /cato_networks/manifest.json @DataDog/saas-integrations @DataDog/documentation
 /cato_networks/assets/logs/ @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-integrations-reviewers
 
+/beyondtrust_privileged_remote_access/ @DataDog/agent-integrations
+/beyondtrust_privileged_remote_access/*.md @DataDog/agent-integrations @DataDog/documentation
+/beyondtrust_privileged_remote_access/manifest.json @DataDog/agent-integrations @DataDog/documentation
+/beyondtrust_privileged_remote_access/assets/logs/ @DataDog/agent-integrations @DataDog/documentation @DataDog/logs-integrations-reviewers
+
 /cisco_asa/ @DataDog/agent-integrations
 /cisco_asa/*.md @DataDog/agent-integrations @DataDog/documentation
 /cisco_asa/manifest.json @DataDog/agent-integrations @DataDog/documentation
diff --git a/.github/workflows/config/labeler.yml b/.github/workflows/config/labeler.yml
index c68170d5a7b54..9e39a5d8ec1d9 100644
--- a/.github/workflows/config/labeler.yml
+++ b/.github/workflows/config/labeler.yml
@@ -97,6 +97,8 @@ integration/beyondtrust_identity_security_insights:
 - beyondtrust_identity_security_insights/**/*
 integration/beyondtrust_password_safe:
 - beyondtrust_password_safe/**/*
+integration/beyondtrust_privileged_remote_access:
+- beyondtrust_privileged_remote_access/**/*
 integration/bitdefender:
 - bitdefender/**/*
 integration/bitwarden:
diff --git a/beyondtrust_privileged_remote_access/CHANGELOG.md b/beyondtrust_privileged_remote_access/CHANGELOG.md
new file mode 100644
index 0000000000000..50fa2e61dc11f
--- /dev/null
+++ b/beyondtrust_privileged_remote_access/CHANGELOG.md
@@ -0,0 +1,4 @@
+# CHANGELOG - beyondtrust_privileged_remote_access
+
+
+
diff --git a/beyondtrust_privileged_remote_access/README.md b/beyondtrust_privileged_remote_access/README.md new file mode 100644 index 0000000000000..201cebf82a77a --- /dev/null +++ b/beyondtrust_privileged_remote_access/README.md 
@@ -0,0 +1,216 @@ +## Overview + +[BeyondTrust Privileged Remote Access][3] securely manages and controls remote access to critical systems for privileged users, such as administrators, IT personnel, and third-party vendors. + +Integrate BeyondTrust Privileged Remote Access with Datadog to gain insights into BeyondTrust Privileged Remote Access logs using pre-built dashboard visualizations. Datadog uses its built-in log pipelines to parse and enrich these logs, facilitating easy search and detailed insights. The integration can also be used for Cloud SIEM detection rules for enhanced monitoring and security. + +**Minimum Agent version:** 7.77.0 + +## Setup + +### Prerequisites +- `rsyslog` (version 8.2302 or higher) with valid TLS certificates present on the server. + +### Configuration + +#### Configure File Rotation Script + +1. Create the script file. + ```shell + sudo mkdir -p /etc/rsyslog.d/scripts + sudo vi /etc/rsyslog.d/scripts/file_rotate.sh + ``` + +2. Add the following content to the script: + ```shell + #!/bin/bash + + LOGFILE="/var/log/rsyslog_logs/beyondtrust_pra.log" + + last_line=$(tail -n 1 "$LOGFILE") + + num1=$(echo "$last_line" | grep -oE '[0-9]+:[0-9]+:[0-9]+' | tail -n 1 | cut -d: -f2) + num1=$(printf "%d" "$num1") + LAST_LINES=$(tail -n "$num1" "$LOGFILE") + + # Capture permissions, owner, group + PERMS=$(stat -c "%a" "$LOGFILE") + OWNER=$(stat -c "%U" "$LOGFILE") + GROUP=$(stat -c "%G" "$LOGFILE") + + # Remove the original file + rm -f "$LOGFILE" + + # Recreate file with same permissions + touch "$LOGFILE" + chmod "$PERMS" "$LOGFILE" + chown "$OWNER:$GROUP" "$LOGFILE" + + # Write back the last lines + printf "%s\n" "$LAST_LINES" > "$LOGFILE" + ``` + +3. 
Set Ownership and Permissions for Scripts + ```shell + sudo chown -R syslog:syslog /etc/rsyslog.d/scripts + sudo chmod 777 /etc/rsyslog.d/scripts + sudo chmod 500 /etc/rsyslog.d/scripts/file_rotate.sh + ``` + +#### Certificate Directory Setup + +Store the TLS certificates in the directory using the file names mentioned in the table below. These files will be referenced directly in the rsyslog configuration. + +```shell +sudo mkdir -p /etc/rsyslog.d/certs +``` + +| Filename | Description | +|----------------|--------------------------------------------------------------------------------------| +| rootCA.pem | Certificate authority (CA) certificate that signed the rsyslog server certificate. | +| fullchain.pem | rsyslog server certificate along with any required intermediate certificates. | +| server.key | Private key corresponding to the rsyslog server certificate | + +Set ownership and permissions so that the syslog user can access the certificates. + +```shell +sudo chown -R syslog:syslog /etc/rsyslog.d/certs +sudo chmod -R 500 /etc/rsyslog.d/certs +``` + +#### Configure rsyslog +1. Open the main configuration file. + ```shell + sudo vi /etc/rsyslog.conf + ``` +2. Add the following TLS settings to receive BeyondTrust PRA logs: + Replace the ``, ``, and `` with actual values. 
+ ```shell + module(load="imfile") + + $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat + $FileCreateMode 0640 + $DirCreateMode 0550 + $Umask 0022 + + $MaxMessageSize 64k + $IncludeConfig /etc/rsyslog.d/*.conf + + global( + DefaultNetstreamDriver="gtls" + DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/rootCA.pem" + DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/fullchain.pem" + DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/server.key" + ) + + module( + load="imtcp" + StreamDriver.Name="gtls" + StreamDriver.Mode="1" + StreamDriver.Authmode="anon" + ) + + input( + type="imtcp" + port="" + ruleset="write_to_file" + ) + + input( + type="imfile" + File="/var/log/rsyslog_logs/beyondtrust_pra.log" + readTimeout="30" + startmsg.regex="(<[0-9]+>)?[A-Za-z]{3}[[:space:]]+[0-9]{1,2}[[:space:]]+[0-9]{2}:[0-9]{2}:[0-9]{2}[[:space:]]+[^[:space:]]+[[:space:]]+[A-Z]+\\[[0-9]+\\][[:space:]]+[0-9]+:01.*" + ruleset="forward_merged" + Tag="agg:" + Facility="local0" + ) + + ruleset(name="write_to_file") { + action( + type="omfile" + file="/var/log/rsyslog_logs/beyondtrust_pra.log" + createDirs="on" + rotation.sizeLimit="50000000" # 50 MB + rotation.sizeLimitCommand="/etc/rsyslog.d/scripts/file_rotate.sh" + ) + } + + template(name="log_message" type="string" string="%msg%\n") + ruleset(name="forward_merged") { + action(type="omfwd" target="" port="" protocol="tcp" template="log_message") + } + ``` +3. Restart the rsyslog server + ```shell + sudo systemctl restart rsyslog + ``` + +#### Log Collection +1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the `datadog.yaml` file with: + + ```yaml + logs_enabled: true + ``` + +2. 
Add this configuration block to your `beyondtrust_privileged_remote_access.d/conf.yaml` file to start collecting your BeyondTrust Privileged Remote Access logs: + + ```yaml + logs: + - type: tcp + port: + source: beyondtrust-privileged-remote-access + service: beyondtrust-privileged-remote-access + log_processing_rules: + - type: include_at_match + name: include_pra_logs + pattern: 'BG' + - type: mask_sequences + name: remove_subsequent_segment_headers + replace_placeholder: "" + pattern: '\\n(<\d+>)?\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\w+\s+[A-Z]+\[\d+\]\s+\d+:([0-9])?[2-9]+:\d+:' + ``` + See the sample configuration file ([beyondtrust_privileged_remote_access.d/conf.yaml][5]) for available options. + + **Note**: Do not change the `source` and `service` values, as these parameters are integral to the pipeline's operation. + +3. [Restart the Agent][2]. + +### Configure syslog message forwarding from BeyondTrust Privileged Remote Access +1. Sign in to the [**BeyondTrust B Series Appliance**][6]. +2. From the top navigation menu, go to **Security > Appliance Administration**. +3. Enter the following details for the syslog configuration: + - **Remote Syslog Server:** Enter the IP address or hostname of the rsyslog server. + - **Message Format:** Select **Syslog over TLS (RFC 5425)**. + - **Port:** Specify the port number on which the rsyslog server is listening. + - **Trusted Certificate:** Upload the `rootCA.pem` certificate, which is used to secure the TLS connection to the rsyslog server. +4. Click **Submit**. + +### Validation + +[Run the Agent's status subcommand][4] and look for `beyondtrust-privileged-remote-access` under the Logs Agent section. 
+ +## Data Collected + +### Logs + +The BeyondTrust Privileged Remote Access integration collects `Authentication & Authorization`, `User & Account Management`, `Group & Policy Management`, `Jumpoint & Remote Access Management`, `Network Configuration`, `Cryptography & Secrets Protection`, `Reporting & Compliance Evidence`, and `API & Integration Management` logs. + +### Metrics + +The BeyondTrust Privileged Remote Access does not include any metrics. + +### Events + +The BeyondTrust Privileged Remote Access integration does not include any events. + +## Troubleshooting + +Need help? Contact [Datadog support][1]. + +[1]: https://docs.datadoghq.com/help/ +[2]: https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent +[3]: https://www.beyondtrust.com/products/privileged-remote-access +[4]: https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information +[5]: https://github.com/DataDog/integrations-core/blob/master/beyondtrust_privileged_remote_access/datadog_checks/beyondtrust_privileged_remote_access/data/conf.yaml.example +[6]: https://app.beyondtrust.io/pra/login/appliance diff --git a/beyondtrust_privileged_remote_access/assets/beyondtrust_privileged_remote_access.svg b/beyondtrust_privileged_remote_access/assets/beyondtrust_privileged_remote_access.svg new file mode 100644 index 0000000000000..eb229220d8a57 --- /dev/null +++ b/beyondtrust_privileged_remote_access/assets/beyondtrust_privileged_remote_access.svg @@ -0,0 +1,201 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
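Review bot: `sudo chmod 777 /etc/rsyslog.d/scripts` in the "Set Ownership and Permissions for Scripts" step makes the directory world-writable, and because that directory holds the script rsyslog runs as `rotation.sizeLimitCommand`, any local account could unlink and replace `file_rotate.sh` with its own content (the 500 mode on the file itself does not prevent that in a 777 directory without the sticky bit); `sudo chmod 750 /etc/rsyslog.d/scripts` is enough given the `syslog:syslog` ownership set on the line before it. Separately, `StreamDriver.Authmode="anon"` in the `imtcp` module block accepts a TLS session from any client that can reach the listener, so nothing on the rsyslog side authenticates the appliance and the only barrier to injected or spoofed log lines is network reachability; a sentence stating this, and, where the appliance can present a client certificate, pointing operators at rsyslog's `x509/name` auth mode with `PermittedPeer`, would make the trade-off explicit. The placeholder names in "Replace the ``, ``, and `` with actual values" and in `port=""` / `target="" port=""` render as empty strings here; if that is not an artifact of how this page was captured, the angle-bracket placeholders need escaping in the Markdown so readers can see which values to substitute.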
diff --git a/beyondtrust_privileged_remote_access/assets/configuration/spec.yaml b/beyondtrust_privileged_remote_access/assets/configuration/spec.yaml
new file mode 100644
index 0000000000000..dfb98727bb3eb
--- /dev/null
+++ b/beyondtrust_privileged_remote_access/assets/configuration/spec.yaml
@@ -0,0 +1,18 @@
+name: beyondtrust_privileged_remote_access
+files:
+- name: beyondtrust_privileged_remote_access.yaml
+ options:
+ - template: logs
+ example:
+ - type: tcp
+ port:
+ source: beyondtrust-privileged-remote-access
+ service: beyondtrust-privileged-remote-access
+ log_processing_rules:
+ - type: include_at_match
+ name: include_pra_logs
+ pattern: 'BG'
+ - type: mask_sequences
+ name: remove_subsequent_segment_headers
+ replace_placeholder: ""
+ pattern: '\\n(<\d+>)?\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\w+\s+[A-Z]+\[\d+\]\s+\d+:([0-9])?[2-9]+:\d+:'
diff --git a/beyondtrust_privileged_remote_access/assets/dashboards/beyondtrust_pra_authentication_and_access_management.json b/beyondtrust_privileged_remote_access/assets/dashboards/beyondtrust_pra_authentication_and_access_management.json
new file mode 100644
index 0000000000000..5c0f37e1796b4
--- /dev/null
+++ b/beyondtrust_privileged_remote_access/assets/dashboards/beyondtrust_pra_authentication_and_access_management.json
@@ -0,0 +1,3922 @@ +{ + "title": "BeyondTrust PRA Authentication and Access Management", + "description": "This dashboard provides comprehensive insights into authentication successes/failures, user identity modifications, admin resets, and credential enrollment/removal events. It's designed to help security teams identify risky access patterns, account misuse, and compromised credentials.", + "widgets": [ + { + "id": 338984076648447, + "definition": { + "type": "image", + "url": "https://assets.beyondtrust.com/assets/images/products/icons/pra-icon.svg", + "url_dark_theme": "https://assets.beyondtrust.com/assets/images/products/icons/pra-icon.svg", + "sizing": "contain", + "margin": "md", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 2063743201609514, + "definition": { + "type": "note", + "content": "This dashboard provides comprehensive insights into authentication successes/failures, user identity modifications, admin resets, and credential enrollment/removal events. 
It's designed to help security teams identify risky access patterns, account misuse, and compromised credentials.\n\nFor more information, see the [BeyondTrust Privileged Remote Access Integration Documentation](https://docs.datadoghq.com/integrations/beyondtrust_privileged_remote_access/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "white", + "font_size": "16", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 4337951712908630, + "definition": { + "title": "Overview", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 3567205875777283, + "definition": { + "type": "note", + "content": "A quick summary of login attempts, password changes, admin resets, and credential additions/removals. 
Helps security teams spot risky access, account misuse, and compromised credentials.", + "background_color": "orange", + "font_size": "14", + "text_align": "center", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 115677551160526, + "definition": { + "title": "Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:(identity-access OR authorization-and-policy-control OR cryptography-and-secrets-protection) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 3, + "height": 3 + } + }, + { + "id": 7733185911435276, + "definition": { + "title": "Events over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:(identity-access OR authorization-and-policy-control OR cryptography-and-secrets-protection) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": { + 
"limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 1, + "width": 9, + "height": 3 + } + }, + { + "id": 1986483896586857, + "definition": { + "title": "Top event types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:(identity-access OR authorization-and-policy-control OR cryptography-and-secrets-protection) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 2037782509083121, + "definition": { + "title": "Top users", + "title_size": "16", + "title_align": "left", + "type": "bar_chart", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:(identity-access OR 
authorization-and-policy-control OR cryptography-and-secrets-protection) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@usr.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ] + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 4003363110110147, + "definition": { + "title": "Geo-distribution of source IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:(identity-access OR authorization-and-policy-control OR cryptography-and-secrets-protection) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + 
"height": 5 + } + }, + { + "id": 3774596723072455, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:beyondtrust-privileged-remote-access service:(identity-access OR authorization-and-policy-control OR cryptography-and-secrets-protection) $event_name $user_name $source_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 13, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 18 + } + }, + { + "id": 737696249000492, + "definition": { + "title": "Identity Access Insights", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7001402716373414, + "definition": { + "type": "note", + "content": "A quick view of login and credential activities. 
It shows login attempts and failures, password and username changes, admin factory resets, FIDO2 credential activities, who performed the actions, trends over time, and detailed logs for deeper review.", + "background_color": "orange", + "font_size": "14", + "text_align": "center", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 4263946066032225, + "definition": { + "title": "Login activities", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:identity-access @evt.name:login $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 3, + "height": 3 + } + }, + { + "id": 8777686232809885, + "definition": { + "title": "Login activities over time by status", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:identity-access @evt.name:login $user_name $source_ip $event_name" + }, + "indexes": [ + "*" 
+ ], + "group_by": { + "fields": [ + "@status" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 1, + "width": 9, + "height": 3 + } + }, + { + "id": 1652235475159166, + "definition": { + "title": "Top login failure reasons", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:identity-access @evt.name:login @status:failure $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@reason" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 3, + "height": 3 + } + }, + { + "id": 1113261892768238, + "definition": { + "title": "Top login targets", + "title_size": "16", + "title_align": "left", + "type": "bar_chart", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:identity-access @evt.name:login $user_name 
$source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@target" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "style": { + "display": { + "type": "stacked" + } + } + }, + "layout": { + "x": 3, + "y": 4, + "width": 6, + "height": 3 + } + }, + { + "id": 343298034538309, + "definition": { + "title": "Top users with failed login attempts", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:identity-access @evt.name:login @status:failure $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@usr.name" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 4, + "width": 3, + "height": 3 + } + }, + { + "id": 3140476544950775, + "definition": { + 
"title": "Top IPs with failed login attempts", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:identity-access @evt.name:login @status:failure $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.client.ip" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 3, + "height": 3 + } + }, + { + "id": 103330969557391, + "definition": { + "title": "Password changes", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:identity-access @evt.name:change_password $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 3, + "y": 7, + 
"width": 3, + "height": 3 + } + }, + { + "id": 4833710174207472, + "definition": { + "title": "Credential change over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:identity-access @evt.name:(change_password OR change_username) $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@evt.name" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "orange", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 3 + } + }, + { + "id": 1069716233029957, + "definition": { + "title": "Top users by credential change", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:identity-access @evt.name:(change_password OR change_username) $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@usr.name", + "@evt.name" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": 
"white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 10, + "width": 3, + "height": 3 + } + }, + { + "id": 3931705206161214, + "definition": { + "title": "Credential change details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:beyondtrust-privileged-remote-access service:identity-access @evt.name:(change_password OR change_username) $user_name $source_ip $event_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 3, + "y": 10, + "width": 9, + "height": 3 + } + }, + { + "id": 6316585434284052, + "definition": { + "title": "Total factory password reset", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:identity-access @evt.name:admin_password_reset_to_factory_default $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 
2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 13, + "width": 3, + "height": 3 + } + }, + { + "id": 4041017702637496, + "definition": { + "title": "Factory password reset over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:identity-access @evt.name:admin_password_reset_to_factory_default $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "orange", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 13, + "width": 9, + "height": 3 + } + }, + { + "id": 8223200741481249, + "definition": { + "title": "Factory reset details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:beyondtrust-privileged-remote-access service:identity-access @evt.name:admin_password_reset_to_factory_default $user_name $source_ip $event_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 16, + "width": 12, + "height": 3 + } + }, + { + "id": 
4938183861521697, + "definition": { + "title": "FIDO2 credential management activities", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:identity-access @evt.name:(fido2_credential_added OR fido2_credential_changed OR fido2_credential_removed) $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 19, + "width": 3, + "height": 3 + } + }, + { + "id": 8980816201428736, + "definition": { + "title": "FIDO2 credentials activities over time by type", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:identity-access @evt.name:(fido2_credential_added OR fido2_credential_changed OR fido2_credential_removed) $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@evt.name" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "orange", + 
"order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 19, + "width": 9, + "height": 3 + } + }, + { + "id": 4679254533572715, + "definition": { + "title": "FIDO2 roaming vs non-roaming credentials", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:identity-access @evt.name:fido2_credential_added $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@roaming_value" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 22, + "width": 6, + "height": 3 + } + }, + { + "id": 5283605013551378, + "definition": { + "title": "FIDO2 credential activities by type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:identity-access @evt.name:(fido2_credential_added OR fido2_credential_changed OR fido2_credential_removed) $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@evt.name" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, 
+ "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 22, + "width": 6, + "height": 3 + } + }, + { + "id": 2475429021281773, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:beyondtrust-privileged-remote-access service:identity-access $user_name $source_ip $event_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 25, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 21, + "width": 12, + "height": 30 + } + }, + { + "id": 6078865748409043, + "definition": { + "title": "Authorization & Policy Control", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1989244975014561, + "definition": { + "type": "note", + "content": "A quick view of group and session policy activities. 
It shows when policies are added, changed, or removed, membership changes, top users and security providers involved, session policy assignments, privacy settings, trends over time, and detailed logs for complete visibility.", + "background_color": "orange", + "font_size": "14", + "text_align": "center", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 4270935987270568, + "definition": { + "title": "Group policy activities", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:authorization-and-policy-control @evt.name:(group_policy_added OR group_policy_changed OR group_policy_removed) $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 3, + "height": 3 + } + }, + { + "id": 3276357101660657, + "definition": { + "title": "Group policy activities over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": 
"source:beyondtrust-privileged-remote-access service:authorization-and-policy-control @evt.name:(group_policy_added OR group_policy_changed OR group_policy_removed) $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@evt.name" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 1, + "width": 9, + "height": 3 + } + }, + { + "id": 2429920694682801, + "definition": { + "title": "Group policy added priority distribution", + "title_size": "16", + "title_align": "left", + "type": "bar_chart", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:authorization-and-policy-control @evt.name:group_policy_added $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@priority" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ] + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 3 + } + }, + { + "id": 6322871190825667, + "definition": { + "title": "Top users by policy activities", + 
"title_size": "16", + "title_align": "left", + "type": "bar_chart", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:authorization-and-policy-control @evt.name:(group_policy_added OR group_policy_changed) $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@usr.name" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ] + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 3 + } + }, + { + "id": 7287688371922205, + "definition": { + "title": "Group policy add & remove events", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:beyondtrust-privileged-remote-access service:authorization-and-policy-control @evt.name:(group_policy_added OR group_policy_removed) $user_name $source_ip $event_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "account_status_value", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 7, 
+ "width": 12, + "height": 3 + } + }, + { + "id": 1037869680986845, + "definition": { + "title": "Group policy membership changes over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:authorization-and-policy-control @evt.name:(group_policy_member_added OR group_policy_member_removed) $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@evt.name" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "orange", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 10, + "width": 7, + "height": 3 + } + }, + { + "id": 7433007336246250, + "definition": { + "title": "Members added vs removed distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:authorization-and-policy-control @evt.name:(group_policy_member_added OR group_policy_member_removed) $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@evt.name" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + 
"formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "inline" + } + }, + "layout": { + "x": 7, + "y": 10, + "width": 5, + "height": 3 + } + }, + { + "id": 1031208291436452, + "definition": { + "title": "Session policy lifecycle timeline", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:authorization-and-policy-control @evt.name:(session_policy_added OR session_policy_changed OR session_policy_removed) $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@evt.name" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "orange", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 13, + "width": 7, + "height": 3 + } + }, + { + "id": 1929817558794874, + "definition": { + "title": "Session policy privacy screen enabled vs disabled", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:authorization-and-policy-control @evt.name:(session_policy_added OR session_policy_removed) $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + 
"fields": [ + "@automatic_privacy_screen_value" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "inline" + } + }, + "layout": { + "x": 7, + "y": 13, + "width": 5, + "height": 3 + } + }, + { + "id": 1297393291181040, + "definition": { + "title": "Session policy actions distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:authorization-and-policy-control @evt.name:(session_policy_added OR session_policy_changed OR session_policy_removed) $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@evt.name" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "inline" + } + }, + "layout": { + "x": 0, + "y": 16, + "width": 3, + "height": 3 + } + }, + { + "id": 6373109040532374, + "definition": { + "title": "Session policy event details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": 
"source:beyondtrust-privileged-remote-access service:authorization-and-policy-control @evt.name:(session_policy_added OR session_policy_changed OR session_policy_removed) $user_name $source_ip $event_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 3, + "y": 16, + "width": 9, + "height": 3 + } + }, + { + "id": 2316469746045820, + "definition": { + "title": "Total user session policies added", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:authorization-and-policy-control @evt.name:user_session_policy_added $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 19, + "width": 3, + "height": 3 + } + }, + { + "id": 514270093633734, + "definition": { + "title": "Total user session policies removed", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:authorization-and-policy-control 
@evt.name:user_session_policy_removed $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 3, + "y": 19, + "width": 3, + "height": 3 + } + }, + { + "id": 3420220925843535, + "definition": { + "title": "User session policy activities over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:authorization-and-policy-control @evt.name:(user_session_policy_added OR user_session_policy_removed) $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@evt.name" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "orange", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 19, + "width": 6, + "height": 3 + } + }, + { + "id": 7555460804157262, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": 
"source:beyondtrust-privileged-remote-access service:authorization-and-policy-control $user_name $source_ip $event_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 22, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 51, + "width": 12, + "height": 27, + "is_column_break": true + } + }, + { + "id": 6872225341056865, + "definition": { + "title": "Cryptography & Secrets Protection", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2286291957859730, + "definition": { + "type": "note", + "content": "A quick view of certificate, keytab, and vault activities. 
It shows certificate exports, kerberos keytab additions/removals, vault password rotations, who performed these actions, trends over time, success/failure details, and full logs for complete audit and review.", + "background_color": "orange", + "font_size": "14", + "text_align": "center", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 4917901549889077, + "definition": { + "title": "Certificate exports", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:cryptography-and-secrets-protection @evt.name:certificate_export $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 3, + "height": 3 + } + }, + { + "id": 6295938209527803, + "definition": { + "title": "Certificate exports over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:cryptography-and-secrets-protection 
@evt.name:certificate_export $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "orange", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 1, + "width": 9, + "height": 3 + } + }, + { + "id": 4899406174357852, + "definition": { + "title": "Private key export included vs excluded", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:cryptography-and-secrets-protection @evt.name:certificate_export $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@exported_with_private_key_value" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 9, + "height": 3 + } + }, + { + "id": 8403721659377017, + "definition": { + "title": "Top users with certificates export", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:cryptography-and-secrets-protection @evt.name:certificate_export $user_name $source_ip $event_name" + }, + "indexes": [ + "*" 
+ ], + "group_by": { + "fields": [ + "@usr.name" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 4, + "width": 3, + "height": 3 + } + }, + { + "id": 6325792785390922, + "definition": { + "title": "Total kerberos keytab added", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:cryptography-and-secrets-protection @evt.name:kerberos_keytab_added $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 3, + "height": 3 + } + }, + { + "id": 8105374493189534, + "definition": { + "title": "Total kerberos keytab removed", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": 
"source:beyondtrust-privileged-remote-access service:cryptography-and-secrets-protection @evt.name:kerberos_keytab_removed $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 3, + "y": 7, + "width": 3, + "height": 3 + } + }, + { + "id": 1005520441134464, + "definition": { + "title": "Kerberos keytab changes over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:cryptography-and-secrets-protection @evt.name:(kerberos_keytab_added OR kerberos_keytab_removed) $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@evt.name" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "orange", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 3 + } + }, + { + "id": 2127012295377883, + "definition": { + "title": "Top kerberos principals affected", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + 
"data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:cryptography-and-secrets-protection @evt.name:(kerberos_keytab_added OR kerberos_keytab_removed) $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@principal", + "@evt.name" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 10, + "width": 3, + "height": 3 + } + }, + { + "id": 3602001996344709, + "definition": { + "title": "Top keytab additions by encryption type", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:cryptography-and-secrets-protection @evt.name:kerberos_keytab_added $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@enctype" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + 
"order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 10, + "width": 3, + "height": 3 + } + }, + { + "id": 6554189351815680, + "definition": { + "title": "Keytab version numbers", + "title_size": "16", + "title_align": "left", + "type": "bar_chart", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:cryptography-and-secrets-protection @evt.name:kerberos_keytab_added $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@vno" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ] + } + ], + "style": { + "display": { + "type": "stacked" + } + } + }, + "layout": { + "x": 6, + "y": 10, + "width": 6, + "height": 3 + } + }, + { + "id": 7055583339275705, + "definition": { + "title": "Top principals affected by kerberos removal", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:cryptography-and-secrets-protection @evt.name:kerberos_keytab_removed $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@principal" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + 
"compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 13, + "width": 3, + "height": 3 + } + }, + { + "id": 5804030319034416, + "definition": { + "title": "Vault password rotation", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:cryptography-and-secrets-protection @evt.name:vault_account_password_rotation $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 3, + "y": 13, + "width": 3, + "height": 3 + } + }, + { + "id": 206205172450806, + "definition": { + "title": "Vault password rotation over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access 
service:cryptography-and-secrets-protection @evt.name:vault_account_password_rotation $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@status" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "orange", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 13, + "width": 6, + "height": 3 + } + }, + { + "id": 7709470855058288, + "definition": { + "title": "Rotation success vs failure distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:cryptography-and-secrets-protection @evt.name:vault_account_password_rotation $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@status" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 16, + "width": 6, + "height": 3 + } + }, + { + "id": 1055296874114486, + "definition": { + "title": "Top rotation failure reasons", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": 
"source:beyondtrust-privileged-remote-access service:cryptography-and-secrets-protection @evt.name:vault_account_password_rotation @status:failure $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@reason" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 16, + "width": 6, + "height": 3 + } + }, + { + "id": 7613651748231934, + "definition": { + "title": "Top rotated vault accounts", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:cryptography-and-secrets-protection @evt.name:vault_account_password_rotation $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@account" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + 
"type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 19, + "width": 3, + "height": 3 + } + }, + { + "id": 5953627590041989, + "definition": { + "title": "Vault rotation audit details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:cryptography-and-secrets-protection @evt.name:vault_account_password_rotation $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@account", + "@status", + "@usr.name" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "number", + "alias": "Vault Rotation", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 3, + "y": 19, + "width": 9, + "height": 3 + } + }, + { + "id": 6112075859609600, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:beyondtrust-privileged-remote-access service:cryptography-and-secrets-protection @evt.name:(certificate_export OR kerberos_keytab_added OR kerberos_keytab_removed OR vault_account_password_rotation) $user_name $source_ip $event_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "content", + 
"width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 22, + "width": 12, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 78, + "width": 12, + "height": 26 + } + } + ], + "template_variables": [ + { + "name": "user_name", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + }, + { + "name": "source_ip", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "event_name", + "prefix": "@evt.name", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/beyondtrust_privileged_remote_access/assets/dashboards/beyondtrust_pra_identity_and_user_activity.json b/beyondtrust_privileged_remote_access/assets/dashboards/beyondtrust_pra_identity_and_user_activity.json new file mode 100644 index 0000000000000..a546e98473523 --- /dev/null +++ b/beyondtrust_privileged_remote_access/assets/dashboards/beyondtrust_pra_identity_and_user_activity.json 
@@ -0,0 +1,3841 @@ +{ + "title": "BeyondTrust PRA Identity and User Activity", + "description": "This dashboard provides comprehensive insights into how users access and interact with privileged systems. It highlights account changes, access configuration updates, and reporting actions to help security teams spot unusual behavior.", + "widgets": [ + { + "id": 4197336308169122, + "definition": { + "type": "image", + "url": "https://assets.beyondtrust.com/assets/images/products/icons/pra-icon.svg", + "url_dark_theme": "https://assets.beyondtrust.com/assets/images/products/icons/pra-icon.svg", + "sizing": "contain", + "margin": "md", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 120141214903234, + "definition": { + "type": "note", + "content": "This dashboard provides comprehensive insights into how users access and interact with privileged systems. 
It highlights account changes, access configuration updates, and reporting actions to help security teams spot unusual behavior.\n\nFor more information, see the [BeyondTrust Privileged Remote Access Integration Documentation](https://docs.datadoghq.com/integrations/beyondtrust_privileged_remote_access/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "white", + "font_size": "16", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 8511518354918869, + "definition": { + "title": "Overview", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 3070928350460049, + "definition": { + "type": "note", + "content": "Provides consolidated visibility into privileged access configuration changes, user lifecycle management, and compliance evidence generation within BeyondTrust PRA.", + "background_color": "orange", + "font_size": "14", + "text_align": "center", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 3905947184092254, + "definition": { + "title": "Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:(jumpoint-and-remote-access-management OR user-management OR reporting-and-compliance-evidence) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": 
[], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 3, + "height": 3 + } + }, + { + "id": 6169767325443795, + "definition": { + "title": "Events over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:(jumpoint-and-remote-access-management OR user-management OR reporting-and-compliance-evidence) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 1, + "width": 9, + "height": 3 + } + }, + { + "id": 6280056561802903, + "definition": { + "title": "Top event types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:(jumpoint-and-remote-access-management OR user-management OR 
reporting-and-compliance-evidence) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 2438753668691057, + "definition": { + "title": "Top users", + "title_size": "16", + "title_align": "left", + "type": "bar_chart", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:(jumpoint-and-remote-access-management OR user-management OR reporting-and-compliance-evidence) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@usr.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ] + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 
4 + } + }, + { + "id": 8550560496760310, + "definition": { + "title": "Geo-distribution of source IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:(jumpoint-and-remote-access-management OR user-management OR reporting-and-compliance-evidence) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 5 + } + }, + { + "id": 8751669432702796, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:beyondtrust-privileged-remote-access service:(jumpoint-and-remote-access-management OR user-management OR reporting-and-compliance-evidence) $usr_name $source_ip $event_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 13, + "width": 12, 
+ "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 18 + } + }, + { + "id": 4610091988312752, + "definition": { + "title": "Jumpoint & Remote Access Management", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8213970726888340, + "definition": { + "type": "note", + "content": "A centralized view of remote access configuration changes. It shows how often jumpoints, tunnel jump items, and remote access objects are added, changed, or removed, who made the changes, which systems and IPs are involved, and detailed logs.", + "background_color": "orange", + "font_size": "14", + "text_align": "center", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 3852048470658640, + "definition": { + "title": "Jumpoint Cluster Activities", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(jumpoint_cluster_added OR jumpoint_cluster_changed OR jumpoint_cluster_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 3, + "height": 3 + } + }, + { + "id": 5295896617208697, + "definition": { + "title": 
"Activities over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(jumpoint_cluster_added OR jumpoint_cluster_changed OR jumpoint_cluster_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 1, + "width": 9, + "height": 3 + } + }, + { + "id": 2591235048376703, + "definition": { + "title": "Top users by cluster activities", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(jumpoint_cluster_added OR jumpoint_cluster_changed OR jumpoint_cluster_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@usr.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + 
"value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 6049057125659530, + "definition": { + "title": "Top IPs by cluster activities", + "title_size": "16", + "title_align": "left", + "type": "bar_chart", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(jumpoint_cluster_added OR jumpoint_cluster_changed OR jumpoint_cluster_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@network.client.ip" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ] + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 3568373129874596, + "definition": { + "title": "Top activities by code names", + "title_size": "16", + "title_align": "left", + "type": "bar_chart", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management 
@evt.name:(jumpoint_cluster_added OR jumpoint_cluster_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@code_name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ] + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 2509512864717251, + "definition": { + "title": "Distribution of activities by event type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(jumpoint_cluster_added OR jumpoint_cluster_changed OR jumpoint_cluster_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 6, + "height": 3 + } + }, + { 
+ "id": 395098697408999, + "definition": { + "title": "Allowed shell jump activities", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(jumpoint_cluster_added OR jumpoint_cluster_removed) @shelljump:1 $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 6, + "y": 8, + "width": 3, + "height": 3 + } + }, + { + "id": 998226152371147, + "definition": { + "title": "Blocked shell jump activities", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(jumpoint_cluster_added OR jumpoint_cluster_removed) @shelljump:0 $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 9, + "y": 8, + "width": 3, + "height": 3 + } + }, + { + 
"id": 6640707328038435, + "definition": { + "title": "Distribution of activities by allowed protocol tunnel jump", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(jumpoint_cluster_added OR jumpoint_cluster_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@network_tunnel_value" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 5, + "height": 4 + } + }, + { + "id": 3427687701889976, + "definition": { + "title": "Top platforms by jumpoint cluster", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(jumpoint_cluster_added OR jumpoint_cluster_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@platform" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": 
"white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 5, + "y": 11, + "width": 3, + "height": 4 + } + }, + { + "id": 6006737001775032, + "definition": { + "title": "Distribution of activities by status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(jumpoint_cluster_added OR jumpoint_cluster_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@jumpoint_status_value" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "inline" + } + }, + "layout": { + "x": 8, + "y": 11, + "width": 4, + "height": 4 + } + }, + { + "id": 4475973515614711, + "definition": { + "title": "Jumpoint cluster changes", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:jumpoint_cluster_changed $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + 
"compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 15, + "width": 3, + "height": 3 + } + }, + { + "id": 6808891644278630, + "definition": { + "title": "Jumpoint cluster changes over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:jumpoint_cluster_changed $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 15, + "width": 9, + "height": 3 + } + }, + { + "id": 8207288854077247, + "definition": { + "title": "Jumpoint cluster change details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:jumpoint_cluster_changed $usr_name $source_ip 
$event_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 18, + "width": 12, + "height": 3 + } + }, + { + "id": 3723014145402756, + "definition": { + "title": "Jumpoint user management activities", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(jumpoint_user_added OR jumpoint_user_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 21, + "width": 3, + "height": 3 + } + }, + { + "id": 2328462711502853, + "definition": { + "title": "Jumpoint user management activities over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access 
service:jumpoint-and-remote-access-management @evt.name:(jumpoint_user_added OR jumpoint_user_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 21, + "width": 9, + "height": 3 + } + }, + { + "id": 5491734779987515, + "definition": { + "title": "Top users by jumpoint user management activities", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(jumpoint_user_added OR jumpoint_user_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@usr.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 24, + "width": 6, + "height": 3 + } + }, + { + "id": 6009554571941356, + "definition": { + "title": "Distribution of jumpoint user management activities", + 
"title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(jumpoint_user_added OR jumpoint_user_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 24, + "width": 6, + "height": 3 + } + }, + { + "id": 7435286005133661, + "definition": { + "title": "Jumpoint user management activity details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(jumpoint_user_added OR jumpoint_user_removed) $usr_name $source_ip $event_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 27, + "width": 12, + "height": 3 + } + }, + { + "id": 7720216974669546, + "definition": { + "title": "Network tunnel jump activities", + "title_size": 
"16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(network_tunnel_jump_item_added OR network_tunnel_jump_item_changed OR network_tunnel_jump_item_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 30, + "width": 3, + "height": 3 + } + }, + { + "id": 1455293761868098, + "definition": { + "title": "Network tunnel jump activities over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(network_tunnel_jump_item_added OR network_tunnel_jump_item_changed OR network_tunnel_jump_item_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": 
"values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 30, + "width": 9, + "height": 3 + } + }, + { + "id": 3602880104015510, + "definition": { + "title": "Top users by network tunnel jump activities", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(network_tunnel_jump_item_added OR network_tunnel_jump_item_changed OR network_tunnel_jump_item_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@usr.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 33, + "width": 3, + "height": 3 + } + }, + { + "id": 3082564291625059, + "definition": { + "title": "Top IPs by network tunnel jump activities", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(network_tunnel_jump_item_added OR network_tunnel_jump_item_changed OR network_tunnel_jump_item_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" 
+ ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@network.client.ip" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 33, + "width": 3, + "height": 3 + } + }, + { + "id": 8237457636672957, + "definition": { + "title": "Distribution of network tunnel jump activities by event type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(network_tunnel_jump_item_added OR network_tunnel_jump_item_changed OR network_tunnel_jump_item_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 33, + "width": 6, + "height": 3 + } + }, + { + "id": 5298057534721305, + "definition": { + "title": "Network tunnel jump items by 
computer name", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(network_tunnel_jump_item_added OR network_tunnel_jump_item_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@computer_name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 36, + "width": 4, + "height": 3 + } + }, + { + "id": 1621705595303865, + "definition": { + "title": "Network tunnel jump item log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(network_tunnel_jump_item_added OR network_tunnel_jump_item_removed) $usr_name $source_ip $event_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { 
+ "x": 4, + "y": 36, + "width": 8, + "height": 3 + } + }, + { + "id": 1982374807112513, + "definition": { + "title": "Remote RFB jump item management activities", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(remote_rfb_jump_item_added OR remote_rfb_jump_item_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 39, + "width": 3, + "height": 3 + } + }, + { + "id": 5137427702146372, + "definition": { + "title": "Remote RFB jump item management activities over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(remote_rfb_jump_item_added OR remote_rfb_jump_item_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } 
+ ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 39, + "width": 9, + "height": 3 + } + }, + { + "id": 6187175995946041, + "definition": { + "title": "Top users by remote RFB jump item management activities", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(remote_rfb_jump_item_added OR remote_rfb_jump_item_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@usr.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 42, + "width": 4, + "height": 3 + } + }, + { + "id": 3600314146237484, + "definition": { + "title": "Top IPs by remote RFB jump item management activities", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(remote_rfb_jump_item_added OR remote_rfb_jump_item_removed) $usr_name $source_ip 
$event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@network.client.ip" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 42, + "width": 4, + "height": 3 + } + }, + { + "id": 1239852452956384, + "definition": { + "title": "Remote RFB jump items by computer name", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(remote_rfb_jump_item_added OR remote_rfb_jump_item_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@computer_name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 42, + "width": 4, + "height": 
3 + } + }, + { + "id": 4336358093886049, + "definition": { + "title": "Remote RFB jump items By tag", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(remote_rfb_jump_item_added OR remote_rfb_jump_item_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@tag" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 45, + "width": 6, + "height": 3 + } + }, + { + "id": 5294123429549894, + "definition": { + "title": "Distribution of remote RFB jump item activities by event type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management @evt.name:(remote_rfb_jump_item_added OR remote_rfb_jump_item_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + 
"response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 45, + "width": 6, + "height": 3 + } + }, + { + "id": 2311907491171333, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:beyondtrust-privileged-remote-access service:jumpoint-and-remote-access-management $usr_name $source_ip $event_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 48, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 21, + "width": 12, + "height": 53 + } + }, + { + "id": 7909478939930072, + "definition": { + "title": "User Management", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5675286046627963, + "definition": { + "type": "note", + "content": "A consolidated view of user lifecycle and account-related activity. 
It displays how frequently users and vendor accounts are added, modified, or removed, who performed these actions, associated source IPs, and detailed logs.", + "background_color": "orange", + "font_size": "14", + "text_align": "center", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 2762808591976488, + "definition": { + "title": "User activities", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:user-management $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 3, + "height": 3 + } + }, + { + "id": 250563022691421, + "definition": { + "title": "User activities over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:user-management $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": 
"count", + "order": "desc" + }, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 1, + "width": 9, + "height": 3 + } + }, + { + "id": 2649414706968208, + "definition": { + "title": "Top user activities", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:user-management $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 100, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@usr.name", + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 3, + "height": 4 + } + }, + { + "id": 917988918903957, + "definition": { + "title": "Distribution of user activities by event type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:user-management $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": 
"count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 3, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 6316986107980382, + "definition": { + "title": "Top user activities by IP", + "title_size": "16", + "title_align": "left", + "type": "bar_chart", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:user-management $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 100, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@network.client.ip", + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ] + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 4, + "width": 3, + "height": 4 + } + }, + { + "id": 5474134334015688, + "definition": { + "title": "Pending user activities", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", 
+ "search": { + "query": "source:beyondtrust-privileged-remote-access service:user-management @evt.name:(pending_user_added OR pending_user_changed OR pending_user_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 3, + "height": 3 + } + }, + { + "id": 7266224336361678, + "definition": { + "title": "Pending user activities over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:user-management @evt.name:(pending_user_added OR pending_user_changed OR pending_user_removed) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 8, + "width": 9, + "height": 3 + } + }, + { + "id": 3450152796478313, + "definition": { + "title": "Pending vendor user activities", + "title_size": "16", + 
"title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:user-management @evt.name:(pending_vendor_user_added OR pending_vendor_user_deleted) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 3, + "height": 3 + } + }, + { + "id": 5685553289587102, + "definition": { + "title": "Pending vendor user activities over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:user-management @evt.name:(pending_vendor_user_added OR pending_vendor_user_deleted) $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 11, + "width": 9, 
+ "height": 3 + } + }, + { + "id": 1553455771138856, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:beyondtrust-privileged-remote-access service:user-management $usr_name $source_ip $event_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 14, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 74, + "width": 12, + "height": 19, + "is_column_break": true + } + }, + { + "id": 6752523946125238, + "definition": { + "title": "Reporting & Compliance Evidence", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5223892639858146, + "definition": { + "type": "note", + "content": "A consolidated summary of reporting and evidence-related activity. 
It shows when audit reports, session records, backups, and erasure actions are generated, who initiated them, and detailed logs.", + "background_color": "orange", + "font_size": "14", + "text_align": "center", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 797068877441289, + "definition": { + "title": "Report generated", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:reporting-and-compliance-evidence $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 3, + "height": 3 + } + }, + { + "id": 7745136398150393, + "definition": { + "title": "Report generation over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:reporting-and-compliance-evidence $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + 
"metric": "count", + "order": "desc" + }, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 1, + "width": 9, + "height": 3 + } + }, + { + "id": 560660490109582, + "definition": { + "title": "Top users by report generated", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:reporting-and-compliance-evidence $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@usr.name", + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 2874093877096437, + "definition": { + "title": "Distribution of report generated by type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:reporting-and-compliance-evidence $usr_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { 
+ "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 4748956715574704, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:beyondtrust-privileged-remote-access service:reporting-and-compliance-evidence $usr_name $source_ip $event_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 93, + "width": 12, + "height": 13 + } + } + ], + "template_variables": [ + { + "name": "usr_name", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + }, + { + "name": "source_ip", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "event_name", + "prefix": "@evt.name", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file 
diff --git a/beyondtrust_privileged_remote_access/assets/dashboards/beyondtrust_pra_network_and_platform_security.json b/beyondtrust_privileged_remote_access/assets/dashboards/beyondtrust_pra_network_and_platform_security.json new file mode 100644 index 0000000000000..1270c60ba9241 --- /dev/null +++ b/beyondtrust_privileged_remote_access/assets/dashboards/beyondtrust_pra_network_and_platform_security.json 
@@ -0,0 +1,2368 @@ +{ + "title": "BeyondTrust PRA Network & Platform Security", + "description": "This dashboard provides comprehensive insights into configuration changes across network objects, routing, syslog destinations, SNMP settings, API accounts, and external security providers to support change management, audit trails, and drift detection.", + "widgets": [ + { + "id": 8889995637822191, + "definition": { + "type": "image", + "url": "https://assets.beyondtrust.com/assets/images/products/icons/pra-icon.svg", + "url_dark_theme": "https://assets.beyondtrust.com/assets/images/products/icons/pra-icon.svg", + "sizing": "contain", + "margin": "md", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 797702432985848, + "definition": { + "type": "note", + "content": "This dashboard provides comprehensive insights into configuration changes across network objects, routing, syslog destinations, SNMP settings, API accounts, and external security providers to support change management, audit trails, and drift detection.\n\nFor more information, see the [BeyondTrust Privileged Remote Access Integration Documentation](https://docs.datadoghq.com/integrations/beyondtrust_privileged_remote_access/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "white", + "font_size": "16", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 6482097529073432, + "definition": { + "title": "Overview", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": 
"ordered", + "widgets": [ + { + "id": 6303386755009047, + "definition": { + "type": "note", + "content": "A quick summary of configuration changes. It shows updates to network objects, routing, syslog, SNMP, API accounts, and external security services, helping to track changes, support audits, and spot unexpected modifications.", + "background_color": "orange", + "font_size": "14", + "text_align": "center", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 2135109017017976, + "definition": { + "title": "Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:(network-activity OR api-and-integration-risk) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 3, + "height": 3 + } + }, + { + "id": 3181328308616578, + "definition": { + "title": "Events over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": 
"source:beyondtrust-privileged-remote-access service:(network-activity OR api-and-integration-risk) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 1, + "width": 9, + "height": 3 + } + }, + { + "id": 1180011425108364, + "definition": { + "title": "Top event types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:(network-activity OR api-and-integration-risk) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 7091916339696064, + "definition": { + "title": "Top users", + "title_size": "16", + "title_align": "left", + "type": "bar_chart", + "requests": [ + { + "queries": [ + { + "name": "query1", + 
"data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:(network-activity OR api-and-integration-risk) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@usr.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ] + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 1153462168096031, + "definition": { + "title": "Geo-distribution of source IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:(network-activity OR api-and-integration-risk) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + 
"y": 8, + "width": 12, + "height": 5 + } + }, + { + "id": 291520775480478, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:beyondtrust-privileged-remote-access service:(network-activity OR api-and-integration-risk) $event_name $user_name $source_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 13, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 18 + } + }, + { + "id": 8082743746094609, + "definition": { + "title": "Network Insights", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6783032569304986, + "definition": { + "type": "note", + "content": "A quick view of network-related changes and activity. 
It shows how often network settings, addresses, routes, syslog, and SNMP configurations are changed, who made the changes, which interfaces, IPs, and hosts are involved, and detailed logs for deeper investigation.", + "background_color": "orange", + "font_size": "14", + "text_align": "center", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 2090120092572397, + "definition": { + "title": "Network changes", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:network-activity @evt.name:network_changed $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 3, + "height": 3 + } + }, + { + "id": 4671713014722895, + "definition": { + "title": "Network changes over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Network Change", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:network-activity @evt.name:network_changed $event_name $user_name 
$source_ip" + }, + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "orange", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 1, + "width": 9, + "height": 3 + } + }, + { + "id": 4127625539767339, + "definition": { + "title": "Top users by network changes", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:network-activity @evt.name:network_changed $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@usr.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 3, + "height": 3 + } + }, + { + "id": 6136301377258563, + "definition": { + "title": "Address insights over time by action", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Address Insight", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { 
+ "query": "source:beyondtrust-privileged-remote-access service:network-activity @evt.name:(network_address_added OR network_address_changed OR network_address_removed) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "orange", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 4, + "width": 9, + "height": 3 + } + }, + { + "id": 6030428016309801, + "definition": { + "title": "Top IPs by network address action", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:network-activity @evt.name:(network_address_added OR network_address_removed) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@ip" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 4, + "height": 4 + } + }, + { + "id": 2805558255072441, + "definition": { + "title": "Top hosts by network address 
action", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:network-activity @evt.name:(network_address_added OR network_address_removed) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@hostname" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 7, + "width": 4, + "height": 4 + } + }, + { + "id": 642439525799243, + "definition": { + "title": "Top interfaces by network address action", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:network-activity @evt.name:(network_address_added OR network_address_removed) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@interface" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + 
"formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 7, + "width": 4, + "height": 4 + } + }, + { + "id": 221243135116358, + "definition": { + "title": "Addresses added details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:beyondtrust-privileged-remote-access service:network-activity @evt.name:network_address_added $event_name $user_name $source_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "ip_status_value", + "width": "auto" + }, + { + "field": "interface", + "width": "auto" + }, + { + "field": "ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 4 + } + }, + { + "id": 2012850249566330, + "definition": { + "title": "SNMP configuration changes", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:beyondtrust-privileged-remote-access service:network-activity @evt.name:SNMP_changed $event_name $user_name $source_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 15, + "width": 12, + "height": 4 + } + }, + { + "id": 7399941510101829, + "definition": { + "title": "Route 
updates", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:network-activity @evt.name:network_route_changed $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 19, + "width": 3, + "height": 3 + } + }, + { + "id": 8098894411286017, + "definition": { + "title": "Route updates over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Route Update", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:network-activity @evt.name:network_route_changed $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "orange", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 19, + "width": 9, + "height": 3 + } + }, + { + "id": 3187555429708203, + "definition": { + "title": "Syslog server config changes", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ 
+ { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:network-activity @evt.name:syslog_server_changed $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 22, + "width": 3, + "height": 3 + } + }, + { + "id": 7591513207179291, + "definition": { + "title": "Top users by syslog server config change", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:network-activity @evt.name:syslog_server_changed $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@usr.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 22, + "width": 3, + "height": 3 + } + }, + { + "id": 4843989110678089, + "definition": { + "title": "Syslog 
server config changes over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Syslog Server Change", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:network-activity @evt.name:syslog_server_changed $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "orange", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 22, + "width": 6, + "height": 3 + } + }, + { + "id": 6112640160888389, + "definition": { + "title": "Event details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:beyondtrust-privileged-remote-access service:network-activity $event_name $user_name $source_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 25, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 21, + "width": 12, + "height": 30 + } + }, + { + "id": 2100812802395623, + "definition": { + "title": "API & Integration Risk", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + 
"id": 4005194814172293, + "definition": { + "type": "note", + "content": "A quick view of changes to API accounts and security integrations. It shows when accounts and providers are added, changed, or removed, who made the changes, activity trends over time, and detailed logs to help spot risky or unexpected actions.", + "background_color": "orange", + "font_size": "14", + "text_align": "center", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 5560661993085005, + "definition": { + "title": "API accounts added", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:api-and-integration-risk @evt.name:api_account_added $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 3, + "height": 3 + } + }, + { + "id": 2464225189373398, + "definition": { + "title": "API accounts removed", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:api-and-integration-risk @evt.name:api_account_removed $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { 
+ "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 3, + "y": 1, + "width": 3, + "height": 3 + } + }, + { + "id": 4868592560265491, + "definition": { + "title": "API account activities over time by action", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "API Account Activity", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:api-and-integration-risk @evt.name:(api_account_added OR api_account_changed OR api_account_removed) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 1, + "width": 6, + "height": 3 + } + }, + { + "id": 6670916316231602, + "definition": { + "title": "Top users modifying API accounts", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:api-and-integration-risk @evt.name:(api_account_added OR 
api_account_changed OR api_account_removed) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@usr.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 8308253737779276, + "definition": { + "title": "API account activities distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:api-and-integration-risk @evt.name:(api_account_added OR api_account_changed OR api_account_removed) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 4, + "y": 4, + "width": 8, + "height": 4 + } + }, + { + "id": 4084687811648167, + "definition": { + 
"title": "Security providers added", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:api-and-integration-risk @evt.name:security_provider_added $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 3, + "height": 3 + } + }, + { + "id": 4061508318416752, + "definition": { + "title": "Security providers removed", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:api-and-integration-risk @evt.name:security_provider_removed $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 3, + "y": 8, + "width": 3, + "height": 3 + } + }, + { + "id": 3562199972280028, + "definition": { + "title": "Security providers activities over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + 
"legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Security Provider", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:api-and-integration-risk @evt.name:(security_provider_added OR security_provider_changed OR security_provider_removed) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "orange", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 8, + "width": 6, + "height": 3 + } + }, + { + "id": 7164790482328195, + "definition": { + "title": "Security provider settings removed", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:api-and-integration-risk @evt.name:security_provider_setting_removed $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 3, + "height": 3 + } + }, + { + "id": 2119400936817289, + "definition": { + 
"title": "Security provider settings added", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:api-and-integration-risk @evt.name:security_provider_setting_added $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 3, + "y": 11, + "width": 3, + "height": 3 + } + }, + { + "id": 673472996830156, + "definition": { + "title": "Security provider settings activities over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Security Provider Setting", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:api-and-integration-risk @evt.name:(security_provider_setting_added OR security_provider_setting_changed OR security_provider_setting_removed) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "orange", + "order_by": "values", + "line_type": "solid", + 
"line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 11, + "width": 6, + "height": 3 + } + }, + { + "id": 2874716777334594, + "definition": { + "title": "Top IPs modifying security provider settings", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access service:api-and-integration-risk @evt.name:(security_provider_setting_added OR security_provider_setting_changed OR security_provider_setting_removed) $event_name $user_name $source_ip" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@network.client.ip" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 14, + "width": 4, + "height": 3 + } + }, + { + "id": 6124538268089704, + "definition": { + "title": "Security provider settings added details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:beyondtrust-privileged-remote-access service:api-and-integration-risk @evt.name:security_provider_setting_added $event_name $user_name $source_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, 
+ {
+ "field": "@network.client.ip",
+ "width": "auto"
+ },
+ {
+ "field": "content",
+ "width": "auto"
+ }
+ ]
+ }
+ ],
+ "type": "list_stream"
+ },
+ "layout": {
+ "x": 4,
+ "y": 14,
+ "width": 8,
+ "height": 3
+ }
+ },
+ {
+ "id": 3711574620617975,
+ "definition": {
+ "title": "Event details",
+ "title_size": "16",
+ "title_align": "left",
+ "requests": [
+ {
+ "response_format": "event_list",
+ "query": {
+ "data_source": "logs_stream",
+ "query_string": "source:beyondtrust-privileged-remote-access service:api-and-integration-risk $event_name $user_name $source_ip",
+ "indexes": [],
+ "storage": "hot"
+ },
+ "columns": [
+ {
+ "field": "timestamp",
+ "width": "auto"
+ },
+ {
+ "field": "@evt.name",
+ "width": "auto"
+ },
+ {
+ "field": "@usr.name",
+ "width": "auto"
+ },
+ {
+ "field": "@network.client.ip",
+ "width": "auto"
+ },
+ {
+ "field": "content",
+ "width": "auto"
+ }
+ ]
+ }
+ ],
+ "type": "list_stream"
+ },
+ "layout": {
+ "x": 0,
+ "y": 17,
+ "width": 12,
+ "height": 4
+ }
+ }
+ ]
+ },
+ "layout": {
+ "x": 0,
+ "y": 51,
+ "width": 12,
+ "height": 22,
+ "is_column_break": true
+ }
+ }
+ ],
+ "template_variables": [
+ {
+ "name": "user_name",
+ "prefix": "@usr.name",
+ "available_values": [],
+ "default": "*"
+ },
+ {
+ "name": "event_name",
+ "prefix": "@evt.name",
+ "available_values": [],
+ "default": "*"
+ },
+ {
+ "name": "source_ip",
+ "prefix": "@network.client.ip",
+ "available_values": [],
+ "default": "*"
+ }
+ ],
+ "layout_type": "ordered",
+ "notify_list": [],
+ "reflow_type": "fixed"
+}
\ No newline at end of file
diff --git a/beyondtrust_privileged_remote_access/assets/dashboards/beyondtrust_pra_overview.json b/beyondtrust_privileged_remote_access/assets/dashboards/beyondtrust_pra_overview.json
new file mode 100644
index 0000000000000..55efc50493840
--- /dev/null
+++ b/beyondtrust_privileged_remote_access/assets/dashboards/beyondtrust_pra_overview.json
@@ -0,0 +1,1090 @@
+{
+ "title": "BeyondTrust PRA Overview",
+ "description": "This dashboard provides comprehensive insights into BeyondTrust PRA logs.",
+ "widgets": [
+ {
+ "id": 504966419637350,
+ "definition": {
+ "type": "image",
+ "url": "https://assets.beyondtrust.com/assets/images/products/icons/pra-icon.svg",
+ "url_dark_theme": "https://assets.beyondtrust.com/assets/images/products/icons/pra-icon.svg",
+ "sizing": "contain",
+ "margin": "md",
+ "has_background": true,
+ "has_border": false,
+ "vertical_align": "center",
+ "horizontal_align": "center"
+ },
+ "layout": {
+ "x": 0,
+ "y": 0,
+ "width": 4,
+ "height": 3
+ }
+ },
+ {
+ "id": 2791465074559515,
+ "definition": {
+ "type": "note",
+ "content": "[BeyondTrust Privileged Remote Access](https://www.beyondtrust.com/products/privileged-remote-access) securely manages and controls remote access to critical systems for privileged users, such as administrators, IT personnel, and third-party vendors.\n\nThis dashboard provides comprehensive insights into BeyondTrust PRA logs.\n\nFor more information, see the [BeyondTrust Privileged Remote Access Integration Documentation](https://docs.datadoghq.com/integrations/beyondtrust_privileged_remote_access/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.",
+ "background_color": "white",
+ "font_size": "16",
+ "text_align": "left",
+ "vertical_align": "center",
+ "show_tick": true,
+ "tick_pos": "50%",
+ "tick_edge": "left",
+ "has_padding": true
+ },
+ "layout": {
+ "x": 4,
+ "y": 0,
+ "width": 8,
+ "height": 3
+ }
+ },
+ {
+ "id": 2674381479027998,
+ "definition": {
+ "title": "Overview",
+ "background_color": "vivid_orange",
+ "show_title": true,
+ "type": "group",
+ "layout_type": "ordered",
+ "widgets": [
+ {
+ "id": 7046321506420646,
+ "definition": {
+ "type": "note",
+ "content": "A quick summary of 
overall activity. It shows the total number of events, how they change over time, the most common events and users, where the activity is coming from (by location), and detailed logs for easy review and investigation.", + "background_color": "orange", + "font_size": "14", + "text_align": "center", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 7266138334002992, + "definition": { + "title": "Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdd0a2" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 3, + "height": 3 + } + }, + { + "id": 5491302647276523, + "definition": { + "title": "Events over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + 
"response_format": "timeseries", + "style": { + "palette": "orange", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 1, + "width": 9, + "height": 3 + } + }, + { + "id": 2326722022832963, + "definition": { + "title": "Top events", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@evt.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 6801568921244640, + "definition": { + "title": "Top users", + "title_size": "16", + "title_align": "left", + "type": "bar_chart", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@usr.name" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + 
"formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ] + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 4592753572140032, + "definition": { + "title": "Top IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true, + "fields": [ + "@network.client.ip" + ] + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked" + } + } + }, + "layout": { + "x": 8, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 3041642612842479, + "definition": { + "title": "Geo-distribution of source IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:beyondtrust-privileged-remote-access $user_name $source_ip $event_name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "aggregation": 
"count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 5 + } + }, + { + "id": 8816348374527261, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:beyondtrust-privileged-remote-access $user_name $source_ip $event_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@evt.name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 13, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 18 + } + }, + { + "id": 5675141013307606, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5234904368995564, + "definition": { + "type": "note", + "content": "Datadog Cloud SIEM analyzes and correlates the **BeyondTrust Privileged Remote Access** logs to detect threats to your environment in real time. 
If you don't see any signals, make sure you've enabled [Datadog Cloud SIEM](/security/overview).", + "background_color": "orange", + "font_size": "14", + "text_align": "center", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 7734943968196728, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:beyondtrust-privileged-remote-access status:critical" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 7737666602617245, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:beyondtrust-privileged-remote-access status:high" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d33043" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 8960554830158664, + 
"definition": { + "title": "Critical security signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:beyondtrust-privileged-remote-access status:critical" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 4493280276161215, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:beyondtrust-privileged-remote-access status:medium" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 2781830780687121, + "definition": { + "title": "LOWs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + 
"data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:beyondtrust-privileged-remote-access status:low" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ffb52b" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 3894518898570485, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:beyondtrust-privileged-remote-access status:info" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#84c1e0" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 7023869147765641, + "definition": { + "title": "High security signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:beyondtrust-privileged-remote-access status:high" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": 
"#d33043" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 3587219822037268, + "definition": { + "title": "Medium security signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:beyondtrust-privileged-remote-access status:medium" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 21, + "width": 12, + "height": 10, + "is_column_break": true + } + } + ], + "template_variables": [ + { + "name": "user_name", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + }, + { + "name": "event_name", + "prefix": "@evt.name", + "available_values": [], + "default": "*" + }, + { + "name": "source_ip", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file 
diff --git a/beyondtrust_privileged_remote_access/assets/logs/beyondtrust-privileged-remote-access.yaml b/beyondtrust_privileged_remote_access/assets/logs/beyondtrust-privileged-remote-access.yaml
new file mode 100644
index 0000000000000..65bfc776f1a2b
--- /dev/null
+++ b/beyondtrust_privileged_remote_access/assets/logs/beyondtrust-privileged-remote-access.yaml
@@ -0,0 +1,371 @@ +id: beyondtrust-privileged-remote-access +metric_id: beyondtrust-privileged-remote-access +backend_only: false +facets: + - groups: + - Event + name: Event Name + path: evt.name + source: log + - groups: + - Geoip + name: City Name + path: network.client.geoip.city.name + source: log + - groups: + - Geoip + name: Continent Code + path: network.client.geoip.continent.code + source: log + - groups: + - Geoip + name: Continent Name + path: network.client.geoip.continent.name + source: log + - groups: + - Geoip + name: Country ISO Code + path: network.client.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Country Name + path: network.client.geoip.country.name + source: log + - groups: + - Geoip + name: Subdivision ISO Code + path: network.client.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Subdivision Name + path: network.client.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Client IP + path: network.client.ip + source: log + - groups: + - User + name: User ID + path: usr.id + source: log +pipeline: + type: pipeline + name: BeyondTrust Privileged Remote Access + enabled: true + filter: + query: source:beyondtrust-privileged-remote-access + processors: + - type: grok-parser + name: Parsing BeyondTrust PRA logs + enabled: true + source: message + samples: + - <133>Dec 24 00:14:20 pf60fc91 BG[51036] + 1427:01:02:site=pf60fc91.beyondtrustcloud.com;when=1766556860;who=John + Carter (john.carter@test.com);who_ip=64.252.100.129;event=jump_policy_added;authorization:allowed_approvers=0;authorization:allowed_to=1;authorization:approver_name=;authorization:email_addresses=;authorization:enabled=0 + - Jan 5 01:17:57 pf60fc91 BG[70499] + 1427:01:02:site=pf60fc91.beyondtrustcloud.com;when=1767597477;who=Sam + Carter + 
(sam.carter@test.com);who_ip=64.252.100.129;event=jump_policy_changed;old_authorization:allowed_approvers=0;old_authorization:allowed_to=1;old_authorization:approver_name=;old_authorization:email_addresses=;old_authorization:enabled=0;old_authorization:locale_code=en-us;old_authorization:max_duration=28800;old_authorization:approver_teams=;old_authorization:approvers=;old_code_name=jump_policy_3;old_description=;old_display_name=test73;new_display_name=test75;old_external_tools_rdp_allowed=0;old_external_tools_shell_allowed=0;old_id=8;old_notification:email_addresses=;old_notification:locale_code=en-us;old_notification:recipient_name=;old_notify_on_customer_leave=0;old_notify_on_session_start=0;old_schedule:enabled=1;old_schedule:force_end=1;old_session_recordings_disabled=0;old_simultaneous_jump_behavior_applies_to_copies=0;old_simultaneous_jumps=0;old_simultaneous_rdp_jumps=0;old_authorization:ticket_system_enabled=0;old_two_factor_challenge_required=0 + grok: + supportRules: parse_header (<%{number:syslog_priority}>)?(%{date("MMM d + HH:mm:ss")}|%{date("MMM d HH:mm:ss")}) %{notSpace:hostname} + %{notSpace:system_id}\[%{number:process_id}\] + %{number:site_id}:%{integer}:%{integer} + matchRules: rule %{parse_header}:%{data::keyvalue("=","\\]\\[{}\" + \\n:;,/!''\\(\\)*~#&$%^?+\\\\",";")} + - type: grok-parser + name: Parse `who` attribute + enabled: true + source: who + samples: + - Sam Carter (sam.carter@test.com) using oidc + - John Carter IT (john.carter@test.com) + grok: + supportRules: "" + matchRules: rule %{regex(".*?(?= \\(|$)"):usr.name}( + \(%{regex(".*?(?=\\))"):usr.email}\))?.* + - type: arithmetic-processor + name: Convert seconds to milliseconds epoch time + enabled: true + expression: when*1000 + target: when + replaceMissing: false + - type: date-remapper + name: Define `when` as the official date of the log + enabled: true + sources: + - when + - type: attribute-remapper + name: Map `event` to `evt.name` + enabled: true + sources: + - event + 
sourceType: attribute + target: evt.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `who_ip` to `network.client.ip` + enabled: true + sources: + - who_ip + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `user:id` to `usr.id` + enabled: true + sources: + - user:id + sourceType: attribute + target: usr.id + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: category-processor + name: Categorize `event_category` based on `evt.name` attribute + enabled: true + categories: + - filter: + query: "@evt.name:(login OR change_password OR change_username OR + admin_password_reset_to_factory_default OR fido2_credential_added + OR fido2_credential_changed OR fido2_credential_removed)" + name: identity-access + - filter: + query: "@evt.name:(group_policy_added OR group_policy_changed OR + group_policy_removed OR group_policy_member_added OR + group_policy_member_removed OR session_policy_added OR + session_policy_changed OR session_policy_removed OR + user_session_policy_added OR user_session_policy_removed)" + name: authorization-and-policy-control + - filter: + query: "@evt.name:(certificate_export OR kerberos_keytab_added OR + kerberos_keytab_removed OR vault_account_password_rotation)" + name: cryptography-and-secrets-protection + - filter: + query: "@evt.name:(jumpoint_cluster_added OR jumpoint_cluster_changed OR + jumpoint_cluster_removed OR jumpoint_user_added OR + jumpoint_user_removed OR network_tunnel_jump_item_added OR + network_tunnel_jump_item_changed OR + network_tunnel_jump_item_removed OR remote_rfb_jump_item_added OR + remote_rfb_jump_item_removed)" + name: jumpoint-and-remote-access-management + - filter: + query: "@evt.name:(user_added OR user_changed OR user_removed OR + pending_user_added OR pending_user_changed OR pending_user_removed 
+ OR pending_vendor_user_added OR pending_vendor_user_deleted)" + name: user-management + - filter: + query: "@evt.name:(support_session_detail_generated OR + support_session_report_generated OR + support_session_summary_report_generated OR + team_activity_report_generated OR user_account_report_generated OR + vendor_activity_report_generated OR reporting_erasure OR + backup_created)" + name: reporting-and-compliance-evidence + - filter: + query: "@evt.name:(network_changed OR network_address_added OR + network_address_changed OR network_address_removed OR + network_route_changed OR syslog_server_changed OR SNMP_changed)" + name: network-activity + - filter: + query: "@evt.name:(api_account_added OR api_account_changed OR + api_account_removed OR security_provider_added OR + security_provider_changed OR security_provider_removed OR + security_provider_setting_added OR + security_provider_setting_changed OR + security_provider_setting_removed)" + name: api-and-integration-risk + target: event_category + - type: service-remapper + name: Define `event_category` as the official service of the log + enabled: true + sources: + - event_category + - type: pipeline + name: Parse FIDO2 logs + enabled: true + filter: + query: "@evt.name:(fido2_credential_added OR fido2_credential_removed)" + processors: + - name: Lookup on `roaming` attribute + enabled: true + source: roaming + target: roaming_value + lookupTable: |- + 1,the credential is cross-platform + 0,the credential is not cross-platform + type: lookup-processor + - type: pipeline + name: Parse Group Policy logs + enabled: true + filter: + query: "@evt.name:(group_policy_added OR group_policy_removed)" + processors: + - name: Lookup on `account:disabled` attribute + enabled: true + source: account:disabled + target: account_status_value + lookupTable: |- + 1,disabled + 0,enabled + type: lookup-processor + - name: Lookup on `allow_override` attribute + enabled: true + source: allow_override + target: allow_override_value 
+ lookupTable: |- + 1,setting can be overridden by a policy with a lower priority + 0,setting cannot be overridden by a policy with a lower priority + type: lookup-processor + - name: Lookup on `login_code:enabled` attribute + enabled: true + source: login_code:enabled + target: login_code_value + lookupTable: |- + 1,users must enter an emailed login code to log in + 0,users may log in without an emailed login code + type: lookup-processor + - type: pipeline + name: Parse Network Address logs + enabled: true + filter: + query: "@evt.name:(network_address_added OR network_address_changed OR + network_address_removed)" + processors: + - name: Lookup on `enabled` attribute + enabled: true + source: enabled + target: ip_status_value + lookupTable: |- + 1,enabled + 0,disabled + type: lookup-processor + - type: pipeline + name: Parse Login User logs + enabled: true + filter: + query: "@evt.name:(user_added OR user_removed)" + processors: + - name: Lookup on `account:disabled` attribute + enabled: true + source: account:disabled + target: account_status_value + lookupTable: |- + 1,disabled + 0,enabled + type: lookup-processor + - name: Lookup on `login_code:enabled` attribute + enabled: true + source: login_code:enabled + target: login_code_value + lookupTable: |- + 1,users must enter an emailed login code to log in + 0,users may log in without an emailed login code + type: lookup-processor + - type: pipeline + name: Parse Session Policy logs + enabled: true + filter: + query: "@evt.name:(session_policy_added OR session_policy_removed)" + processors: + - name: Lookup on `automatic_privacy_screen` attribute + enabled: true + source: automatic_privacy_screen + target: automatic_privacy_screen_value + lookupTable: |- + 1,enabled + 0,disabled + type: lookup-processor + - type: pipeline + name: Parse Certificate Export logs + enabled: true + filter: + query: "@evt.name:certificate_export" + processors: + - name: Lookup on `exported_with_private_key` attribute + enabled: true + 
source: exported_with_private_key + target: exported_with_private_key_value + lookupTable: |- + 1,included + 0,not included + type: lookup-processor + - type: pipeline + name: Parse Jumpoint Cluster logs + enabled: true + filter: + query: "@evt.name:(jumpoint_cluster_added OR jumpoint_cluster_removed)" + processors: + - name: Lookup on `allows_multiple_nodes` attribute + enabled: true + source: allows_multiple_nodes + target: jumpoint_type_value + lookupTable: |- + 1,cluster Jumpoint + 0,standalone Jumpoint + type: lookup-processor + - name: Lookup on `disabled` attribute + enabled: true + source: disabled + target: jumpoint_status_value + lookupTable: |- + 1,disabled + 0,enabled + type: lookup-processor + - name: Lookup on `network_tunnel` attribute + enabled: true + source: network_tunnel + target: network_tunnel_value + lookupTable: |- + 1,allow protocol tunnel jumps + 0,block protocol tunnel jumps + type: lookup-processor + - type: pipeline + name: Parse Report logs + enabled: true + filter: + query: "@evt.name:(support_session_report_generated OR + support_session_detail_generated OR + support_session_summary_report_generated OR + team_activity_report_generated)" + processors: + - name: Lookup on `api` attribute + enabled: true + source: api + target: api_value + lookupTable: |- + 1,the report query was made via the API + 0,the report query was not made via the API + type: lookup-processor + - name: Lookup on `only_completed` attribute + enabled: true + source: only_completed + target: is_only_completed + lookupTable: |- + 1,completed sessions + 0,both (completed and uncompleted sessions) + type: lookup-processor + - name: Lookup on `primary_rep` attribute + enabled: true + source: primary_rep + target: session_role_value + lookupTable: |- + 1,primary + 0,participant + type: lookup-processor + - type: geo-ip-parser + name: Parsing geo-location information from source + enabled: true + sources: + - network.client.ip + target: network.client.geoip + 
ip_processing_behavior: do-nothing
diff --git a/beyondtrust_privileged_remote_access/assets/logs/beyondtrust-privileged-remote-access_tests.yaml b/beyondtrust_privileged_remote_access/assets/logs/beyondtrust-privileged-remote-access_tests.yaml
new file mode 100644
index 0000000000000..0d0a0e1d09eb1
--- /dev/null
+++ b/beyondtrust_privileged_remote_access/assets/logs/beyondtrust-privileged-remote-access_tests.yaml
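Review bot: The category-processor (`Categorize event_category based on evt.name attribute`) has no filter for the `jump_policy_added` / `jump_policy_changed` events that the header grok parser itself uses as samples, so those logs get no `event_category` and the service-remapper leaves `service` unset for them. A filter such as `query: "@evt.name:(jump_policy_added OR jump_policy_changed)"` with `name: authorization-and-policy-control`, placed next to the group/session policy filter, would keep policy changes under one service; the same check is worth running for any other event the product emits that appears in none of the filters. Separately, `%{number:process_id}`, `%{number:site_id}` and `%{number:syslog_priority}` in `parse_header` yield floats (the tests file asserts `process_id: 81869.0` and `site_id: 1427.0`) while the segment fields already use `%{integer}`; `%{integer:process_id}` and friends would keep these identifiers integral. `SNMP_changed` in the network-activity filter is the only mixed-case event name; if the product emits it lowercase the filter would not match, which is worth confirming against a real sample.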
@@ -0,0 +1,270 @@ +id: "beyondtrust-privileged-remote-access" +tests: + - + sample: "<133>Jan 9 03:47:40 pf60fc91 BG[81869] 1427:01:01:event=fido2_credential_added;credential_owner_id=123;name=credential_name;roaming=1;registration_date=09-01-2026;last_used_date=09-01-2026;last_signature_count=1;when=1767953860;who=Sam5 Carter5 (sam.carter@test.ai) using oidc;who_ip=64.252.101.204;site=pf60fc91.beyondtrustcloud.com" + result: + custom: + credential_owner_id: 123 + event_category: "identity-access" + evt: + name: "fido2_credential_added" + hostname: "pf60fc91" + last_signature_count: 1 + last_used_date: "09-01-2026" + name: "credential_name" + network: + client: + geoip: {} + ip: "64.252.101.204" + process_id: 81869.0 + registration_date: "09-01-2026" + roaming: 1 + roaming_value: "the credential is cross-platform" + site: "pf60fc91.beyondtrustcloud.com" + site_id: 1427.0 + syslog_priority: 133.0 + system_id: "BG" + usr: + email: "sam.carter@test.ai" + name: "Sam5 Carter5" + when: 1.76795386E12 + who: "Sam5 Carter5 (sam.carter@test.ai) using oidc" + message: "<133>Jan 9 03:47:40 pf60fc91 BG[81869] 1427:01:01:event=fido2_credential_added;credential_owner_id=123;name=credential_name;roaming=1;registration_date=09-01-2026;last_used_date=09-01-2026;last_signature_count=1;when=1767953860;who=Sam5 Carter5 (sam.carter@test.ai) using oidc;who_ip=64.252.101.204;site=pf60fc91.beyondtrustcloud.com" + service: "identity-access" + tags: + - "source:LOGS_SOURCE" + timestamp: 1767953860000 + - + sample: "Dec 28 23:45:21 pf60fc91 BG[65890] 1427:01:09:site=pf60fc91.beyondtrustcloud.com;when=1766987121;who=John Carter IT (john.carter@test.ai);who_ip=64.252.101.204;event=group_policy_added;account:disabled=0;allow_override=0;login_code:enabled=1" + result: + custom: + account:disabled: 0 + account_status_value: "enabled" + allow_override: 0 + allow_override_value: "setting cannot be overridden by a policy with a lower priority" + event_category: "authorization-and-policy-control" + 
evt: + name: "group_policy_added" + hostname: "pf60fc91" + login_code:enabled: 1 + login_code_value: "users must enter an emailed login code to log in" + network: + client: + geoip: {} + ip: "64.252.101.204" + process_id: 65890.0 + site: "pf60fc91.beyondtrustcloud.com" + site_id: 1427.0 + system_id: "BG" + usr: + email: "john.carter@test.ai" + name: "John Carter IT" + when: 1.766987121E12 + who: "John Carter IT (john.carter@test.ai)" + message: "Dec 28 23:45:21 pf60fc91 BG[65890] 1427:01:09:site=pf60fc91.beyondtrustcloud.com;when=1766987121;who=John Carter IT (john.carter@test.ai);who_ip=64.252.101.204;event=group_policy_added;account:disabled=0;allow_override=0;login_code:enabled=1" + service: "authorization-and-policy-control" + tags: + - "source:LOGS_SOURCE" + timestamp: 1766987121000 + - + sample: "Jan 7 03:39:48 pf60fc91 BG[58918] 1427:01:04:site=pf60fc91.beyondtrustcloud.com;when=1767778788;who=John Carter IT (john.carter@test.ai);who_ip=64.252.100.19;event=user_added;account:disabled=0;login_code:enabled=0" + result: + custom: + account:disabled: 0 + account_status_value: "enabled" + event_category: "user-management" + evt: + name: "user_added" + hostname: "pf60fc91" + login_code:enabled: 0 + login_code_value: "users may log in without an emailed login code" + network: + client: + geoip: {} + ip: "64.252.100.19" + process_id: 58918.0 + site: "pf60fc91.beyondtrustcloud.com" + site_id: 1427.0 + system_id: "BG" + usr: + email: "john.carter@test.ai" + name: "John Carter IT" + when: 1.767778788E12 + who: "John Carter IT (john.carter@test.ai)" + message: "Jan 7 03:39:48 pf60fc91 BG[58918] 1427:01:04:site=pf60fc91.beyondtrustcloud.com;when=1767778788;who=John Carter IT (john.carter@test.ai);who_ip=64.252.100.19;event=user_added;account:disabled=0;login_code:enabled=0" + service: "user-management" + tags: + - "source:LOGS_SOURCE" + timestamp: 1767778788000 + - + sample: "<133>Jan 9 03:47:40 pf60fc91 BG[81869] 
1427:01:01:event=session_policy_added;when=1767953860;who=Sam5 Carter5 (sam.carter@test.ai) using oidc;who_ip=64.252.101.204;site=pf60fc91.beyondtrustcloud.com;automatic_privacy_screen=1;code_name=code_name;description=description;id=1;name=test" + result: + custom: + automatic_privacy_screen: 1 + automatic_privacy_screen_value: "enabled" + code_name: "code_name" + description: "description" + event_category: "authorization-and-policy-control" + evt: + name: "session_policy_added" + hostname: "pf60fc91" + id: 1 + name: "test" + network: + client: + geoip: {} + ip: "64.252.101.204" + process_id: 81869.0 + site: "pf60fc91.beyondtrustcloud.com" + site_id: 1427.0 + syslog_priority: 133.0 + system_id: "BG" + usr: + email: "sam.carter@test.ai" + name: "Sam5 Carter5" + when: 1.76795386E12 + who: "Sam5 Carter5 (sam.carter@test.ai) using oidc" + message: "<133>Jan 9 03:47:40 pf60fc91 BG[81869] 1427:01:01:event=session_policy_added;when=1767953860;who=Sam5 Carter5 (sam.carter@test.ai) using oidc;who_ip=64.252.101.204;site=pf60fc91.beyondtrustcloud.com;automatic_privacy_screen=1;code_name=code_name;description=description;id=1;name=test" + service: "authorization-and-policy-control" + tags: + - "source:LOGS_SOURCE" + timestamp: 1767953860000 + - + sample: "Dec 26 06:04:28 pf60fc91 BG[75113] 0927:01:01:site=pf60fc91.beyondtrustcloud.com/appliance;when=1767953860;who=John Carter IT (john.carter@test.ai);who_ip=163.116.213.61;event=certificate_export;common_name=DigiCert Global G2 TLS RSA SHA256 2020 CA1;exported_with_private_key=1" + result: + custom: + common_name: "DigiCert Global G2 TLS RSA SHA256 2020 CA1" + event_category: "cryptography-and-secrets-protection" + evt: + name: "certificate_export" + exported_with_private_key: 1 + exported_with_private_key_value: "included" + hostname: "pf60fc91" + network: + client: + geoip: {} + ip: "163.116.213.61" + process_id: 75113.0 + site: "pf60fc91.beyondtrustcloud.com/appliance" + site_id: 927.0 + system_id: "BG" + usr: + email: 
"john.carter@test.ai" + name: "John Carter IT" + when: 1.76795386E12 + who: "John Carter IT (john.carter@test.ai)" + message: "Dec 26 06:04:28 pf60fc91 BG[75113] 0927:01:01:site=pf60fc91.beyondtrustcloud.com/appliance;when=1767953860;who=John Carter IT (john.carter@test.ai);who_ip=163.116.213.61;event=certificate_export;common_name=DigiCert Global G2 TLS RSA SHA256 2020 CA1;exported_with_private_key=1" + service: "cryptography-and-secrets-protection" + tags: + - "source:LOGS_SOURCE" + timestamp: 1767953860000 + - + sample: "<133>Dec 26 03:45:47 pf60fc91 BG[36689] 1427:01:01:site=pf60fc91.beyondtrustcloud.com;when=1766742347;who=John Carter IT (john.carter@test.ai);who_ip=64.252.100.173;event=jumpoint_cluster_added;code_name=jumpoint_3;comments=test;external_jump_item_network_id=;id=3;jzp_allow_http_get=0;jzp_client_address_restrictions_type=0;jzp_enabled=0;jzp_proxy_hostname=;jzp_proxy_port=9555;jzp_restricted_ips=;managed_ip_ranges=[];name=test;platform=windows-x86;rdp_service_account_id=;shelljump=0;allows_multiple_nodes=1;disabled=1;network_tunnel=0" + result: + custom: + allows_multiple_nodes: 1 + code_name: "jumpoint_3" + comments: "test" + disabled: 1 + event_category: "jumpoint-and-remote-access-management" + evt: + name: "jumpoint_cluster_added" + hostname: "pf60fc91" + id: 3 + jumpoint_status_value: "disabled" + jumpoint_type_value: "cluster Jumpoint" + jzp_allow_http_get: 0 + jzp_client_address_restrictions_type: 0 + jzp_enabled: 0 + jzp_proxy_port: 9555 + managed_ip_ranges: "[]" + name: "test" + network: + client: + geoip: {} + ip: "64.252.100.173" + network_tunnel: 0 + network_tunnel_value: "block protocol tunnel jumps" + platform: "windows-x86" + process_id: 36689.0 + shelljump: 0 + site: "pf60fc91.beyondtrustcloud.com" + site_id: 1427.0 + syslog_priority: 133.0 + system_id: "BG" + usr: + email: "john.carter@test.ai" + name: "John Carter IT" + when: 1.766742347E12 + who: "John Carter IT (john.carter@test.ai)" + message: "<133>Dec 26 03:45:47 pf60fc91 
BG[36689] 1427:01:01:site=pf60fc91.beyondtrustcloud.com;when=1766742347;who=John Carter IT (john.carter@test.ai);who_ip=64.252.100.173;event=jumpoint_cluster_added;code_name=jumpoint_3;comments=test;external_jump_item_network_id=;id=3;jzp_allow_http_get=0;jzp_client_address_restrictions_type=0;jzp_enabled=0;jzp_proxy_hostname=;jzp_proxy_port=9555;jzp_restricted_ips=;managed_ip_ranges=[];name=test;platform=windows-x86;rdp_service_account_id=;shelljump=0;allows_multiple_nodes=1;disabled=1;network_tunnel=0" + service: "jumpoint-and-remote-access-management" + tags: + - "source:LOGS_SOURCE" + timestamp: 1766742347000 + - + sample: "<133>Dec 22 04:32:05 pf60fc91 BG[62465] 1427:01:01:site=pf60fc91.beyondtrustcloud.com;when=1766399525;who=John Carter (john.carter@test.ai);who_ip=64.252.101.244;event=support_session_report_generated;match_any=;row_start=0;row_count=15;api=0;only_completed=0;primary_rep=0" + result: + custom: + api: 0 + api_value: "the report query was not made via the API" + event_category: "reporting-and-compliance-evidence" + evt: + name: "support_session_report_generated" + hostname: "pf60fc91" + is_only_completed: "both (completed and uncompleted sessions)" + network: + client: + geoip: {} + ip: "64.252.101.244" + only_completed: 0 + primary_rep: 0 + process_id: 62465.0 + row_count: 15 + row_start: 0 + session_role_value: "participant" + site: "pf60fc91.beyondtrustcloud.com" + site_id: 1427.0 + syslog_priority: 133.0 + system_id: "BG" + usr: + email: "john.carter@test.ai" + name: "John Carter" + when: 1.766399525E12 + who: "John Carter (john.carter@test.ai)" + message: "<133>Dec 22 04:32:05 pf60fc91 BG[62465] 1427:01:01:site=pf60fc91.beyondtrustcloud.com;when=1766399525;who=John Carter (john.carter@test.ai);who_ip=64.252.101.244;event=support_session_report_generated;match_any=;row_start=0;row_count=15;api=0;only_completed=0;primary_rep=0" + service: "reporting-and-compliance-evidence" + tags: + - "source:LOGS_SOURCE" + timestamp: 1766399525000 + - + 
sample: "<133>Dec 22 04:32:05 pf60fc91 BG[62465] 1427:01:01:site=pf60fc91.beyondtrustcloud.com;when=1766399525;who=John Carter (john.carter@test.ai);who_ip=64.252.101.244;event=network_address_added;enabled=1;interface=intf1;ip=10.10.10.10"
+ result:
+ custom:
+ enabled: 1
+ event_category: "network-activity"
+ evt:
+ name: "network_address_added"
+ hostname: "pf60fc91"
+ interface: "intf1"
+ ip: "10.10.10.10"
+ ip_status_value: "enabled"
+ network:
+ client:
+ geoip: {}
+ ip: "64.252.101.244"
+ process_id: 62465.0
+ site: "pf60fc91.beyondtrustcloud.com"
+ site_id: 1427.0
+ syslog_priority: 133.0
+ system_id: "BG"
+ usr:
+ email: "john.carter@test.ai"
+ name: "John Carter"
+ when: 1.766399525E12
+ who: "John Carter (john.carter@test.ai)"
+ message: "<133>Dec 22 04:32:05 pf60fc91 BG[62465] 1427:01:01:site=pf60fc91.beyondtrustcloud.com;when=1766399525;who=John Carter (john.carter@test.ai);who_ip=64.252.101.244;event=network_address_added;enabled=1;interface=intf1;ip=10.10.10.10"
+ service: "network-activity"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1766399525000
diff --git a/beyondtrust_privileged_remote_access/changelog.d/22381.added b/beyondtrust_privileged_remote_access/changelog.d/22381.added
new file mode 100644
index 0000000000000..aa949b47b7b41
--- /dev/null
+++ b/beyondtrust_privileged_remote_access/changelog.d/22381.added
@@ -0,0 +1 @@
+Initial Release
\ No newline at end of file
diff --git a/beyondtrust_privileged_remote_access/datadog_checks/beyondtrust_privileged_remote_access/__about__.py b/beyondtrust_privileged_remote_access/datadog_checks/beyondtrust_privileged_remote_access/__about__.py
new file mode 100644
index 0000000000000..e50f43adfb9b1
--- /dev/null
+++ b/beyondtrust_privileged_remote_access/datadog_checks/beyondtrust_privileged_remote_access/__about__.py
@@ -0,0 +1,4 @@
+# (C) Datadog, Inc. 2026-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+__version__ = '0.0.1'
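Review bot: The `tests:` list never exercises an event that falls outside the category-processor's filters, although the pipeline file's own grok samples use `jump_policy_added` / `jump_policy_changed`, which match no category; a case asserting that such a log still parses but carries no `event_category` or `service` would pin the intended behaviour instead of leaving it implicit. Every expected result also carries `geoip: {}`, so none of the Geoip facets declared in the pipeline file is covered by an assertion — presumably the harness does not resolve geolocation, in which case a short comment above the first test saying so would spare the next reader from suspecting a broken geo-ip-parser. A multi-segment message (the samples only ever show segment `01`, e.g. `1427:01:09`) is likewise untested, so the interaction between the agent-side header masking and the `keyvalue` parser is unverified here.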
diff --git a/beyondtrust_privileged_remote_access/datadog_checks/beyondtrust_privileged_remote_access/__init__.py b/beyondtrust_privileged_remote_access/datadog_checks/beyondtrust_privileged_remote_access/__init__.py
new file mode 100644
index 0000000000000..ade42e6c9dbf7
--- /dev/null
+++ b/beyondtrust_privileged_remote_access/datadog_checks/beyondtrust_privileged_remote_access/__init__.py
@@ -0,0 +1,6 @@
+# (C) Datadog, Inc. 2026-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+from .__about__ import __version__
+
+__all__ = ['__version__']
diff --git a/beyondtrust_privileged_remote_access/datadog_checks/beyondtrust_privileged_remote_access/data/conf.yaml.example b/beyondtrust_privileged_remote_access/datadog_checks/beyondtrust_privileged_remote_access/data/conf.yaml.example
new file mode 100644
index 0000000000000..67aedcc3062b0
--- /dev/null
+++ b/beyondtrust_privileged_remote_access/datadog_checks/beyondtrust_privileged_remote_access/data/conf.yaml.example
@@ -0,0 +1,28 @@
+## Log Section
+##
+## type - required - Type of log input source (tcp / udp / file / windows_event).
+## port / path / channel_path - required - Set port if type is tcp or udp.
+## Set path if type is file.
+## Set channel_path if type is windows_event.
+## source - required - Attribute that defines which integration sent the logs.
+## encoding - optional - For file specifies the file encoding. Default is utf-8. Other
+## possible values are utf-16-le and utf-16-be.
+## service - optional - The name of the service that generates the log.
+## Overrides any `service` defined in the `init_config` section.
+## tags - optional - Add tags to the collected logs.
+##
+## Discover Datadog log collection: https://docs.datadoghq.com/logs/log_collection/
+#
+# logs:
+# - type: tcp
+# port:
+# source: beyondtrust-privileged-remote-access
+# service: beyondtrust-privileged-remote-access
+# log_processing_rules:
+# - type: include_at_match
+# name: include_pra_logs
+# pattern: BG
+# - type: mask_sequences
+# name: remove_subsequent_segment_headers
+# replace_placeholder: ''
+# pattern: '\\n(<\d+>)?\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\w+\s+[A-Z]+\[\d+\]\s+\d+:([0-9])?[2-9]+:\d+:'
diff --git a/beyondtrust_privileged_remote_access/images/beyondtrust_pra_authentication_and_access_management_dark.png b/beyondtrust_privileged_remote_access/images/beyondtrust_pra_authentication_and_access_management_dark.png
new file mode 100644
index 0000000000000..7ec6b7dc34536
Binary files /dev/null and b/beyondtrust_privileged_remote_access/images/beyondtrust_pra_authentication_and_access_management_dark.png differ
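Review bot: The `mask_sequences` pattern on the last line of the hunk never strips a continuation header whose segment counter ends in 0 or 1 (`10`, `11`, `20`, `21`, …), because `\d+:([0-9])?[2-9]+:\d+:` forces the counter's final digit into `[2-9]`, so only `02`–`09`, `12`–`19`, `22`–`29` and so on are removed. Any message split into ten or more segments would therefore keep a raw `<pri>Mon dd hh:mm:ss host BG[pid] site:10:NN:` fragment inside the reassembled line, which presumably corrupts whatever key=value field straddles it. An explicit range that excludes only `0`/`1`/`00`/`01` fixes this without lookahead (RE2-style engines such as the Agent's do not support it): `pattern: '\\n(<\d+>)?\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\w+\s+[A-Z]+\[\d+\]\s+\d+:(0?[2-9]|[1-9]\d+):\d+:'`. The mixed escaping on that same line (`\\n` beside single-backslash `\d`/`\w`) also deserves a one-line comment saying whether a literal `\n` escape or a real newline is intended, since inside a single-quoted YAML scalar `\\n` reaches the engine as backslash-backslash-n and matches the two characters `\n`, not a line break. Separately, `pattern: BG` in `include_at_match` is unanchored and admits any line containing those two letters anywhere (a hostname or e-mail, for instance); anchoring it to the header, e.g. `pattern: '\sBG\[\d+\]\s\d+:\d+:\d+:'`, keeps the intent while excluding unrelated syslog traffic on the same port.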
diff --git a/beyondtrust_privileged_remote_access/images/beyondtrust_pra_authentication_and_access_management_light.png b/beyondtrust_privileged_remote_access/images/beyondtrust_pra_authentication_and_access_management_light.png
new file mode 100644
index 0000000000000..d27fe467430e6
Binary files /dev/null and b/beyondtrust_privileged_remote_access/images/beyondtrust_pra_authentication_and_access_management_light.png differ
diff --git a/beyondtrust_privileged_remote_access/images/beyondtrust_pra_identity_and_user_activity_dark.png b/beyondtrust_privileged_remote_access/images/beyondtrust_pra_identity_and_user_activity_dark.png
new file mode 100644
index 0000000000000..23b1024c201ae
Binary files /dev/null and b/beyondtrust_privileged_remote_access/images/beyondtrust_pra_identity_and_user_activity_dark.png differ
diff --git a/beyondtrust_privileged_remote_access/images/beyondtrust_pra_identity_and_user_activity_light.png b/beyondtrust_privileged_remote_access/images/beyondtrust_pra_identity_and_user_activity_light.png
new file mode 100644
index 0000000000000..a46058aed0d7e
Binary files /dev/null and b/beyondtrust_privileged_remote_access/images/beyondtrust_pra_identity_and_user_activity_light.png differ
diff --git a/beyondtrust_privileged_remote_access/images/beyondtrust_pra_network_and_platform_security_dark.png b/beyondtrust_privileged_remote_access/images/beyondtrust_pra_network_and_platform_security_dark.png
new file mode 100644
index 0000000000000..5cace0c6f3029
Binary files /dev/null and b/beyondtrust_privileged_remote_access/images/beyondtrust_pra_network_and_platform_security_dark.png differ
diff --git a/beyondtrust_privileged_remote_access/images/beyondtrust_pra_network_and_platform_security_light.png b/beyondtrust_privileged_remote_access/images/beyondtrust_pra_network_and_platform_security_light.png
new file mode 100644
index 0000000000000..0991c7802fca1
Binary files /dev/null and b/beyondtrust_privileged_remote_access/images/beyondtrust_pra_network_and_platform_security_light.png differ
diff --git a/beyondtrust_privileged_remote_access/images/beyondtrust_pra_overview_dark.png b/beyondtrust_privileged_remote_access/images/beyondtrust_pra_overview_dark.png
new file mode 100644
index 0000000000000..cf6b26771dbbc
Binary files /dev/null and b/beyondtrust_privileged_remote_access/images/beyondtrust_pra_overview_dark.png differ
diff --git a/beyondtrust_privileged_remote_access/images/beyondtrust_pra_overview_light.png b/beyondtrust_privileged_remote_access/images/beyondtrust_pra_overview_light.png
new file mode 100644
index 0000000000000..22895636efdaf
Binary files /dev/null and b/beyondtrust_privileged_remote_access/images/beyondtrust_pra_overview_light.png differ
diff --git a/beyondtrust_privileged_remote_access/manifest.json b/beyondtrust_privileged_remote_access/manifest.json
new file mode 100644
index 0000000000000..bd04429a3b608
--- /dev/null
+++ b/beyondtrust_privileged_remote_access/manifest.json
@@ -0,0 +1,92 @@
+{
+ "manifest_version": "2.0.0",
+ "app_uuid": "b8fc3cea-9653-4852-905e-e6d340070b9f",
+ "app_id": "beyondtrust-privileged-remote-access",
+ "owner": "agent-integrations",
+ "display_on_public_website": false,
+ "tile": {
+ "overview": "README.md#Overview",
+ "configuration": "README.md#Setup",
+ "support": "README.md#Support",
+ "changelog": "CHANGELOG.md",
+ "description": "Gain insights into BeyondTrust Privileged Remote Access logs.",
+ "title": "BeyondTrust Privileged Remote Access",
+ "media": [
+ {
+ "caption": "BeyondTrust PRA Overview",
+ "image_url": "images/beyondtrust_pra_overview_light.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "BeyondTrust PRA Overview",
+ "image_url": "images/beyondtrust_pra_overview_dark.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "BeyondTrust PRA Authentication and Access Management",
+ "image_url": "images/beyondtrust_pra_authentication_and_access_management_light.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "BeyondTrust PRA Authentication and Access Management",
+ "image_url": "images/beyondtrust_pra_authentication_and_access_management_dark.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "BeyondTrust PRA Network & Platform Security",
+ "image_url": "images/beyondtrust_pra_network_and_platform_security_light.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "BeyondTrust PRA Network & Platform Security",
+ "image_url": "images/beyondtrust_pra_network_and_platform_security_dark.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "BeyondTrust PRA Identity and User Activity",
+ "image_url": "images/beyondtrust_pra_identity_and_user_activity_light.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "BeyondTrust PRA Identity and User Activity",
+ "image_url": "images/beyondtrust_pra_identity_and_user_activity_dark.png",
+ "media_type": "image"
+ }
+ ],
+ "classifier_tags": [
+ "Category::Log Collection",
+ "Category::Security",
+ "Offering::Integration",
+ "Submitted Data Type::Logs",
+ "Category::Network"
+ ]
+ },
+ "assets": {
+ "integration": {
+ "auto_install": true,
+ "source_type_id": 67604620,
+ "source_type_name": "BeyondTrust Privileged Remote Access",
+ "configuration": {
+ "spec": "assets/configuration/spec.yaml"
+ },
+ "events": {
+ "creates_events": false
+ }
+ },
+ "dashboards": {
+ "BeyondTrust PRA Overview": "assets/dashboards/beyondtrust_pra_overview.json",
+ "BeyondTrust PRA Authentication and Access Management": "assets/dashboards/beyondtrust_pra_authentication_and_access_management.json",
+ "BeyondTrust PRA Network & Platform Security": "assets/dashboards/beyondtrust_pra_network_and_platform_security.json",
+ "BeyondTrust PRA Identity and User Activity": "assets/dashboards/beyondtrust_pra_identity_and_user_activity.json"
+ },
+ "logs": {
+ "source": "beyondtrust-privileged-remote-access"
+ }
+ },
+ "author": {
+ "support_email": "help@datadoghq.com",
+ "name": "Datadog",
+ "homepage": "https://www.datadoghq.com",
+ "sales_email": "info@datadoghq.com"
+ }
+}
diff --git a/beyondtrust_privileged_remote_access/pyproject.toml b/beyondtrust_privileged_remote_access/pyproject.toml
new file mode 100644
index 0000000000000..6993c9fdbd23f
--- /dev/null
+++ b/beyondtrust_privileged_remote_access/pyproject.toml
@@ -0,0 +1,59 @@
+[build-system]
+requires = [
+ "hatchling>=0.13.0",
+]
+build-backend = "hatchling.build"
+
+[project]
+name = "datadog-beyondtrust-privileged-remote-access"
+description = "The beyondtrust_privileged_remote_access check"
+readme = "README.md"
+license = "BSD-3-Clause"
+keywords = [
+ "datadog",
+ "datadog agent",
+ "datadog check",
+ "beyondtrust_privileged_remote_access",
+]
+authors = [
+ { name = "Datadog", email = "packages@datadoghq.com" },
+]
+classifiers = [
+ "Development Status :: 5 - Production/Stable",
+ "Intended Audience :: Developers",
+ "Intended Audience :: System Administrators",
+ "License :: OSI Approved :: BSD License",
+ "Private :: Do Not Upload",
+ "Programming Language :: Python :: 3.12",
+ "Topic :: System :: Monitoring",
+]
+dependencies = [
+ "datadog-checks-base>=4.2.0",
+]
+dynamic = [
+ "version",
+]
+
+[project.optional-dependencies]
+deps = []
+
+[project.urls]
+Source = "https://github.com/DataDog/integrations-core"
+
+[tool.hatch.version]
+path = "datadog_checks/beyondtrust_privileged_remote_access/__about__.py"
+
+[tool.hatch.build.targets.sdist]
+include = [
+ "/datadog_checks",
+ "/tests",
+ "/manifest.json",
+]
+
+[tool.hatch.build.targets.wheel]
+include = [
+ "/datadog_checks/beyondtrust_privileged_remote_access",
+]
+dev-mode-dirs = [
+ ".",
+]