- Elastic integrations
- Integrations quick reference
- 1Password
- Abnormal Security
- ActiveMQ
- Active Directory Entity Analytics
- Admin By Request EPM integration
- Airflow
- Akamai
- Apache
- API (custom)
- Arbor Peakflow SP Logs
- Arista NG Firewall
- Atlassian
- Auditd
- Auth0
- authentik
- AWS
- Amazon CloudFront
- Amazon DynamoDB
- Amazon EBS
- Amazon EC2
- Amazon ECS
- Amazon EMR
- AWS API Gateway
- Amazon GuardDuty
- AWS Health
- Amazon Kinesis Data Firehose
- Amazon Kinesis Data Stream
- Amazon MQ
- Amazon Managed Streaming for Apache Kafka (MSK)
- Amazon NAT Gateway
- Amazon RDS
- Amazon Redshift
- Amazon S3
- Amazon S3 Storage Lens
- Amazon Security Lake
- Amazon SNS
- Amazon SQS
- Amazon VPC
- Amazon VPN
- AWS Bedrock
- AWS Billing
- AWS CloudTrail
- AWS CloudWatch
- AWS ELB
- AWS Fargate
- AWS Inspector
- AWS Lambda
- AWS Logs (custom)
- AWS Network Firewall
- AWS Route 53
- AWS Security Hub
- AWS Transit Gateway
- AWS Usage
- AWS WAF
- Azure
- Activity logs
- App Service
- Application Gateway
- Application Insights metrics
- Application Insights metrics overview
- Application State Insights metrics
- Azure logs (v2 preview)
- Azure OpenAI
- Billing metrics
- Container instance metrics
- Container registry metrics
- Container service metrics
- Custom Azure Logs
- Custom Blob Storage Input
- Database Account metrics
- Event Hub input
- Firewall logs
- Frontdoor
- Functions
- Microsoft Entra ID
- Monitor metrics
- Network Watcher VNet
- Network Watcher NSG
- Platform logs
- Resource metrics
- Spring Cloud logs
- Storage Account metrics
- Virtual machines metrics
- Virtual machines scaleset metrics
- Barracuda
- BeyondInsight and Password Safe Integration
- BitDefender
- Bitwarden
- blacklens.io
- Blue Coat Director Logs
- BBOT (Bighuge BLS OSINT Tool)
- Box Events
- Bravura Monitor
- Broadcom ProxySG
- Canva
- Cassandra
- CEL Custom API
- Ceph
- Check Point
- Cilium Tetragon
- CISA Known Exploited Vulnerabilities
- Cisco
- Cisco Meraki Metrics
- Citrix
- Claroty CTD
- Cloudflare
- Cloud Asset Inventory
- CockroachDB Metrics
- Common Event Format (CEF)
- Containerd
- CoreDNS
- Corelight
- Couchbase
- CouchDB
- Cribl
- CrowdStrike
- Cyberark
- Cybereason
- CylanceProtect Logs
- Custom Websocket logs
- Darktrace
- Data Exfiltration Detection
- DGA
- Digital Guardian
- Docker
- DomainTools Real Time Unified Feeds
- Elastic APM
- Elastic Fleet Server
- Elastic Security
- Elastic Stack monitoring
- Elasticsearch Service Billing
- Envoy Proxy
- ESET PROTECT
- ESET Threat Intelligence
- etcd
- Falco
- F5
- File Integrity Monitoring
- FireEye Network Security
- First EPSS
- Forcepoint Web Security
- ForgeRock
- Fortinet
- Gigamon
- GitHub
- GitLab
- Golang
- Google Cloud
- Custom GCS Input
- GCP
- GCP Audit logs
- GCP Billing metrics
- GCP Cloud Run metrics
- GCP CloudSQL metrics
- GCP Compute metrics
- GCP Dataproc metrics
- GCP DNS logs
- GCP Firestore metrics
- GCP Firewall logs
- GCP GKE metrics
- GCP Load Balancing metrics
- GCP Metrics Input
- GCP PubSub logs (custom)
- GCP PubSub metrics
- GCP Redis metrics
- GCP Security Command Center
- GCP Storage metrics
- GCP VPC Flow logs
- GCP Vertex AI
- GoFlow2 logs
- Hadoop
- HAProxy
- Hashicorp Vault
- HTTP Endpoint logs (custom)
- IBM MQ
- IIS
- Imperva
- InfluxDb
- Infoblox
- Iptables
- Istio
- Jamf Compliance Reporter
- Jamf Pro
- Jamf Protect
