Third Party Integration Guide - BeyondTrust

BeyondInsight Third Party Integration Guide Version 6.4 – February 2018


Revision/Update Information: February 2018
Software Version: BeyondInsight 6.4
Revision Number: 0

CORPORATE HEADQUARTERS

5090 N. 40th Street
Phoenix, AZ 85018
Phone: 1 818-575-4000

COPYRIGHT NOTICE

Copyright © 2018 BeyondTrust Software, Inc. All rights reserved.
The information contained in this document is subject to change without notice.

No part of this document may be photocopied, reproduced or copied or translated in any manner to another language without the prior written consent of BeyondTrust Software.

BeyondTrust Software is not liable for errors contained herein or for any direct, indirect, special, incidental or consequential damages, including lost profit or lost data, whether based on warranty, contract, tort, or any other legal theory in connection with the furnishing, performance, or use of this material.

All brand names and product names used in this document are trademarks, registered trademarks, or trade names of their respective holders. BeyondTrust Software is not associated with any other vendors or products mentioned in this document.

Contents

Introduction
    Documentation for BeyondInsight
    Contacting Support
        Telephone
            Privileged Account Management Support
            Vulnerability Management Support
            All other Regions:
        Online
Overview
    BeyondTrust Integration Points
    Event Log Forwarding
    SNMP Trap Forwarding
BMC Remedy
    Creating a Connector to your BMC Remedy Server
    Creating a Smart Group
    Exporting the Data
Exabeam
FireEye
HP ArcSight
IBM QRadar
Kenna API Connector
LogRhythm Syslog
McAfee Syslog
NetIQ Sentinel
Palo Alto
STIX / TAXII Connector
SailPoint
    Overview
    Create the Connector
    Create a SailPoint User Group
    Viewing Permissions in IdentityIQ
ServiceNow Asset Import Connector
    Configuring the Connector
    Creating a Smart Group
    Changing the Batch Size Limit
ServiceNow Export Connector
    Example Configurations
        Export Assets
        Export Vulnerabilities
        Export Assets and Export Vulnerabilities both checked
    Configuring the Connector
    Creating a Smart Group
    Changing the Processing Frequency
    Importing the BeyondInsight Update Set
Splunk
    Configuring the Connector
    Viewing Events in Splunk
        Examples
Syslog Connector
Third Party Credential Provider
    Prerequisites
    Managing Credentials in BeyondInsight
Universal Connector

Introduction

This guide provides instructions for using third party connectors to BeyondInsight.

This section includes a list of documentation for the product and where to get additional product information.

Documentation for BeyondInsight

The complete BeyondInsight documentation set includes the following:

• BeyondInsight Installation Guide

• BeyondInsight User Guide

• BeyondInsight Analytics and Reporting User Guide

• BeyondInsight Third Party Integration Guide

If you are working with any of the BeyondInsight modules, refer to the product documentation for additional information about that module.

Contacting Support

For support, go to our Customer Portal then follow the link to the product you need assistance with.

The Customer Portal contains information regarding contacting Technical Support by telephone and chat, along with product downloads, product installers, license management, account, latest product releases, product documentation, webcasts and product demos.

Telephone

Privileged Account Management Support

Within Continental United States: 800.234.9072
Outside Continental United States: 818.575.4040

Vulnerability Management Support

North/South America: 866.529.2201 | 949.333.1997 + enter access code

All other Regions:

Standard Support: 949.333.1995 + enter access code

Platinum Support: 949.333.1996 + enter access code

Online

http://www.beyondtrust.com/Resources/Support/


Overview

The BeyondInsight management console enables teams to centrally manage organization-wide IT security and compliance initiatives from a single, web-based console. It provides discovery, prioritization, and remediation of security risks by delivering what matters the most – context.

BeyondInsight is the centerpiece of the BeyondTrust vision of Context Aware Security Intelligence which helps organizations answer the most pressing questions in security – what to fix first, what to fix next and why.

BeyondInsight does this through unmatched security intelligence and analytics for your entire IT landscape.

This document is intended to discuss the complementary technologies that Retina, PB EPP, PBW, PBUL, PBPS, and BeyondInsight offer to an existing infrastructure; with a technology view into escalating critical security events into any third party solution. It highlights a critical step in the process for user and asset security events to be escalated the same way network management and automated help desk solutions perform these functions in a traditional information technology infrastructure.

BeyondTrust Integration Points


BeyondTrust then has several integration points for access to this data. Below are the most common techniques for third party integration.

Event Log Forwarding

One of the many functions of BeyondInsight is to duplicate stored events within the Windows Application Log. For BeyondInsight, this setting can be found on the Connectors page, under the General section of the Configuration page. It allows for PowerBroker and Retina events (with user defined filters) to be duplicated in the log so that a log-monitoring tool or log scraper can monitor for critical events. The high level workflow is illustrated below:

To activate this feature, in BeyondInsight click Configuration, then under General click Connectors, and then select Local Event Log Connector from the list and apply the appropriate settings and filters.

SNMP Trap Forwarding

BeyondInsight, PowerBroker EPP, and the Retina Network Security Scanner can forward SNMP traps using versions 1, 2, or 3. BeyondInsight, Retina, and specific PowerBroker solutions are also capable of forwarding events through a Syslog daemon.

With this forwarding function, it is feasible to integrate critical event information directly into a NMS, SIM, NAC, or other log consolidation or event management system. BeyondTrust provides a standard SNMP MIB (EEYE-RETINA_EVENT-MIB) for decoding traps at the destination; it is available in the “C:\Program Files\BeyondTrust\Retina5\Help\Snmp Directory”. This MIB is valid for Retina, PowerBroker, and BeyondInsight.

In BeyondInsight, the configuration for SNMP Trap Forwarding and Syslog Event Forwarding can be found on the Connectors page, under the General section of the Configuration page. Both protocols work for all data aggregated by PowerBroker or Retina within BeyondInsight. Please note: PowerBroker UNIX Linux and PowerBroker EPP have limited capabilities directly within the solution.

Below is a screenshot for each of these connectors:


BMC Remedy

You can export asset and vulnerability data from BeyondInsight to your BMC Remedy server.

To configure BeyondInsight, you must:

• Create a connector to Remedy.

• Create a Smart Group. The parameters configured in the Smart Group include the assets (and data) that will be exported to the Remedy system.

Your Remedy system must already have forms created to accept asset and vulnerability information.

Creating a Connector to your BMC Remedy Server

Settings from your Remedy WSDL file are required to create the connector.

Sample data from a WSDL file:

Note: Remedy web service endpoints expect a sortable date format. For example, 2009-06-15T13:45:30.

However, you can override the default format in the registry with a valid .NET date format string:

HKEY_LOCAL_MACHINE\SOFTWARE\eEye\RetinaCS\RemedyExportDateFormatString

View examples of standard date format strings here: http://msdn.microsoft.com/en-us/library/az4se3k1.aspx

To create a connector:

1. Log on to BeyondInsight management console and click Configuration.
2. Under General, click Connectors.
3. Click +, then click BMC Remedy Connector.
4. Enter a connector name, and a Remedy user name and password.

The connector name can be any name.

The credentials for the Remedy system must provide access to the web service and be able to create requests.

The Active check box is selected by default. Data is only exported when the check box is selected.

5. Select the check boxes depending on the data that you want to export: Export Assets, Export Vulnerabilities. You can select both.

6. For the export options, enter the following information:

– Web Service URL - defines the location where data will be exported.


– Target Namespace - Enter the target namespace from the WSDL file.

– SOAP Action - Enter the action as defined in the WSDL file.

– Field Mappings - Enter the fields that you want to include in the export data.

The order of the fields must match the order of the fields in the WSDL file. Use the arrows to change the order.

7. After you provide the information, click Test to ensure a connection is established to your Remedy system. Note that the test creates a record in the Remedy system.

8. Click Update.

Creating a Smart Group

Assets and vulnerabilities exported are defined in the Smart Group.

To configure the Remedy Smart Group:

1. Configure the Smart Group as usual. For more information refer to the BeyondInsight User Guide.
2. In the Smart Rules Manager for Assets, under Perform Actions, select Export Data from the list of actions.
3. Select the name of the Remedy connector.
4. Select an audit group from the list.

Only vulnerabilities in the selected audit group will be exported. All vulnerabilities for all assets will be exported if no audit group is selected.


5. Enter the expiration period, in days.

Assets and vulnerabilities (depending on what is defined in the collector details) are only exported once in the defined expiration period.

However, an item (asset or vulnerability) might be exported more than once. This might occur if, for any reason, the item is not included in the Smart Group but then is included again later.

After the expiration period passes, the item is exported again if it remains in the Smart Group.

6. Click Save.

Exporting the Data

After the Smart Group is created, the data is set to be collected and exported every hour on the hour.

You can change the default export time in the RemManagerSvc.exe.config file located in the BeyondInsight install directory.

View export results in your Remedy system.

Export results or alerts on progress are not shown in BeyondInsight.

To stop exporting data, clear the Active check box on the Remedy Connector Details page.


Exabeam

Create an Exabeam connector to send all selected event data in CEF format to the Exabeam server.

To configure:

1. Log on to BeyondInsight management console and click Configuration.
2. Under General, click Connectors.
3. Click +, and then select Exabeam Event Forwarding.
4. Enter a connector name.
5. Select the Enable Event Forwarding check box.
6. Select the protocol: TCP, TCP-SSL, UDP.
7. Enter the host name and port for the Exabeam server.
8. Select the events that you want to forward.
9. Click Verify to ensure connectivity to the server is successful.
10. Click Update.


FireEye

The FireEye Threat Analytics Platform (TAP) generates events securely using the cloud connector. Create the FireEye connector to send BeyondInsight events to the FireEye TAP server.

You need a FireEye Comm Broker Sender installed and available to BeyondInsight. Refer to your FireEye documentation or vendor to ensure the proper installation of the Comm Broker Sender.

To configure a FireEye connector:

1. Log on to BeyondInsight management console and click Configuration.
2. Under General, click Connectors.
3. Click +, and then select FireEye TAP Cloud Collector.
4. Provide a connector name.
5. Select the Enable Event Forwarding check box.
6. Provide the required details for your FireEye Comm Broker Sender, including: protocol, host name, and port.
7. Select the events that you want to forward.
8. Click Update.


HP ArcSight

HP ArcSight is a security management application that combines event correlation and security analytics to identify and prioritize threats.

In BeyondInsight 6.0 and later, a dedicated ArcSight connector using CEF format is available. Use the connector over Syslog.

To configure:

1. Log on to BeyondInsight management console and click Configuration.
2. Under General, click Connectors.
3. Click +, and then select HP ArcSight Event Forwarding.
4. Select the Enable Event Forwarding check box.
5. Select the protocol: TCP, TCP-SSL, UDP.
6. Enter the host name and port for the ArcSight server.
7. Select the events that you want to forward.
8. Click Update.
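The Exabeam and HP ArcSight connectors both send events in CEF. The following is an added example, not part of the BeyondTrust guide, that parses and sanity-checks a CEF line on the receiving side so you can confirm forwarded events arrive intact. The sample event, its vendor and product names, and its extension keys are constructed placeholders and do not represent BeyondInsight's actual field mapping.

```python
import re

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "event_class_id", "name", "severity")
TEXT_SEVERITIES = {"unknown", "low", "medium", "high", "very-high"}
# An extension key starts the string or follows whitespace, and ends at "=".
# Backslash is not a key character, so an escaped "\=" inside a value is not a key.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\[\]-]+)=")

# Constructed sample: vendor, product, event id and extension values are
# placeholders, not BeyondInsight's real field mapping.
SAMPLE = (
    "<134>Feb 12 10:15:02 bi-host CEF:0|ExampleVendor|ExampleProduct|6.4|1001|"
    r"Privileged session \| elevated|7|"
    r"src=10.0.0.5 suser=alice msg=policy\=AllowAdmins matched on host A "
    "cs1Label=Policy cs1=Allow Admins"
)


def split_header(body):
    """Split the seven pipe-delimited header fields, honouring escaped pipes."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) == len(HEADER_FIELDS) - 1 and i >= len(body):
        fields.append("".join(cur))  # header with no trailing pipe, no extension
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("truncated CEF header: %d of 7 fields" % len(fields))
    return fields, body[i:]


def unescape(value):
    """Undo extension escapes: backslash-equals, double backslash, \\n and \\r."""
    table = {"n": "\n", "r": "\r"}
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(1)), value)


def parse_extension(ext):
    """Values may contain spaces, so each value runs up to the next key."""
    matches = list(EXT_KEY.finditer(ext))
    out = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = unescape(ext[m.end():end])
    return out


def parse_cef(line):
    """Parse one CEF event, with or without a leading syslog prefix."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF marker in line")
    fields, ext = split_header(line[start + 4:].rstrip("\r\n"))
    event = dict(zip(HEADER_FIELDS, fields))
    event["syslog_prefix"] = line[:start].strip()
    event["extension"] = parse_extension(ext)
    return event


def validate(event):
    """Return a list of problems; an empty list means the header looks sane."""
    problems = []
    if not event["version"].isdigit():
        problems.append("version is not numeric")
    sev = event["severity"]
    if not ((sev.isdigit() and 0 <= int(sev) <= 10) or sev.lower() in TEXT_SEVERITIES):
        problems.append("severity out of range: %r" % sev)
    for key in ("device_vendor", "device_product", "event_class_id"):
        if not event[key]:
            problems.append("empty header field: " + key)
    return problems


if __name__ == "__main__":
    parsed = parse_cef(SAMPLE)
    print(parsed["name"], parsed["extension"], validate(parsed))
```

With UDP selected as the protocol, long events can be cut off in transit; a truncated header surfaces here as a ValueError rather than a silently partial record.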


IBM QRadar

IBM QRadar is a security intelligence platform that provides a unified architecture for integrating security information and event management solutions.

Create a QRadar connector to send selected event data in QRadar LEEF format.

To configure a QRadar connector:

1. Log on to BeyondInsight management console and click Configuration.
2. Under General, click Connectors.
3. Click +, and then select IBM QRadar.
4. Provide a connector name.
5. Select the Enable Event Forwarding check box.
6. Provide the required details for the QRadar server, including: protocol, host name, and port.
7. Select the events that you want to forward.
8. Click Update.


Kenna API Connector

Create a connector to forward BeyondInsight events to Kenna Security using Kenna's REST API.

You must install the BeyondInsight connector in your Kenna instance. Note the connector ID from the URL.

To create a Kenna connector:

1. Log on to BeyondInsight management console and click Configuration.
2. Under General, click Connectors.
3. Click +, and then select Kenna API Connector.
4. Enter a connector name.
5. Select the Enable Event Forwarding check box.
6. In the Schedule Options, enter a processing interval of 300 seconds (default) or longer. Generating reports might be process intensive depending on your environment. Enter a longer interval that suits your reporting requirements.
7. Select a Smart Rule Filter for a datasource (optional).
8. Select an endpoint:

– Kenna API Connector – The Kenna API server details.

– Host Name - The URL for your Kenna instance. For example, https://<yourinstance>/kennasecurity.com.

– Kenna API Key - The Kenna API key for your Kenna instance (Settings -> Applications).

– Kenna Connector ID - The Connector ID for the 'BeyondInsight scanner' added to your Kenna instance. The ID can be found in the URL of the connector details page. For example, https://<yourinstance>/kennasecurity.com/connectors/12345 where '12345' is the connector ID.


9. Click Send Test Event to ensure that events are sent to the Kenna endpoint.
10. Click Verify to ensure connectivity to the server is successful.
11. Click Update.


LogRhythm Syslog

Create a LogRhythm connector to forward BeyondInsight events to the LogRhythm server.

1. Log on to BeyondInsight management console and click Configuration.
2. Under General, click Connectors.
3. Click +, and then select LogRhythm Syslog.
4. Provide a connector name.
5. Select the Enable Event Forwarding check box.
6. Select an optional syslog facility from the list.
7. Provide the required details for the LogRhythm server, including: protocol, host name, and port.
8. Select the events that you want to forward.
9. Click Update.


McAfee Syslog

McAfee Enterprise Security Manager (ESM) is the foundation of the McAfee security information and event management solution (SIEM).

Create a connector to forward all data types to McAfee Enterprise Security Manager.

You must configure your McAfee SIEM Solution to receive Syslog Data Sources. Refer to the McAfee documentation "Adding Syslog Data Sources to the McAfee SIEM Solution": https://community.mcafee.com/docs/DOC-6225.

To configure:

1. Log on to BeyondInsight management console and click Configuration.
2. Under General, click Connectors.
3. Click +, and then select McAfee ESM Syslog.
4. Provide a connector name.
5. Select the Enable Event Forwarding check box.
6. Select an output format: NewLine Delimited (Default) or Tab Delimited.
7. Select an optional syslog facility from the list.
8. Provide the required details for the McAfee Syslog data source, including: protocol, host name, and port.
9. Select the events that you want to forward.
10. Click Update.


NetIQ Sentinel

Create a NetIQ connector to forward BeyondInsight events to the NetIQ Sentinel server in the LEEF format.

1. Log on to BeyondInsight management console and click Configuration.
2. Under General, click Connectors.
3. Click +, and then select NetIQ Sentinel Event Forwarding.
4. Provide a connector name.
5. Select the Enable Event Forwarding check box.
6. Select an optional syslog facility from the list.
7. Provide the required details for the Sentinel server, including: protocol, host name, and port.
8. Select the events that you want to forward.
9. Click Verify to ensure connectivity to the server is successful.
10. Click Update.
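The IBM QRadar and NetIQ Sentinel connectors send events in LEEF. The following is an added example, not part of the BeyondTrust guide, that parses LEEF 1.0 and 2.0 lines at the receiver and flags the common failure where a syslog relay has rewritten the tab delimiters. The guide does not state which LEEF version is emitted, so both are handled; the sample events and their attribute values are constructed placeholders.

```python
import re

HEADER = ("leef_version", "vendor", "product", "product_version", "event_id")

# Constructed samples; vendor, product, event id and attributes are placeholders.
LEEF1 = ("<13>Feb 12 10:15:02 bi-host LEEF:1.0|ExampleVendor|ExampleProduct|6.4|1001|"
         "src=10.0.0.5\tusrName=alice\tsev=7")
LEEF2 = ("LEEF:2.0|ExampleVendor|ExampleProduct|6.4|1001|x5E|"
         "src=10.0.0.5^usrName=alice^msg=a|b")
MANGLED = ("LEEF:1.0|ExampleVendor|ExampleProduct|6.4|1001|"
           "src=10.0.0.5#011usrName=alice")


def delimiter_from_spec(spec):
    """LEEF 2.0 delimiter field: one literal character, or hex such as x09 / 0x5E."""
    if spec == "":
        return "\t"  # this example falls back to tab when the field is empty
    m = re.fullmatch(r"(?:0x|x)([0-9A-Fa-f]{1,4})", spec)
    if m:
        return chr(int(m.group(1), 16))
    if len(spec) == 1:
        return spec
    raise ValueError("bad LEEF 2.0 delimiter field: %r" % spec)


def parse_leef(line):
    """Return (event, warnings) for one LEEF line, with or without a syslog prefix."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF marker in line")
    parts = line[start + 5:].rstrip("\r\n").split("|", 5)
    if len(parts) < 6:
        raise ValueError("truncated LEEF header")
    event = dict(zip(HEADER, parts[:5]))
    rest, delim, warnings = parts[5], "\t", []

    if event["leef_version"].startswith("2."):
        spec, sep, tail = rest.partition("|")
        if sep and "=" not in spec:  # a delimiter field precedes the attributes
            delim, rest = delimiter_from_spec(spec), tail

    if delim == "\t" and "\t" not in rest and "#011" in rest:
        # A relay that escapes control characters (rsyslog commonly writes tab
        # as #011) would otherwise leave all attributes fused into one value.
        warnings.append("tab delimiters arrived escaped as #011")
        delim = "#011"

    attrs = {}
    for piece in filter(None, rest.split(delim)):
        key, eq, value = piece.partition("=")
        if not eq:
            warnings.append("attribute without '=': %r" % piece)
            continue
        attrs[key.strip()] = value
    event["attributes"] = attrs
    event["syslog_prefix"] = line[:start].strip()
    return event, warnings


if __name__ == "__main__":
    for sample in (LEEF1, LEEF2, MANGLED):
        print(parse_leef(sample))
```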


Palo Alto

Before you create the Palo Alto connector, create an address group that includes the IP addresses.

To configure a Palo Alto connector:

1. Log on to the BeyondInsight management console and click Configuration.
2. Under General, click Connectors.
3. Click +, and then select Palo Alto Connector.
4. Provide a connector name and description.
5. Enter the URL address for the Palo Alto service, including the credential to access the site. Click Test Connection to ensure the BeyondInsight server can reach the Palo Alto server.
6. By default, a Palo Alto Workgroup is selected. The workgroup will be created when the connector is created.


7. Select the address group that you created from the list.
8. Select the Active check box to turn on synchronization.
9. Select scheduling settings for when the synchronization runs.
10. Select the Run immediate check box to start the synchronization after you click Update.

The first synchronization can take time. The first run includes importing the vulnerability definitions.


STIX / TAXII Connector

You can create a connector in BeyondInsight to forward and receive privilege and vulnerability events that adhere to the STIX and TAXII industry standard specifications.

The BeyondInsight STIX/TAXII connector submits a STIX Incident Report to a TAXII Inbox service. You must have an appropriate Inbox Service configured on your TAXII services.

To configure:

1. Log on to BeyondInsight management console and click Configuration.
2. Under General, click Connectors.
3. Click +, and then select STIX/TAXII Connector.
4. Enter a connector name.
5. Select the Enable Event Forwarding check box.
6. Set the processing interval. The default is 300 seconds (5 minutes).
7. Select the endpoint TAXII Client from the menu, and then enter the following information for the TAXII server:

– TAXII version – Select the version of TAXII on your server.

– Host Name – The URL to your TAXII Inbox service. For example, https://taxii.mitre.org/services/inbox/default/

– Authentication – Select an authentication type: Basic or None.

– Username/Password – If you select Basic authentication, enter the user name and password to access the TAXII Inbox service.

8. Click Send Test Event to ensure that events are sent to the Inbox service.
9. Click Verify to ensure connectivity to the server is successful.
10. Click Update.


SailPoint

IdentityIQ is an identity and access management solution from SailPoint.

User accounts and roles created in IdentityIQ can be imported and managed in BeyondInsight.

Overview

The following illustrations show the use cases for SailPoint and BeyondInsight.

The first use case imports SailPoint user groups (based on SailPoint roles) into BeyondInsight.

The second use case sends and synchronizes permissions in BeyondInsight to IdentityIQ.


Create the Connector

1. Log on to BeyondInsight management console and click Configuration.
2. Under General, click Connectors.
3. Click +, and then select SailPoint Integration.
4. Select the Enable SailPoint Integration check box, and then provide the following information:

– Host - The IP address or host name of the SailPoint instance.

– Port - The port to use to connect to the SailPoint MySQL instance.

– Database - Select a database type from the list: MySQL, Oracle, DB2, Microsoft SQL Server.

Note: If you are using DB2, you must install a driver package on the BeyondInsight server. The name of the package: ibm_data_server_driver_package_win64_v11.1. You can download the package from the following web site: http://www-01.ibm.com/support/docview.wss?uid=swg21385217. Set the path in the Path to DB2 DLL box as shown in the screen capture.

– Username / Password - The database credential. The user needs Read/Write access to the STI database and Read access to the IdentityIQ database.


5. Click Update.

After you create the connector, you can proceed with additional configuration.

Create a SailPoint User Group

1. Log on to BeyondInsight management console and click Configuration.
2. Under Role Based Access, click Users & Groups.
3. Under User Groups, click +, and then select SailPoint Group.
4. Select a SailPoint role from the list that you want to import.


5. Assign permissions for this group.
6. Click Create.

The user accounts will be imported from SailPoint. You can then log on as these users in BeyondInsight and Password Safe using their Active Directory credentials.

Viewing Permissions in IdentityIQ

Periodically the permissions and users will be synchronized with SailPoint.

You can view BeyondInsight and Password Safe permissions in SailPoint by performing the following:

1. Log on to IdentityIQ.
2. You can view the permissions in one of two places. The first is on the BeyondInsight application:
3. Select the Define tab, and then select Applications.
4. Select BeyondInsight from the list.
5. Click Accounts.

You will see all the users associated with BeyondInsight. Click on a user to view BeyondInsight attributes.

The second way to view this data is by finding the user you are interested in:

1. Select the Define tab, and then select Identities.
2. Enter the user name in the filter criteria box and search.


3. Click the user name to view details.
4. Select the Application Accounts tab.
5. Look for the BeyondInsight application and click the arrow next to it.

You will see the BeyondInsight specific attributes for this user.

Now that you can access the user specific data, clicking on any of the roles the user is associated with under BeyondInsight’s attributes will open a pop-up displaying more information.

Navigating to the Object properties tab will display its permissions query which will display all of BeyondInsight’s PAM permission data.


ServiceNow Asset Import ConnectorYou can create a connector to ServiceNow that imports the asset information to the BeyondInsight database.

To configure the ServiceNow asset import connector, you must:

• Create a connection to your ServiceNow instance.

• Create a Smart Group. The parameters configured in the Smart Group include the assets (host and IP address)that will be imported from ServiceNow.

Note: BeyondInsight only supports the ServiceNow Cloud Solutions.

Configuring the ConnectorAfter the connector is tested and saved, each scheduled run retrieves ServiceNow data from the defined table thathas an entry in one of the defined fields (valid IP address or DNS defined).

Note that there might be a large number of records to import from ServiceNow. You can change the default valuein the RemManagerSvc.ece.config file. See Changing the Batch Size Limit.

After the data is retrieved, the data is stored in the BeyondInsight database.

To create the connector:

1. Log on to BeyondInsight management console and click Configuration.
2. Under General, click Connectors.
3. Click +, then click ServiceNow Asset Importer.
4. Enter a connector name.
   The connector name can be any name.
5. Enter a ServiceNow user name and password.
   The credentials for the ServiceNow system must provide access to the web service and be able to create requests.
6. Enter the ServiceNow URL.
7. Enter the information for the ServiceNow tables that you want to import to BeyondInsight. The default values are IP address and FQDN.
   The Active check box is selected by default. Asset data is only imported from ServiceNow when the check box is selected.
8. Set the scheduling options to synchronize ServiceNow with the BeyondInsight database.
9. Click Test to ensure the connection to the ServiceNow instance is working. (Optional).
10. Click Update to save the settings.

Creating a Smart Group

After the data is in the BeyondInsight database, you can create a Smart Group based on the ServiceNow assets. When creating the Smart Group, ensure that you select ServiceNow Assets as the Asset Selection criteria.


When the Smart Group processes, the DNS name is always used when it exists. The IP address is used to determine assets in the Smart Group when the check box is selected.

Changing the Batch Size Limit

Depending on the environment, there might be a large number of records to import.

You can set the Import Batch Limit value in the RemManagerSvc.exe.config file located in the BeyondInsight installation directory. The default limit set in the file is 5,000. You cannot enter a value greater than 10,000.

    <!-- ServiceNow Imports -->
    <Process name="servicenowimportshandler" assembly="" order="17" active="true" accessType="internal">
      <Handlers>
        <Handler name="ServiceNowImportsHandler" handlerType="1" runFrequency="3" frequencyType="m" referenceTime="1:00" namespace="" order="0" active="true" importBatchLimit="5000"></Handler>
      </Handlers>
    </Process>


ServiceNow Export Connector

You can export asset and vulnerability data from BeyondInsight to your ServiceNow server.

To configure a ServiceNow connector, you must:

• Create a connection to your ServiceNow instance.

• Create a Smart Group. The parameters configured in the Smart Group include the assets (and data) that will be exported to ServiceNow. After the Smart Rule is created, the data in the rule will be refreshed and exported every hour (if necessary, based on the Smart Rule Action expiration period).

Note: BeyondInsight only supports the ServiceNow Cloud Solutions.

Example Configurations

Export Assets

• AssetID must be mapped to a ServiceNow field.

• Mapping the BeyondInsight VulnerabilityID field on the asset web service configuration will result in an asset record being created in ServiceNow for each vulnerability that is associated with that asset.

• The ServiceNow field “name” must be mapped if Assets are being exported.

BeyondInsight Asset fields available for export:

• AssetID
• AssetName
• AssetRisk
• DateAdded
• DnsName
• IpAddress
• OperatingSystem
• SmartGroupName
• VulnerabilityID
• Workgroup

Suggested Mappings

| ServiceNow Field | Data Type | Asset Field | Literal Value |
|---|---|---|---|
| correlation_id or custom correlation_id field | String | AssetID | |
| correlation_display or custom correlation_display field | String | (Literal Value) | BeyondInsight Asset |
| name | String | AssetName | |
| ip_address | String | IpAddress | |
| Os | String | OperatingSystem | |

Mapping of other fields as determined by user requirements.


Export Vulnerabilities

• Only vulnerabilities in the selected audit group will be exported. All vulnerabilities for all assets will be exported if no audit group is selected.

• The ServiceNow field “correlation_id” must be mapped if Vulnerabilities are being exported.

BeyondInsight Vulnerability fields available for export:

• AssetID
• CCEIds
• CVEIds
• Category
• FirstOccurred
• LastOccurred
• Severity
• VulnerabilityID
• VulnerabilityName
• VulnerabilityDescription

Suggested Mappings

| ServiceNow Field | Data Type | Asset Field | Literal Value |
|---|---|---|---|
| correlation_id or custom correlation_id field | String | VulnerabilityID | |
| correlation_display or custom correlation_display field | String | (Literal Value) | BeyondInsight Vulnerability |
| short_description | String | VulnerabilityName | |
| Work_notes | String | VulnerabilityDescription | |
| Impact | String | Severity | |

Mapping of other fields as determined by user requirements.

Export Assets and Export Vulnerabilities both checked

With the following connector configuration, each Smart Rule sends the asset once, and then sends the list of vulnerabilities one by one for each asset.

The VulnerabilityID must not be present on the Asset portion of the connector.

Suggested Asset Mappings

| ServiceNow Field | Data Type | Asset Field | Literal Value |
|---|---|---|---|
| correlation_id or custom correlation_id field | String | AssetID | |
| correlation_display or custom correlation_display field | String | (Literal Value) | BeyondInsight Asset |
| name | String | AssetName | |
| ip_address | String | IpAddress | |
| Os | String | OperatingSystem | |

Mapping of other fields as determined by user requirements.

Suggested Asset Mappings

| ServiceNow Field | Data Type | Asset Field | Literal Value |
|---|---|---|---|
| correlation_id or custom correlation_id field | String | AssetID | |
| correlation_display or custom correlation_display field | String | (Literal Value) | BeyondInsight Vulnerability |
| short_description | String | VulnerabilityName | |
| Work_notes | String | VulnerabilityDescription | |
| Impact | String | Severity | |
| Determined by user | String | VulnerabilityID | |

Mapping of other fields as determined by user requirements.

Configuring the Connector

To create a connector:

1. Log on to the BeyondInsight management console and click Configuration.
2. Click +, then click ServiceNow Connector.
3. Enter a connector name, and a ServiceNow user name and password. The connector name can be any name.
   The credentials for the ServiceNow system must provide access to the web service and be able to create requests.
   The Active check box is selected by default. Data is only exported when the check box is selected.
4. If you are using an older version of ServiceNow and you are using update sets, select the Using Update Set check box.
5. Select the check boxes depending on the data that you want to export: Export Assets, Export Vulnerabilities. You can select both.
6. For the export options, enter the following information:
   – Web Service URL - Enter the URL to the ServiceNow instance.
   – Extended Field Mappings - Enter the field mappings. See Example Configurations.
7. Click Test to ensure the connection to the ServiceNow instance is working. (Optional).
8. Click Update to save the settings.


Creating a Smart Group

Assets and vulnerabilities exported are defined in the Smart Group.

After the Smart Group is created, the data in the rule is processed and exported every hour. You can change the processing time in the RemManagerSvc.exe.config file. See Changing the Processing Frequency.

To configure a Smart Group:

1. Configure the Smart Group. Refer to the BeyondInsight User Guide, section Creating a Smart Rule.
2. In the Perform Actions area, select Export Data.
3. Select the name of the connector.
4. Select an audit group from the list.
   Only vulnerabilities in the selected audit group will be exported. All vulnerabilities for all assets will be exported if no audit group is selected.
5. Enter the expiration period, in days.
   Assets and vulnerabilities (depending on what is defined in the collector details) are only exported once in the defined expiration period.
   However, an item (asset or vulnerability) might be exported more than once. This might occur if, for any reason, the item is not included in the Smart Group but then is included again later.
   After the expiration period passes, the item is exported again if it remains in the Smart Group.
6. Click Save.

Changing the Processing Frequency

You can set the processing frequency value in the RemManagerSvc.exe.config file located in the BeyondInsight installation directory. Change the referenceTime value.

    <!-- Data export processor. This exports Assets and/or Vulnerabilities to
         external systems such as BMC Remedy. -->
    <Process name="DataExportProcessor" assembly="" order="13" active="true" accessType="internal">
      <Handlers>
        <Handler name="DataExportHandler" handlerType="1" runFrequency="1" frequencyType="h" referenceTime="1:00" namespace="" order="0" active="true"></Handler>
      </Handlers>
    </Process>


Importing the BeyondInsight Update Set

The update set provides the BeyondInsight modules and menus in your ServiceNow instance. The BeyondInsight update set file that you must import to your ServiceNow instance is located in the following installation directory:

%\Program Files(x86)\eEye Digital Security\Retina CS\ServiceNow

For more information, go to ServiceNow's web site:

http://wiki.servicenow.com/index.php?title=Transferring_Update_Sets


Splunk

SIEM products, like Splunk HTTP Event Collector, correlate information from an extensive list of security and operational solutions to gain visibility and context within an IT environment. This procedure documents how to integrate BeyondInsight and Splunk to help improve visibility and the decision-making processes with vulnerability data.

Events from BeyondTrust's privileged access and vulnerability management tools can be forwarded to Splunk, including events from PowerBroker for Windows, PowerBroker for Unix & Linux, Retina, and PowerBroker for Mac.

Configuring the Connector

Refer to Splunk product documentation for more details on the parameters set in the connector.

As a prerequisite, you must configure an HTTP Event Collector data source in Splunk and note the API key for the configuration settings in the following procedure.

To configure the connection to your Splunk host:

1. Log on to BeyondInsight management console and click Configuration.
2. Under General, click Connectors.
3. Click +, and then select Splunk HTTP EC.
4. Enter a connector name. There are no requirements on naming convention.
5. Select the Enable Event Forwarding check box.
6. Enter the following details for the Splunk server:
   – Host name - Required. The host name or IP address for your Splunk server.
   – Port - Required. The default is 8088.
   – Splunk API key - Required.
   – Splunk Index - The name of the data repository on the Splunk server.
   – Splunk Source Type - Data structure identifier for an event. The value is assigned to the event data collected.
   – Splunk Source - Source value to assign to the event data. For example, set this key to the name of the application you are gathering events from.
   – Splunk Host - The host name for the server that you are sending events to.
7. Select the events that you want to forward.
8. Click Verify.
9. Click Update.
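Before entering these values in the connector, it can help to confirm that the HTTP Event Collector input accepts them. The following is an added example, not BeyondInsight or Splunk code: it builds one test event for HEC's `/services/collector/event` endpoint and sends it with certificate verification on. It assumes the connector's Index, Source Type, Source and Host settings correspond to HEC's `index`, `sourcetype`, `source` and `host` metadata keys and that the input uses HTTPS; all host names and the token are constructed.

```python
import json
import ssl
import urllib.error
import urllib.request


def build_hec_request(server, token, index, sourcetype, source, event_host,
                      event, port=8088, scheme="https"):
    """Build (but do not send) a POST to the HEC event endpoint."""
    payload = {
        "event": event,
        "index": index,
        "sourcetype": sourcetype,
        "source": source,
        "host": event_host,
    }
    req = urllib.request.Request(
        f"{scheme}://{server}:{port}/services/collector/event",
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
    )
    # HEC authenticates with the token (the guide's "API key") in this header.
    req.add_header("Authorization", f"Splunk {token}")
    req.add_header("Content-Type", "application/json")
    return req


def describe(req):
    """Log-safe summary of the request: the API key is never included."""
    body = json.loads(req.data)
    meta = {k: v for k, v in body.items() if k != "event"}
    return (f"{req.get_method()} {req.full_url} auth=Splunk *** "
            f"meta={json.dumps(meta, sort_keys=True)}")


def send(req, cafile=None, timeout=10):
    """Send the request and return (http_status, parsed_json_or_None).

    Certificate verification stays enabled; pass cafile to trust a private CA
    rather than turning verification off.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # HEC rejects bad tokens or indexes with a 4xx status and a JSON body.
        status, raw = err.code, err.read()
    try:
        return status, json.loads(raw)
    except ValueError:
        return status, None


if __name__ == "__main__":
    # Constructed values; replace with the ones you will enter in the connector.
    request = build_hec_request(
        server="splunk.example.internal",
        token="00000000-0000-0000-0000-000000000000",
        index="beyondinsight",
        sourcetype="beyondinsight:event",
        source="BeyondInsight",
        event_host="bi-console-01",
        event={"message": "HEC connectivity test"},
    )
    print(describe(request))
    print(send(request))
```

A rejected token or an index the token is not allowed to write to comes back as a non-200 status with Splunk's JSON error body, which is quicker to diagnose here than through the connector's Verify button.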

Viewing Events in Splunk

After the data is forwarded from BeyondInsight to Splunk, you can take advantage of the view, search, and report features in Splunk.

Examples

Search on OS

The following example shows a search on OS set at "Windows, Microsoft, Windows, 7 x64, Service Pack 1"


Output all the events that match on OS

Sample Retina Vulnerability Events


Note: If there appears to be a discrepancy with the time of an event, verify that the Splunk host is configured to use UTC.

More information can be found on the Splunk Answers forums:

https://answers.splunk.com


Syslog Connector

Create a syslog connector to forward BeyondInsight events to the syslog server.

1. Log on to BeyondInsight management console and click Configuration.
2. Under General, click Connectors.
3. Click +, and then select LogRhythm Syslog.
4. Provide a connector name.
5. Select the Enable Event Forwarding check box.
6. Select an output format: Newline Delimited (Default) or Tab Delimited.
7. Provide the required details for the syslog server, including: protocol, host name, and port.
8. Select the events that you want to forward.
9. Click Update.


Third Party Credential Provider

You can create a Third Party Credential Provider connector that can be configured to support credential providers that accept SOAP requests to a web service. You can then use this credential to run a Retina scan.

After you create the connector:

• You can edit the connector from the Credential Management dialog box (accessible when selecting credentials for a scan).

• You can configure a Retina scan using the credential provided in the connector.

Note: You must be logged on as a BeyondInsight administrator to configure a third party credential provider.

Prerequisites

The example provided here shows how to create a connector to CyberArk®'s Central Credential Provider (CCP), a SOAP API.

• You need a CCP installation including the Application Credential Provider (ACP) that is available with a CCP installation.

• ACP must be configured in CyberArk's Password Vault web interface (PVWA).

• The application and the credential provider user need access to the account used for scanning with Retina.

For more information, refer to the CyberArk product documentation (Central Credential Provider Implementation Guide, Privileged Account Security Implementation Guide).

Note: The ACP by default is set to cache passwords for 3 minutes. As a result, the scan account’s password might not be up to date when Retina requests it. The CacheLevel parameter can be configured either during ACP setup, or in the AppProvider configuration found in the CyberArkApplicationPasswordProvider\Env directory.

To create a Third Party Credential Provider connector:

1. Log on to BeyondInsight management console and click Configuration.
2. Under General, click Connectors.
3. Click +, and then select Third Party Credential Provider.
4. Enter the following details:

– Third Party Name – The name of the provider.

– Access Key – The key the user is required to enter when selecting credentials for a scan. The access key on the connector can be changed; all credentials created by the connector will reflect the change in their access key.

– Credential Type – The type of credential the connector will be creating. The credential type on the connector can be changed; all credentials created by the connector will reflect the change in the credential type.

– Authentication Type – The web request authentication type.

– URL – The URL for the third party provider's web server.

– Namespace – The namespace of the request that the third party is expecting.


– SOAP Action – The request action that the third party is expecting for password requests.

– SOAP Action Response – The request response sent from the third party.

– Request Fields – The path field is a path to the XML element where you will be storing data to send to the server. Text separated by a slash (/) indicates XML element nesting.

Set the following fields:

| Path | Data Type |
|---|---|
| passwordWSRequest/AppID | String |
| passwordWSRequest/Safe | String |
| passwordWSRequest/Folder | String |
| passwordWSRequest/Object | String |
| passwordWSRequest/Reason | String |

– Outbound Data (CSV) – The data inserted into the "Request Fields". It is in CSV format: use a comma to separate values. Separate different credentials with a newline. The number of values defined must match the number of request fields.

Example

    AppID Safe Folder Object Reason
    AIMWebService,ScanAccounts,root,Operating System-WinServerLocal-Server03-scanacct,VulnerabilityScan

Note: The object needs to be the object name, not the account name.


– Response Fields – The response that comes back. The path is an XPath (already beginning with a double slash, //) that must locate an XML element that contains the data that corresponds to the Field Name. The Domain and Description fields are optional.

| Path | Data Type | Field Names |
|---|---|---|
| ns:GetPasswordResult/ns:UserName | String | User name |
| ns:GetPasswordResult/ns:Content | String | Password |
| ns:key[text()='Description']/following::ns:value[1] | String | Domain |
| ns:key[text()='Domain']/following::ns:value[1] | String | Description |

The connector automatically generates a description if one is not available. The format is: 'third party connector name - user name [guid]'. The guid value is only displayed if the user name is not unique.

5. Click Test to verify connectivity to the server and ensure syntax is correct.
6. Click Update.
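To make the relationship between Request Fields, Outbound Data and Response Fields concrete, the following added example (an illustration, not BeyondInsight's or CyberArk's code) expands each CSV line into a nested SOAP body, rejects lines whose value count does not match the request fields, and reads the two required response fields. The namespace, the `GetPassword` action name (inferred from `GetPasswordResult`) and the sample response are assumptions; the optional Domain and Description paths are left out because they use the `following::` axis, which Python's ElementTree does not support.

```python
import csv
import io
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
NS = "urn:example:credential-provider"  # assumption: placeholder namespace
ACTION = "GetPassword"                  # assumption: inferred from GetPasswordResult

# Request Fields and Outbound Data as shown in the guide.
REQUEST_PATHS = [
    "passwordWSRequest/AppID",
    "passwordWSRequest/Safe",
    "passwordWSRequest/Folder",
    "passwordWSRequest/Object",
    "passwordWSRequest/Reason",
]
OUTBOUND_CSV = (
    "AIMWebService,ScanAccounts,root,"
    "Operating System-WinServerLocal-Server03-scanacct,VulnerabilityScan\n"
)
# Required Response Fields from the guide, as (path, field name).
RESPONSE_FIELDS = [
    ("ns:GetPasswordResult/ns:UserName", "User name"),
    ("ns:GetPasswordResult/ns:Content", "Password"),
]
# Constructed sample response, for illustration only.
SAMPLE_RESPONSE = f"""<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>
<GetPasswordResponse xmlns="{NS}"><GetPasswordResult>
<UserName>scanacct</UserName><Content>constructed-secret</Content>
</GetPasswordResult></GetPasswordResponse></soap:Body></soap:Envelope>"""


def build_requests(paths=REQUEST_PATHS, outbound_csv=OUTBOUND_CSV, ns=NS):
    """Return one SOAP envelope string per credential (per CSV line)."""
    envelopes = []
    for lineno, row in enumerate(csv.reader(io.StringIO(outbound_csv)), 1):
        if not row:
            continue  # ignore blank lines between credentials
        if len(row) != len(paths):
            raise ValueError(
                f"line {lineno}: {len(row)} values for {len(paths)} request fields"
            )
        envelope = ET.Element(f"{{{SOAP_ENV}}}Envelope")
        body = ET.SubElement(envelope, f"{{{SOAP_ENV}}}Body")
        action = ET.SubElement(body, f"{{{ns}}}{ACTION}")
        for path, value in zip(paths, row):
            node = action
            for part in path.split("/"):  # "/" means element nesting
                child = node.find(f"{{{ns}}}{part}")
                if child is None:
                    child = ET.SubElement(node, f"{{{ns}}}{part}")
                node = child
            node.text = value
        envelopes.append(ET.tostring(envelope, encoding="unicode"))
    return envelopes


def extract_fields(response_xml, fields=RESPONSE_FIELDS, ns=NS):
    """Map each field name to the text found at its path in the response."""
    root = ET.fromstring(response_xml)
    found = {}
    for path, name in fields:
        # The guide's paths already start with "//"; ElementTree spells it ".//".
        node = root.find(".//" + path, {"ns": ns})
        if node is None or not (node.text or "").strip():
            raise LookupError(f"no value for {name!r} at //{path}")
        found[name] = node.text
    return found  # contains the password: do not log or print this dict
```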


Managing Credentials in BeyondInsight

After you create the Third Party Credential Provider connector, you can manage the credentials in BeyondInsight.

For example, when you are setting up a scan and selecting the credentials, the credentials can be accessed on the Credential Management dialog box.


Universal Connector

Create a universal connector to forward events to configured listeners using an XML or JSON format.

To create a universal connector:

1. Log on to BeyondInsight management console, and click Configuration.
2. Under General, click Connectors.
3. Click +, and then select Universal Event Forwarder.
4. Provide a connector name.
5. Select the Enable Event Forwarding check box.
6. Select an output format:
   – XML - Displays the events in XML format.
   – JSON - Displays the events in JSON format. Select the Use Syslog check box to add the syslog header format to the output file. If you use the syslog format, then you must select a facility from the list.
7. Provide the required details for the server, including: protocol, host name, and port.
8. Select the events that you want to forward.
9. Click Update.
