BeyondTrust Privileged Management Cloud for Microsoft Sentinel

Solution: BeyondTrustPMCloud



| Attribute | Value |
|---|---|
| Publisher | BeyondTrust |
| Support Tier | Partner |
| Support Link | https://www.beyondtrust.com/ |
| Categories | domains |
| Version | 3.0.0 |
| Author | BeyondTrust - mysupport@beyondtrust.com |
| First Published | 2025-10-31 |
| Last Updated | 2026-02-27 |
| Solution Folder | BeyondTrustPMCloud |
| Marketplace | Azure Marketplace · Popularity: ⚪ Very Low (0%) |

The BeyondTrust PM Cloud solution provides a data connector to ingest activity audit logs and client event logs from BeyondTrust Privilege Management Cloud into Microsoft Sentinel.

Underlying Microsoft Technologies used:

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

a. Azure Monitor Logs Ingestion API

b. Azure Functions

Contents

Data Connectors

This solution provides 1 data connector(s):

Tables Used

This solution uses 2 table(s):

| Table | Used By Connectors | Used By Content |
|---|---|---|
| BeyondTrustPM_ActivityAudits_CL | BeyondTrust PM Cloud | Workbooks |
| BeyondTrustPM_ClientEvents_CL | BeyondTrust PM Cloud | Workbooks |

Content Items

This solution includes 1 content item(s):

| Content Type | Count |
|---|---|
| Workbooks | 1 |

Workbooks

| Name | Tables Used |
|---|---|
| BeyondTrustPMCloud | BeyondTrustPM_ActivityAudits_CL, BeyondTrustPM_ClientEvents_CL |

Additional Documentation

📄 Source: BeyondTrustPMCloud/README.md

Solution Overview

The BeyondTrust PM Cloud solution provides comprehensive visibility into privilege management activities and endpoint security events from BeyondTrust Privilege Management Cloud.

Included Components:

  - Data Connectors: 1
  - Workbooks: 1


Connector Attributes

| Connector attribute | Description |
|---|---|
| Azure function app code | https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/BeyondTrustPMCloud/Data%20Connectors |
| Log Analytics table(s) | BeyondTrustPM_ActivityAudits_CL, BeyondTrustPM_ClientEvents_CL |
| Data collection rules support | Yes (Logs Ingestion API with DCRs) |
| Supported by | BeyondTrust |

Data Tables

The connector automatically creates two custom tables in your Log Analytics workspace during deployment:

The data connector retrieves data from two primary API endpoints:

  1. Activity Audits (/v3/ActivityAudits/Details) - Administrative and configuration activities
  2. Client Events (/v3/Events/FromStartDate) - Endpoint security events in ECS format

The connector uses:

  - Authentication: OAuth 2.0 client credentials flow
  - Ingestion: Azure Monitor Logs Ingestion API with Data Collection Rules (DCRs)
  - Rate Limiting: Compliance with BeyondTrust API limits (1000 requests per 100 seconds)
  - State Management: Azure Table Storage for incremental data retrieval

Query Samples

All Activity Audits

BeyondTrustPM_ActivityAudits_CL
| sort by TimeGenerated desc

All Client Events

BeyondTrustPM_ClientEvents_CL
| sort by TimeGenerated desc

Prerequisites

To integrate with BeyondTrust PM Cloud make sure you have the following:

[Content truncated...]

Release Notes

| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.0 | 31-10-2025 | Initial Release |