- Jolokia Input
- Journald logs (custom)
- JumpCloud
- Kafka
- Keycloak
- Kubernetes
- LastPass
- Lateral Movement Detection
- Linux Metrics
- Living off the Land Attack Detection
- Logs (custom)
- Lumos
- Lyve Cloud
- Mattermost
- Memcached
- Menlo Security
- Microsoft
- Microsoft 365
- Microsoft Defender for Cloud
- Microsoft Defender for Endpoint
- Microsoft DHCP
- Microsoft DNS Server
- Microsoft Entra ID Entity Analytics
- Microsoft Exchange Online Message Trace
- Microsoft Exchange Server
- Microsoft Graph Activity Logs
- Microsoft M365 Defender
- Microsoft Office 365 Metrics Integration
- Microsoft Sentinel
- Microsoft SQL Server
- Mimecast
- ModSecurity Audit
- MongoDB
- MongoDB Atlas
- MySQL
- Nagios XI
- NATS
- NetFlow Records
- Netskope
- Network Beaconing Identification
- Network Packet Capture
- Nginx
- Okta
- Oracle
- OpenAI
- OpenCanary
- Osquery
- Palo Alto
- pfSense
- PHP-FPM
- PingOne
- PingFederate
- Pleasant Password Server
- PostgreSQL
- Prometheus
- Proofpoint TAP
- Proofpoint On Demand
- Pulse Connect Secure
- Qualys VMDR
- QNAP NAS
- RabbitMQ Logs
- Radware DefensePro Logs
- Rapid7
- Redis
- Rubrik RSC Metrics Integration
- Sailpoint Identity Security Cloud
- Salesforce
- SentinelOne
- ServiceNow
- Slack Logs
- Snort
- Snyk
- SonicWall Firewall
- Sophos
- Spring Boot
- SpyCloud Enterprise Protection
- SQL Input
- Squid Logs
- SRX
- STAN
- Statsd Input
- Sublime Security
- Suricata
- StormShield SNS
- Symantec
- Symantec Endpoint Security
- Sysmon for Linux
- Sysdig
- Syslog Router Integration
- System
- System Audit
- Tanium
- TCP Logs (custom)
- Teleport
- Tenable
- Threat intelligence
- ThreatConnect
- Threat Map
- Thycotic Secret Server
- Tines
- Traefik
- Trellix
- Trend Micro
- TYCHON Agentless
- UDP Logs (custom)
- Universal Profiling
- Vectra Detect
- VMware
- WatchGuard Firebox
- WebSphere Application Server
- Windows
- Wiz
- Zeek
- ZeroFox
- Zero Networks
- ZooKeeper Metrics
- Zoom
- Zscaler
BeyondInsight and Password Safe Integration
editBeyondInsight and Password Safe Integration
editVersion |
0.3.0 [beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. (View all) |
Compatible Kibana version(s) |
8.15.3 or higher |
Supported Serverless project types |
Security |
Subscription level |
Basic |
Level of support |
Elastic |
BeyondInsight and Password Safe enable real-time monitoring of privileged account access, session recordings, and password checkout patterns to help security teams maintain compliance and quickly identify potential privilege abuse.
Data Streams
edit-
userauditProvides audit data for users that includes user actions like login, logout, password change, etc., on a machine. This data stream utilizes the BeyondInsight and Password Safe API’s/v3/UserAuditsendpoint. -
sessionProvides details on active sessions and their status with duration for an asset. This data stream utilizes the BeyondInsight and Password Safe API’s/v3/Sessionsendpoint. -
managedsystemProvides a list of managed systems. This data stream utilizes the BeyondInsight and Password Safe API’s/v3/ManagedSystemsendpoint. -
managedaccountProvides a list of managed accounts. This data stream utilizes the BeyondInsight and Password Safe API’s/v3/ManagedAccountsendpoint. -
assetProvides a list of assets. This data stream utilizes the BeyondInsight and Password Safe API’s/v3/assetsendpoint.
