BeyondTrust PM Cloud

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Connectors Index

| Attribute | Value | |:----------|:------| | Connector ID | BeyondTrustPMCloud | | Publisher | BeyondTrust | | Used in Solutions | BeyondTrustPMCloud | | Collection Method | Azure Function | | Connector Definition Files | BeyondTrustPMCloud_API_FunctionApp.json | | Ingestion API | Log Ingestion API|HTTP Data Collector API — Sibling ARM template declares DCR / Log Ingestion API resources|Connector definition requires workspace key (SharedKey pattern) | | Microsoft Learn | View on Learn |

The BeyondTrust Privilege Management Cloud data connector provides the capability to ingest activity audit logs and client event logs from BeyondTrust PM Cloud into Microsoft Sentinel.

This connector uses Azure Functions to pull data from the BeyondTrust PM Cloud API and ingest it into custom Log Analytics tables.

Tables Ingested

This connector ingests data into the following tables:

Table	Transformations	Ingestion API	Lake-Only
`BeyondTrustPM_ActivityAudits_CL`	✓	✓	✓
`BeyondTrustPM_ClientEvents_CL`	✓	✓	✓

💡 Tip: Tables with Ingestion API support allow data ingestion via the Azure Monitor Data Collector API, which also enables custom transformations during ingestion.

Permissions

Resource Provider Permissions:

Workspace (Workspace): read and write permissions on the workspace are required.
Keys (Workspace): read permissions to shared keys for the workspace are required. See the documentation to learn more about workspace keys.

Custom Permissions:

Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. See the documentation to learn more about Azure Functions.
BeyondTrust PM Cloud API credentials: BeyondTrust PM Cloud OAuth Client ID and Client Secret are required. The API account requires the following permissions: Audit - Read Only and Reporting - Read Only

Setup Instructions

⚠️ Note: These instructions were automatically generated from the connector's user interface definition file using AI and may not be fully accurate. Please verify all configuration steps in the Microsoft Sentinel portal.

NOTE: This connector uses Azure Functions to connect to the BeyondTrust PM Cloud API to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the Azure Functions pricing page for details.

NOTE: This connector uses the OAuth 2.0 client credentials flow to authenticate with the BeyondTrust PM Cloud API.

1. STEP 1 - Obtain BeyondTrust PM Cloud API credentials

Create an API Account in your BeyondTrust PM Cloud instance with OAuth API credentials (Client ID and Client Secret). The API account requires the following permissions:

Audit - Read Only
Reporting - Read Only

2. STEP 2 - Deploy the connector and the associated Azure Function

Use this method for automated deployment of the BeyondTrust PM Cloud data connector using an ARM Template.

Click the Deploy to Azure button below.
Select the preferred Subscription, Resource Group (must contain your Log Analytics workspace), and Location.
Enter the required parameters:
- Workspace Name: Name of your Log Analytics workspace (e.g., beyondtrust-pmcloud)
- BeyondTrust PM Cloud Base URL: Your tenant URL (e.g., https://yourcompany.beyondtrustcloud.com)
- BeyondTrust Client ID: OAuth Client ID from Step 1
- BeyondTrust Client Secret: OAuth Client Secret from Step 1
- Activity Audits Polling Interval: How often to collect Activity Audits (default: 15 minutes)
- Client Events Polling Interval: How often to collect Client Events (default: 5 minutes)
- Log Level: Logging level for troubleshooting (default: Information)
- Historical Data Timeframe: How far back to collect data on first run (default: 1 day)
Review advanced settings (Hosting Plan SKU, Storage Account Type) and adjust if needed.
Mark the checkbox labeled I agree to the terms and conditions stated above.
Click Purchase to deploy.
The deployment creates all required resources: Function App, Storage Account, Data Collection Endpoint, Data Collection Rules, and custom Log Analytics tables.
Data should begin flowing within 15-30 minutes of deployment.

Additional Documentation

📄 Source: [BeyondTrustPMCloud\Data Connectors\README.md](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BeyondTrustPMCloud\Data Connectors\README.md)

BeyondTrust Privilege Management Cloud Data Connector for Microsoft Sentinel

This data connector ingests security events and administrative activity from BeyondTrust Privilege Management Cloud into Microsoft Sentinel using REST API polling with Azure Functions.