Requirements
editConfigure API Registration
editAdministrators can configure API key-based API registration in BeyondInsight and Password Safe. To configure the BeyondInsight and Password Safe integration, a BeyondInsight administrator needs to create an API registration and provide an API key, a username and (depending on configuration) the user’s password. In order to create the registration, the administrator may need to know the IP address of the Elastic Agent that will run the integration.
Add an API Key Policy API Registration
editHaving an admin account with beyondtrust, create an API registration as mentioned below
Create an API key policy API registration:
editLogin in to application and go to Configuration > General > API Registrations.
Click Create API Registration.
Add Authentication Options and Rules on the API Registration Details page.
Select API Key Policy from the dropdown list. The Details screen is displayed. Fill out the new API registration details, as detailed below:
If checked User Password Required option - an additional Authorization header value containing the RunAs user password is required with the web request. If not enabled, this header value does not need to be present and is ignored if provided.
Use API key with usernanme and password (if password option is opted while registration) to access the APIs. We donot use oAuth method in this integration.
Logs
editUserAudit
editUserAudit documents can be found by setting the filter event.dataset :"beyondinsight_password_safe.useraudit".
Example
An example event for useraudit looks as following:
{ "@timestamp": "2025-01-22T18:19:25.637Z", "agent": { "ephemeral_id": "f94c5e7a-6c1c-44dd-88a4-9745f5ee5af2", "id": "fd188fac-3736-4ead-b591-2ffe3fedad55", "name": "elastic-agent-49819", "type": "filebeat", "version": "8.15.0" }, "beyondinsight_password_safe": { "useraudit": { "action_type": "Login", "audit_id": 1, "create_date": "2025-01-22T18:19:25.637Z", "ipaddress": "81.2.69.142", "section": "PMM API SignAppIn", "user_id": 1, "user_name": "Administrator" } }, "data_stream": { "dataset": "beyondinsight_password_safe.useraudit", "namespace": "83646", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "fd188fac-3736-4ead-b591-2ffe3fedad55", "snapshot": false, "version": "8.15.0" }, "event": { "agent_id_status": "verified", "category": [ "iam" ], "dataset": "beyondinsight_password_safe.useraudit", "ingested": "2025-01-23T19:44:13Z", "kind": "event", "module": "beyondinsight_password_safe", "type": [ "info" ] }, "event.original": "{\"ActionType\":\"Login\",\"AuditID\":1,\"CreateDate\":\"2025-01-22T18:19:25.637Z\",\"IPAddress\":\"81.2.69.142\",\"Section\":\"PMM API SignAppIn\",\"UserID\":1,\"UserName\":\"Administrator\"}", "host": { "geo": { "city_name": "London", "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", "location": { "lat": 51.5142, "lon": -0.0931 }, "region_iso_code": "GB-ENG", "region_name": "England" }, "ip": [ "81.2.69.142" ] }, "input": { "type": "cel" }, "related": { "hosts": [ "81.2.69.142" ], "user": [ "Administrator" ] }, "tags": [ "forwarded", "beyondinsight_password_safe.useraudit" ], "user": { "id": "1", "name": "Administrator" } }
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
The following non-ECS fields are used in useraudit documents:
Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp |
Event timestamp. |
date |
beyondinsight_password_safe.useraudit.action_type |
Action performed by the user (e.g., Login, Logout) |
keyword |
beyondinsight_password_safe.useraudit.audit_id |
Unique identifier for the audit event |
keyword |
beyondinsight_password_safe.useraudit.create_date |
Timestamp of when the user action was created |
date |
beyondinsight_password_safe.useraudit.ipaddress |
IP address from which the user action originated |
keyword |
beyondinsight_password_safe.useraudit.section |
Section or feature where the action took place |
keyword |
beyondinsight_password_safe.useraudit.user_id |
Unique identifier for the user |
keyword |
beyondinsight_password_safe.useraudit.user_name |
Username of the user performing the action |
keyword |
data_stream.dataset |
Data stream dataset. |
constant_keyword |
data_stream.namespace |
Data stream namespace. |
constant_keyword |
data_stream.type |
Data stream type. |
constant_keyword |
input.type |
Input type. |
keyword |
Session
editSession documents can be found by setting the filter event.dataset :"beyondinsight_password_safe.session".
Example
An example event for session looks as following:
{ "@timestamp": "2025-01-27T17:12:48.443Z", "agent": { "ephemeral_id": "916661e9-ed15-4d6f-bfcf-5c5704a5c1ec", "id": "650cd1fc-0c46-4ef4-b269-1112fb37690e", "name": "elastic-agent-17681", "type": "filebeat", "version": "8.15.0" }, "beyondinsight_password_safe": { "session": { "archive_status": "not_archived", "asset_name": "localhost", "duration": 0, "managed_account_name": "example.com\\sdfsfdf", "managed_system_id": 13, "node_id": "a5c29153-b351-41f1-a12b-0c4da9408d79", "protocol": "rdp", "record_key": "3958d725d16119a95e64af424a7f8dfsf13f1fgffbe4a6cd34earwr324454bcecce70ee37cbaed", "session_id": 1, "status": "not_started", "user_id": 6 } }, "data_stream": { "dataset": "beyondinsight_password_safe.session", "namespace": "97390", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "650cd1fc-0c46-4ef4-b269-1112fb37690e", "snapshot": false, "version": "8.15.0" }, "event": { "agent_id_status": "verified", "category": [ "session" ], "dataset": "beyondinsight_password_safe.session", "duration": 0, "id": "1", "ingested": "2025-01-27T17:12:51Z", "kind": "event", "module": "beyondinsight_password_safe", "type": [ "info" ] }, "input": { "type": "cel" }, "network": { "protocol": [ "rdp" ] }, "related": { "user": [ "6" ] }, "tags": [ "forwarded", "beyondinsight_password_safe.session" ] }
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
The following non-ECS fields are used in session documents:
Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp |
Event timestamp. |
date |
beyondinsight_password_safe.session.archive_status |
Session archive status (applicable only when Session Archiving is enabled and configured) |
keyword |
beyondinsight_password_safe.session.asset_name |
Name of the asset |
keyword |
beyondinsight_password_safe.session.duration |
Duration of the session in seconds |
integer |
beyondinsight_password_safe.session.end_time |
End date/time of the session |
date |
beyondinsight_password_safe.session.managed_account_id |
ID of the target managed account |
integer |
beyondinsight_password_safe.session.managed_account_name |
Name of the target managed account |
keyword |
beyondinsight_password_safe.session.managed_system_id |
ID of the target managed system |
integer |
beyondinsight_password_safe.session.node_id |
ID of the session node |
keyword |
beyondinsight_password_safe.session.protocol |
Protocol used for the session |
keyword |
beyondinsight_password_safe.session.record_key |
Record key use for the session replay |
keyword |
beyondinsight_password_safe.session.session_id |
ID of the session |
keyword |
beyondinsight_password_safe.session.start_time |
Start date/time of the session |
date |
beyondinsight_password_safe.session.status |
Status of the session |
keyword |
beyondinsight_password_safe.session.user_id |
ID of the user |
keyword |
data_stream.dataset |
Data stream dataset. |
constant_keyword |
data_stream.namespace |
Data stream namespace. |
constant_keyword |
data_stream.type |
Data stream type. |
constant_keyword |
event.dataset |
constant_keyword |
|
event.module |
constant_keyword |
|
input.type |
Input type |
keyword |
ManagedSystem
editManagedSystem documents can be found by setting the filter event.dataset :"beyondinsight_password_safe.managedsystem".