📝 Note About Placeholders: Throughout this documentation, you'll see placeholders that you need to replace with your actual values:

<YOUR-FUNCTION-APP-NAME> - Your deployed function app name (e.g., beyondtrust-pmcloud-abc123xyz)

<YOUR-RESOURCE-GROUP> - Your Azure resource group name (e.g., rg-sentinel-prod)

<YOUR-WORKSPACE-NAME> - Your Log Analytics workspace name

Overview

The BeyondTrust PM Cloud Data Connector retrieves data from two primary API endpoints:

Activity Audits (/v3/ActivityAudits/Details) - Administrative and configuration activities
Client Events (/v3/Events/FromStartDate) - Endpoint security events in ECS format

The connector uses OAuth 2.0 client credentials flow for authentication and implements rate limiting to comply with BeyondTrust API limits (1000 requests per 100 seconds).

Data Tables

The connector creates two custom tables in your Log Analytics workspace:

BeyondTrustPM_ActivityAudits_CL - Management activities, policy changes, user management
BeyondTrustPM_ClientEvents_CL - Endpoint security events (process execution, authentication, etc.)

Prerequisites

BeyondTrust PM Cloud tenant with API access enabled
OAuth Client Credentials for BeyondTrust PM Cloud Management API
Azure Log Analytics workspace configured for Microsoft Sentinel (must be in the same resource group as the deployment)
Azure subscription with permissions to deploy Azure Functions and Data Collection Rules

📋 Information You'll Need Before Deployment

Before starting deployment, gather these required values:

From Azure:

Resource Group Name: The resource group containing your Log Analytics workspace (deployment will create resources here)
Workspace Name: Your Log Analytics workspace name (not the GUID - just the name)
- Navigate to: Azure Portal → Log Analytics workspaces → [Your workspace] → Overview
- Copy the workspace name (e.g., beyondtrust-pmcloud)

From BeyondTrust PM Cloud:

Tenant Name: Your BeyondTrust PM Cloud tenant name (e.g., if your URL is https://yourcompany.beyondtrustcloud.com, use yourcompany)
OAuth Client ID: From Configuration → API Clients
OAuth Client Secret: From Configuration → API Clients

Deployment

Option 1: Azure Portal (Recommended)

Click the "Deploy to Azure" button below:
Fill in the required parameters:
- WorkspaceName: Your Azure Log Analytics workspace name (e.g., beyondtrust-pmcloud)
- BeyondTrustTenantName: Your BeyondTrust PM Cloud tenant name (e.g., yourcompany)
- BeyondTrustClientId: OAuth Client ID from BeyondTrust PM Cloud
- BeyondTrustClientSecret: OAuth Client Secret from BeyondTrust PM Cloud
- ActivityAuditsPollingIntervalMinutes: Polling interval for Activity Audits (default: 15)
- ClientEventsPollingIntervalMinutes: Polling interval for Client Events (default: 5)
- HistoricalDataTimeframe: How far back to retrieve events on first run (default: 1d)
  - Format: number followed by 'd' (days), 'h' (hours), or 'm' (minutes)
  - Examples: '7d' (7 days), '12h' (12 hours), '30m' (30 minutes)
  - Use '0' to start from current time (no historical data)
Click "Review + create" and then "Create"

Note: The deployment automatically creates the custom tables (BeyondTrustPM_ActivityAudits_CL and BeyondTrustPM_ClientEvents_CL) and Data Collection Rules (DCRs) for log ingestion. No pre-deployment scripts are required.

Option 2: Azure CLI

# Create resource group
az group create --name "rg-beyondtrust-pmcloud" --location "East US"

# Deploy the template
az deployment group create `
  --resource-group "rg-beyondtrust-pmcloud" `
  --template-file "azuredeploy_BeyondTrustPMCloud_API_FunctionApp.json" `
  --parameters `
    WorkspaceName="your-workspace-name" `
    BeyondTrustTenantName="yourcompany" `
    BeyondTrustClientId="your-client-id" `
    BeyondTrustClientSecret="your-client-secret" `
    HistoricalDataTimeframe="1d"

Configuration

BeyondTrust PM Cloud Setup

Create API Client:
- Log into your BeyondTrust PM Cloud management console
- Navigate to Configuration > API Clients
- Create a new API client with the required permissions for Activity Audits and Events
- Note the Client ID and Client Secret
Required API Permissions:
- urn:management:api scope
- Access to /v3/ActivityAudits/Details endpoint
- Access to /v3/Events/FromStartDate endpoint

Polling Intervals

Important: Consider the API rate limits when setting polling intervals:

BeyondTrust PM Cloud APIs are limited to 1000 requests per 100 seconds
Default intervals are conservative but can be adjusted based on your data volume
Activity Audits: Default 15 minutes (administrative events, lower frequency)
Client Events: Default 5 minutes (security events, higher frequency)

Customizing Polling Intervals

You can adjust polling intervals in the Azure Function App settings:

BeyondTrust:ActivityAuditsPollingIntervalMinutes
BeyondTrust:ClientEventsPollingIntervalMinutes

Historical Data Timeframe

When the connector runs for the first time (or when state is reset), it retrieves historical events based on the HistoricalDataTimeframe parameter:

Default: 1d (1 day of historical data)
Format: Number followed by 'd' (days), 'h' (hours), or 'm' (minutes)
Examples:
- 7d - Retrieve last 7 days of events
- 12h - Retrieve last 12 hours of events
- 30m - Retrieve last 30 minutes of events
- 0 - No historical data (start from current time)

Note: After the initial run, the connector tracks state and only retrieves new events since the last successful run.

You can adjust this setting in the Azure Function App settings:

BeyondTrust:HistoricalDataTimeframe (Consumption/Premium plans)
BeyondTrust__HistoricalDataTimeframe (Flex Consumption plan)

BeyondTrust PM Cloud Base URL

The connector requires your specific BeyondTrust PM Cloud base URL. For example:

If your PM Cloud portal is accessed at https://yourcompany.beyondtrustcloud.com
Enter: https://yourcompany.beyondtrustcloud.com

The connector will automatically:

Add -services to the subdomain (e.g., yourcompany-services.beyondtrustcloud.com)
Append the appropriate API paths (/management-api and /oauth/connect/token)
Handle trailing slashes appropriately

Note: If your URL already contains -services, the connector will not add it again.

Data Schema

BeyondTrustPM_ActivityAudits_CL

The Activity Audits table captures administrative and configuration changes in BeyondTrust PM Cloud with comprehensive audit details.

Core Fields:

Field	Type	Description
TimeGenerated	datetime	Log Analytics ingestion timestamp
id	int	Unique audit record ID
details	string	Description of the activity
userId	int	Numeric user ID
user	string	User who performed the action
entity	string	Type of entity modified
entityName	string	Name of the entity
auditType	string	Type of audit action
created	datetime	When the activity occurred
changedBy	string	Source of the change
timeTransmitted	datetime	When transmitted to Azure

Audit Detail Fields (dynamic type for complex nested data):

apiClientDataAuditing, computerDataAuditing, groupDataAuditing, installationKeyDataAuditing
policyDataAuditing, policyRevisionDataAuditing, settingsDataAuditing, userDataAuditing
mapToIdentityProviderGroupAuditing, openIdConfigDataAuditing, mmcRemoteClientDataAuditing
computerPolicyDataAuditing, azureADIntegrationDataAuditing, authorizationRequestDataAuditing
reputationSettingsDataAuditing, securitySettingsDataAuditing, siemIntegration* (multiple)
agentDataAuditing, managementRuleDataAuditing, autoUpdate* (multiple)
permissionGroupDataAuditing, identityProviderGroupDataAuditing

Note: Total ~40 columns. Dynamic fields contain detailed JSON objects with before/after state for configuration changes.

BeyondTrustPM_ClientEvents_CL

The Client Events table captures endpoint security events in Elastic Common Schema (ECS) format with comprehensive context.

Event Fields:

Field	Type	Description
TimeGenerated	datetime	Log Analytics ingestion timestamp
eventId	string	Unique event identifier
eventCode	string	Event type code
eventKind	string	Event kind (event, alert, etc.)
eventCategory	string	Event category
eventAction	string	Action performed
eventOutcome	string	Success/failure outcome
eventType	string	Event type classification
eventProvider	string	Event source provider
eventIngested	datetime	When event was ingested
eventReason	string	Reason for the event

Host Fields:

Field	Type	Description
hostHostname	string	Source hostname
hostName	string	Host name
hostId	string	Unique host identifier
hostIp	string	Host IP address
hostArchitecture	string	System architecture
hostDomain	string	Domain name
hostOsType	string	OS type (Windows, Linux, etc.)
hostOsPlatform	string	OS platform
hostOsName	string	OS name
hostOsVersion	string	OS version

User & Identity Fields:

Field	Type	Description
userId	string	User identifier
userName	string	Username
userDomain	string	User domain

File Fields:

Field	Type	Description
fileName	string	File name
filePath	string	Full file path
fileHashMd5	string	MD5 hash
fileHashSha1	string	SHA1 hash
fileHashSha256	string	SHA256 hash