Example
An example event for managedsystem looks as following:
{ "@timestamp": "2025-01-22T15:49:41.840Z", "agent": { "ephemeral_id": "7e0dfb55-466e-46e3-9e71-7a4795e090c0", "id": "e655de3d-fd7b-4d3d-a45c-345d2af423f9", "name": "elastic-agent-92943", "type": "filebeat", "version": "8.15.0" }, "beyondinsight_password_safe": { "managedsystem": { "account_name_format": 0, "asset_id": 13, "auto_management_flag": true, "change_frequency_days": 30, "change_frequency_type": "first", "change_password_after_any_release_flag": false, "change_time": "23:30", "check_password_flag": false, "dns_name": "AardvarkAgreement.example.com", "dsskey_rule_id": 0, "entity_type_id": 1, "functional_account_id": 14, "host_name": "AardvarkAgreement", "ipaddress": "172.16.152.110", "is_application_host": false, "isarelease_duration": 120, "managed_system_id": 13, "max_release_duration": 525600, "password_rule_id": 0, "platform_id": 4, "release_duration": 120, "remote_client_type": "None", "reset_password_on_mismatch_flag": false, "ssh_key_enforcement_mode": "None", "system_name": "AardvarkAgreement", "timeout": 30, "workgroup_id": 1 } }, "data_stream": { "dataset": "beyondinsight_password_safe.managedsystem", "namespace": "58943", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "e655de3d-fd7b-4d3d-a45c-345d2af423f9", "snapshot": false, "version": "8.15.0" }, "event": { "agent_id_status": "verified", "category": [ "iam" ], "dataset": "beyondinsight_password_safe.managedsystem", "ingested": "2025-01-22T15:49:44Z", "kind": "asset", "module": "beyondinsight_password_safe", "type": [ "info" ] }, "host": { "domain": "AardvarkAgreement.example.com", "ip": [ "172.16.152.110", "172.16.152.110" ], "name": "AardvarkAgreement" }, "input": { "type": "cel" }, "related": { "hosts": [ "AardvarkAgreement", "AardvarkAgreement.example.com", "172.16.152.110" ] }, "tags": [ "forwarded", "beyondinsight_password_safe.managedsystem" ] }
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
The following non-ECS fields are used in managedsystem documents:
Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp |
Event timestamp. |
date |
beyondinsight_password_safe.managedsystem.access_url |
URL used for cloud access. |
keyword |
beyondinsight_password_safe.managedsystem.account_name_format |
Format of the account name. |
integer |
beyondinsight_password_safe.managedsystem.application_host_id |
Managed system ID of the target application host. |
integer |
beyondinsight_password_safe.managedsystem.asset_id |
Asset ID; set if the managed system is an asset or a database. |
integer |
beyondinsight_password_safe.managedsystem.auto_management_flag |
True if password auto-management is enabled, otherwise false. |
boolean |
beyondinsight_password_safe.managedsystem.change_frequency_days |
Number of days for scheduled password changes when ChangeFrequencyType is xdays. |
integer |
beyondinsight_password_safe.managedsystem.change_frequency_type |
The change frequency for scheduled password changes. |
keyword |
beyondinsight_password_safe.managedsystem.change_password_after_any_release_flag |
True to change passwords on release of a request, otherwise false. |
boolean |
beyondinsight_password_safe.managedsystem.change_time |
UTC time of day for scheduled password changes in 24hr format. |
keyword |
beyondinsight_password_safe.managedsystem.check_password_flag |
True to enable password testing, otherwise false. |
boolean |
beyondinsight_password_safe.managedsystem.cloud_id |
Cloud system ID; set if the managed system is a cloud system. |
integer |
beyondinsight_password_safe.managedsystem.contact_email |
Contact email for the managed system. |
keyword |
beyondinsight_password_safe.managedsystem.database_id |
Database ID; set if the managed system is a database. |
integer |
beyondinsight_password_safe.managedsystem.description |
Description of the managed system. |
keyword |
beyondinsight_password_safe.managedsystem.directory_id |
Directory ID; set if the managed system is a directory. |
integer |
beyondinsight_password_safe.managedsystem.dns_name |
DNS name of the managed system. |
keyword |
beyondinsight_password_safe.managedsystem.dsskey_rule_id |
ID of the default DSS key rule assigned to managed accounts. |
integer |
beyondinsight_password_safe.managedsystem.elevation_command |
Elevation command to use (sudo, pbrun, pmrun). |
keyword |
beyondinsight_password_safe.managedsystem.entity_type_id |
ID of the entity type. |
integer |
beyondinsight_password_safe.managedsystem.forest_name |
Forest name of the managed system. |
keyword |
beyondinsight_password_safe.managedsystem.functional_account_id |
ID of the functional account used for local managed account password changes. |
integer |
beyondinsight_password_safe.managedsystem.host_name |
Host name of the managed system. |
keyword |
beyondinsight_password_safe.managedsystem.instance_name |
Instance name of the managed system. |
keyword |
beyondinsight_password_safe.managedsystem.ipaddress |
IP address of the managed system. |
ip |
beyondinsight_password_safe.managedsystem.is_application_host |
True if the managed system can be used as an application host, otherwise false. |
boolean |
beyondinsight_password_safe.managedsystem.is_default_instance |
True if this is the default instance, otherwise false. |
boolean |
beyondinsight_password_safe.managedsystem.isarelease_duration |
Default Information Systems Administrator (ISA) release duration in minutes. |
integer |
beyondinsight_password_safe.managedsystem.login_account_id |
ID of the functional account used for SSH session logins. |
integer |
beyondinsight_password_safe.managedsystem.managed_system_id |
ID of the managed system. |
integer |
beyondinsight_password_safe.managedsystem.max_release_duration |
Default maximum release duration in minutes. |
integer |
beyondinsight_password_safe.managedsystem.net_bios_name |
Domain NetBIOS name for managed domains. |
keyword |
beyondinsight_password_safe.managedsystem.oracle_internet_directory_id |
ID of the Oracle Internet Directory. |
integer |
beyondinsight_password_safe.managedsystem.oracle_internet_directory_service_name |
Service name of the Oracle Internet Directory. |
keyword |
beyondinsight_password_safe.managedsystem.password_rule_id |
ID of the default password rule assigned to managed accounts. |
integer |
beyondinsight_password_safe.managedsystem.platform_id |
ID of the managed system platform. |
integer |
beyondinsight_password_safe.managedsystem.port |
Port used to connect to the host. |
integer |
beyondinsight_password_safe.managedsystem.release_duration |
Default release duration in minutes. |
integer |
beyondinsight_password_safe.managedsystem.remote_client_type |
Type of remote client to use. |
keyword |
beyondinsight_password_safe.managedsystem.reset_password_on_mismatch_flag |
True to queue a password change when scheduled password test fails, otherwise false. |
boolean |
beyondinsight_password_safe.managedsystem.ssh_key_enforcement_mode |
Enforcement mode for SSH host keys. |
integer |
beyondinsight_password_safe.managedsystem.system_name |
Name of the related entity (asset, directory, database, or cloud). |
keyword |
beyondinsight_password_safe.managedsystem.template |
Template used for the managed system. |
keyword |
beyondinsight_password_safe.managedsystem.timeout |
Connection timeout in seconds. |
integer |
beyondinsight_password_safe.managedsystem.use_ssl |
True if SSL is used, otherwise false. |
boolean |
beyondinsight_password_safe.managedsystem.workgroup_id |
ID of the workgroup. |
integer |
data_stream.dataset |
Data stream dataset. |
constant_keyword |
data_stream.namespace |
Data stream namespace. |
constant_keyword |
data_stream.type |
Data stream type. |
constant_keyword |
event.dataset |
constant_keyword |
|
event.module |
constant_keyword |
|
input.type |
Input type |
keyword |
ManagedAccount
editManagedAccount documents can be found by setting the filter event.dataset :"beyondinsight_password_safe.managedaccount".