Process Fields:

Field	Type	Description
processPid	int	Process ID
processExecutable	string	Process executable path
processCommandLine	string	Command line arguments

EPM-Specific Fields:

Field	Type	Description
epmSchemaVersion	string	EPM schema version
epmGroupId	int	EPM group ID
epmTenantId	int	EPM tenant ID
epmEventAction	string	EPM-specific action
epmEventType	string	EPM-specific event type

Additional Fields:

Field	Type	Description
ecsVersion	string	ECS version
tags	string	Event tags
timestamp	datetime	Original event timestamp
timeTransmitted	datetime	When transmitted to Azure

Complex Data Fields (dynamic type for nested JSON):

hostData, userData, fileData, processData, epmConfigurationData
networkData, destinationData, sourceData, relatedData

Note: Total ~50+ columns. Dynamic fields contain detailed nested objects with full context for security analysis.

Sample Queries

Activity Audits

// Recent administrative activities
BeyondTrustPM_ActivityAudits_CL
| where TimeGenerated >= ago(24h)
| project TimeGenerated, User, AuditType, Entity, EntityName, Details
| order by TimeGenerated desc

// Policy changes
BeyondTrustPM_ActivityAudits_CL
| where AuditType contains "Policy"
| project TimeGenerated, User, AuditType, EntityName, Details
| order by TimeGenerated desc

Client Events

// Blocked process executions
BeyondTrustPM_ClientEvents_CL
| where EventAction == "process-start-blocked"
| project TimeGenerated, HostHostname, UserName, FileName, FilePath, EventReason
| order by TimeGenerated desc

// Authentication events
BeyondTrustPM_ClientEvents_CL
| where EventCategory contains "authentication"
| project TimeGenerated, HostHostname, UserName, EventAction, EventOutcome
| order by TimeGenerated desc

// High-risk file executions
BeyondTrustPM_ClientEvents_CL
| where EventAction contains "process-start" and EventOutcome == "success"
| where FileName has_any ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| project TimeGenerated, HostHostname, UserName, FileName, FilePath
| order by TimeGenerated desc

📚 Documentation

Comprehensive documentation is available in the docs/ folder:

Quick Links

Deployment Guide - Deploy with configurable hosting plans (Consumption, Flex, Premium)
Sentinel Setup Guide - Post-deployment Sentinel integration
How to Pause Ingestion - Stop or pause data collection
How to Remove Deployment - Clean up resources
Where Do Logs Go - Understanding Application Insights logging
Sentinel Connector FAQ - Common questions

See the Documentation Index for the complete list.

Monitoring and Troubleshooting

Function App Monitoring

Application Insights: The deployment creates an Application Insights instance for monitoring
Function Logs: View execution logs in the Azure portal under Function App > Functions > Monitor
State Management: The connector maintains state in Azure Table Storage for incremental data retrieval

For detailed information on viewing and querying logs, see Where Do Logs Go.

Common Issues

Authentication Failures:
- Verify Client ID and Client Secret are correct
- Ensure OAuth client has proper permissions in BeyondTrust PM Cloud
Rate Limiting:
- If you see rate limit warnings, increase polling intervals
- Monitor Application Insights for rate limit exceptions
No Data Ingestion:
- Check Function App logs for errors
- Verify Log Analytics Workspace ID and Key
- Ensure BeyondTrust PM Cloud has data in the specified time range

Log Levels

Set the log level in Function App settings:

Logging:LogLevel:Default = Information (default)
Options: Critical, Error, Warning, Information, Debug, Trace

Security Considerations

Credentials: All sensitive configuration is stored in Azure Function App settings
HTTPS: All API communications use HTTPS/TLS
Minimal Permissions: OAuth client should have only required API permissions
Network Security: Consider implementing network restrictions if required

Support

For issues related to:

BeyondTrust PM Cloud API: Contact BeyondTrust support
Microsoft Sentinel/Log Analytics: Contact Microsoft support
Data Connector Issues: Review logs and documentation

Cost Considerations

Azure Functions: Consumption plan charges per execution
Log Analytics: Charges based on data ingestion volume
Storage: Minimal cost for state management tables

Estimated monthly costs depend on data volume and polling frequency. Monitor usage through Azure Cost Management.

Version History

v3.0: Initial release with Activity Audits and Client Events support
OAuth 2.0 authentication with automatic token refresh
Rate limiting and state management
Configurable polling intervals
Comprehensive error handling and logging

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Connectors Index