Example
An example event for managedaccount looks as following:
{ "@timestamp": "2025-01-22T15:47:07.350Z", "agent": { "ephemeral_id": "8e90d693-2bf1-4497-aa44-b16c1aaa7922", "id": "0d069a70-4ddf-49b5-a799-1f87aeb898a6", "name": "elastic-agent-76169", "type": "filebeat", "version": "8.15.0" }, "beyondinsight_password_safe": { "managedaccount": { "account_id": "5", "account_name": "MacdonaldP.Irene", "application_display_name": "AccountingApp", "application_id": 123, "change_state": 2, "default_release_duration": 120, "domain_name": "example.com", "instance_name": "Primary", "is_changing": false, "is_isaaccess": true, "last_change_date": "2024-12-10T08:57:45.900Z", "maximum_release_duration": 525600, "next_change_date": "2024-12-12T00:00:00.000Z", "platform_id": 4, "preferred_node_id": "2ca45774-d4e0-4b8f-9b52-3f52b78ae2ca", "system_id": "5", "system_name": "KittenGrowth", "user_principal_name": "irene@example.com" } }, "data_stream": { "dataset": "beyondinsight_password_safe.managedaccount", "namespace": "66946", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "0d069a70-4ddf-49b5-a799-1f87aeb898a6", "snapshot": false, "version": "8.15.0" }, "event": { "agent_id_status": "verified", "category": [ "iam" ], "dataset": "beyondinsight_password_safe.managedaccount", "ingested": "2025-01-22T15:47:10Z", "kind": "event", "module": "beyondinsight_password_safe", "type": [ "info" ] }, "host": { "domain": "example.com", "hostname": [ "KittenGrowth" ], "id": "5" }, "input": { "type": "cel" }, "related": { "hosts": [ "KittenGrowth", "5", "example.com" ], "user": [ "5", "MacdonaldP.Irene", "irene@example.com" ] }, "tags": [ "forwarded", "beyondinsight_password_safe.managedaccount" ], "user": { "email": "irene@example.com", "id": "5", "name": "MacdonaldP.Irene" } }
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
The following non-ECS fields are used in managedaccount documents:
Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp |
Event timestamp. |
date |
beyondinsight_password_safe.managedaccount.account_id |
ID of the managed account. |
keyword |
beyondinsight_password_safe.managedaccount.account_name |
Name of the managed account. |
keyword |
beyondinsight_password_safe.managedaccount.application_display_name |
Display name of the application for application-based access. |
keyword |
beyondinsight_password_safe.managedaccount.application_id |
ID of the application for application-based access. |
keyword |
beyondinsight_password_safe.managedaccount.change_state |
The change state of the account credentials. |
integer |
beyondinsight_password_safe.managedaccount.default_release_duration |
Default release duration (minutes). |
integer |
beyondinsight_password_safe.managedaccount.domain_name |
The domain name for a domain-type account. |
keyword |
beyondinsight_password_safe.managedaccount.instance_name |
Database instance name of a database-type managed system, or empty for the default instance. |
keyword |
beyondinsight_password_safe.managedaccount.is_changing |
True if the account credentials are in the process of changing, otherwise false. |
boolean |
beyondinsight_password_safe.managedaccount.is_isaaccess |
True if the account is for Information Systems Administrator (ISA) access, otherwise false. |
boolean |
beyondinsight_password_safe.managedaccount.last_change_date |
The date and time of the last password change. |
date |
beyondinsight_password_safe.managedaccount.maximum_release_duration |
Maximum release duration (minutes). |
integer |
beyondinsight_password_safe.managedaccount.next_change_date |
The date and time of the next password change. |
date |
beyondinsight_password_safe.managedaccount.platform_id |
ID of the managed system platform. |
keyword |
beyondinsight_password_safe.managedaccount.preferred_node_id |
ID of the node that is preferred for establishing sessions. If no node is preferred, returns the local node ID. |
keyword |
beyondinsight_password_safe.managedaccount.system_id |
ID of the managed system. |
keyword |
beyondinsight_password_safe.managedaccount.system_name |
Name of the managed system. |
keyword |
beyondinsight_password_safe.managedaccount.user_principal_name |
User Principal Name of the managed account. |
keyword |
data_stream.dataset |
Data stream dataset. |
constant_keyword |
data_stream.namespace |
Data stream namespace. |
constant_keyword |
data_stream.type |
Data stream type. |
constant_keyword |
event.dataset |
constant_keyword |
|
event.module |
constant_keyword |
|
input.type |
Input type |
keyword |
Asset
editAsset documents can be found by setting the filter event.dataset :"beyondinsight_password_safe.asset".
Example
An example event for asset looks as following:
{ "@timestamp": "2024-11-20T06:35:49.927Z", "agent": { "ephemeral_id": "ee5bb248-a156-4a58-9ff2-5cf0db711952", "id": "9d14623d-4f5b-4917-9921-c93862af36a1", "name": "elastic-agent-38826", "type": "filebeat", "version": "8.15.0" }, "beyondinsight_password_safe": { "asset": { "asset_id": 2, "asset_name": "EPINHYDW002A", "asset_type": "WorkStation", "create_date": "2024-11-20T06:12:21.047Z", "dns_name": "EPINHYDW002A", "domain_name": "Unknown", "ipaddress": "81.2.69.142", "last_update_date": "2024-11-20T06:35:49.927Z", "operating_system": "Windows 11 Enterprise", "workgroup_id": 1 } }, "data_stream": { "dataset": "beyondinsight_password_safe.asset", "namespace": "25291", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "9d14623d-4f5b-4917-9921-c93862af36a1", "snapshot": false, "version": "8.15.0" }, "event": { "agent_id_status": "verified", "category": [ "host" ], "dataset": "beyondinsight_password_safe.asset", "ingested": "2025-01-30T07:19:04Z", "kind": "asset", "module": "beyondinsight_password_safe", "type": [ "info" ] }, "host": { "domain": "Unknown", "geo": { "city_name": "London", "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", "location": { "lat": 51.5142, "lon": -0.0931 }, "region_iso_code": "GB-ENG", "region_name": "England" }, "ip": [ "81.2.69.142", "81.2.69.142" ] }, "input": { "type": "cel" }, "os": { "name": "Windows 11 Enterprise" }, "related": { "hosts": [ "Unknown", "81.2.69.142" ] }, "tags": [ "forwarded", "beyondinsight_password_safe.asset" ] }
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
The following non-ECS fields are used in asset documents:
Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp |
Event timestamp. |
date |
beyondinsight_password_safe.asset.asset_id |
Unique identifier for the asset |
keyword |
beyondinsight_password_safe.asset.asset_name |
Name of the asset |
keyword |
beyondinsight_password_safe.asset.asset_type |
Type of the asset |
keyword |
beyondinsight_password_safe.asset.create_date |
Date the asset was created |
date |
beyondinsight_password_safe.asset.dns_name |
DNS name of the asset |
keyword |
beyondinsight_password_safe.asset.domain_name |
Domain name of the asset |
keyword |
beyondinsight_password_safe.asset.ipaddress |
IP address of the asset |
ip |
beyondinsight_password_safe.asset.last_update_date |
Date the asset was last updated |
date |
beyondinsight_password_safe.asset.mac_address |
MAC address of the asset |
keyword |
beyondinsight_password_safe.asset.operating_system |
Operating system of the asset |
keyword |
beyondinsight_password_safe.asset.workgroup_id |
Unique identifier for the workgroup |
keyword |
data_stream.dataset |
Data stream dataset. |
constant_keyword |
data_stream.namespace |
Data stream namespace. |
constant_keyword |
data_stream.type |
Data stream type. |
constant_keyword |
event.dataset |
constant_keyword |
|
event.module |
constant_keyword |
|
input.type |
Input type |
keyword |
Changelog
editChangelog
| Version | Details | Kibana version(s) |
|---|---|---|
0.3.0 |
Enhancement (View pull request) |
— |
0.2.1 |
Bug fix (View pull request) |
— |
0.2.0 |
Enhancement (View pull request) |
— |
0.1.0 |
Enhancement (View pull request) |
— |
On this page