New Third Party Integration Guide - BeyondTrust · 2019. 6. 24. · SailPoint 23 Overview 23 CreatetheConnector 24 CreateaSailPointUserGroup 25 ... installation. • ACPmustbeconfiguredinCyberArk'sPasswordVaultwebinterface(PVWA)

BeyondInsightThird Party Integration Guide

Version 6.3 – April 2017

Revision/Update Information: April 2017Software Version: BeyondInsight 6.3Revision Number: 0

CORPORATE HEADQUARTERS

5090 N. 40th StreetPhoenix, AZ 85018Phone: 1 818-575-4000

COPYRIGHT NOTICECopyright © 2017 BeyondTrust Software, Inc. All rights reserved.The information contained in this document is subject to change without notice.

No part of this document may be photocopied, reproduced or copied or translated in any manner to anotherlanguage without the prior written consent of BeyondTrust Software.

BeyondTrust Software is not liable for errors contained herein or for any direct, indirect, special, incidental orconsequential damages, including lost profit or lost data, whether based on warranty, contract, tort, or any otherlegal theory in connection with the furnishing, performance, or use of this material.

All brand names and product names used in this document are trademarks, registered trademarks, or trade namesof their respective holders. BeyondTrust Software is not associated with any other vendors or products mentionedin this document.

Contents

Contents 3

Introduction 5

Documentation for BeyondInsight 5Contacting Support 5

Telephone 5Privileged Account Management Support 5

Vulnerability Management Support 5

All other Regions: 5Online 5

Overview 6

BeyondTrust Integration Points 6Event Log Forwarding 7SNMP Trap Forwarding 7

FireEye 10

Exabeam 11

Kenna API Connector 12

HP ArcSight 13

LogRhythm Syslog 14

McAfee Syslog 15

NetIQ Sentinel 17

Palo Alto 18

IBM QRadar 20

Splunk 21

Setting up the Connector 21Viewing Events in Splunk 22

SailPoint 23

Overview 23Create the Connector 24Create a SailPoint User Group 25Viewing Permissions in IdentityIQ 26

Configuring a ServiceNow Export Connector 28

Contents

BeyondInsight Third Party Integration 3 © 2017. BeyondTrust Software, Inc.

Example Configurations 28Export Assets 28

Suggested Mappings 28

Export Vulnerabilities 29Suggested Mappings 29

Export Assets and Export Vulnerabilities both checked 29Suggested Asset Mappings 29

Suggested Asset Mappings 30

Creating a Connector 30Creating a Smart Group 31Changing the Processing Frequency 31Importing the BeyondInsight Update Set 32

STIX / TAXII Connector 33

Syslog Connector 34

Third Party Credential Provider 35

Prerequisites 35Managing Credentials in BeyondInsight 38

Configuring a ServiceNow Asset Import Connector 39

Configuring the Connector 39Creating a Smart Group 39Changing the Batch Size Limit 40

BMC Remedy 41

Creating a Connector to your BMC Remedy Server 41Creating a Smart Group 42Exporting the Data 43

Contents


IntroductionThis guide provides instructions for using third party connectors to BeyondInsight.

This section includes a list of documentation for the product and where to get additional product information.

Documentation for BeyondInsightThe complete BeyondInsight documentation set includes the following:

• BeyondInsight Installation Guide

• BeyondInsight User Guide

• BeyondInsight Analytics and Reporting User Guide

• Third Party Integration Guide

If you are working with any of the BeyondInsight modules, refer to the product documentation for additionalinformation about that module.

Contacting SupportFor support, go to our Customer Portal then follow the link to the product you need assistance with.

The Customer Portal contains information regarding contacting Technical Support by telephone and chat, alongwith product downloads, product installers, license management, account, latest product releases, productdocumentation, webcasts and product demos.

Telephone

Privileged Account Management SupportWithin Continental United States: 800.234.9072 Outside Continental United States: 818.575.4040

Vulnerability Management SupportNorth/South America: 866.529.2201 | 949.333.1997

+ enter access code

All other Regions:Standard Support: 949.333.1995

+ enter access code

Platinum Support: 949.333.1996

+ enter access code

Onlinehttp://www.beyondtrust.com/Resources/Support/

Introduction


http://www.beyondtrust.com/Resources/Support/

http://www.beyondtrust.com/Resources/Support/

OverviewThe BeyondInsight management console enables teams to centrally manage organization-wide IT security andcompliance initiatives from a single, web-based console. It provides discovery, prioritization, and remediation ofsecurity risks by delivering what matters the most – context.

BeyondInsight is the centerpiece of the BeyondTrust vision of Context Aware Security Intelligence which helpsorganizations answer the most pressing questions in security – what to fix first, what to fix next and why.

BeyondInsight does this through unmatched security intelligence and analytics for your entire IT landscape.

This document is intended to discuss the complementary technologies that Retina, PB EPP, PBW, PBUL, PBPS, andBeyondInsight offer to an existing infrastructure; with a technology view into escalating critical security events intoany third party solution. It highlights a critical step in the process for user and asset security events to be escalatedthe same way network management and automated help desk solutions perform these functions in a traditionalinformation technology infrastructure.

BeyondTrust Integration Points

Overview


BeyondTrust then has several integration points for access to this data. Below are the most common techniques forthird party integration.

Event Log ForwardingOne of the many functions of BeyondInsight is to duplicate stored events within the Windows Application Log. ForBeyondInsight, this setting can be found in the BeyondInsight Connectors tab, and allows for PowerBroker andRetina events (with user defined filters) to be duplicated in the log so that a log-monitoring tool or log scraper canmonitor for critical events. The high level workflow is illustrated below:

To activate this feature, go to the BeyondInsight Connectors tab and apply the appropriate settings and filters forthe Local Event Log Connector:

SNMP Trap ForwardingBeyondInsight, PowerBroker EPP, and the Retina Network Security Scanner can forward SNMP traps using versions1, 2, or 3. BeyondInsight, Retina, and specific PowerBroker solutions are also capable of forwarding events througha Syslog Dameon.

With this forwarding function, it is feasible to integrate critical event information directly into a NMS, SIM, NAC, orother log consolidation or event management system. BeyondTrust provides a standard SNMP MIB (EEYE-RETINA_EVENT-MIB) for decoding traps at the destination and is available in the “C:\Program Files\BeyondTrust\Retina5\Help\Snmp Directory”. This MIB is valid for Retina, PowerBroker, and BeyondInsight.

In BeyondInsight, the configuration for SNMP Trap Forwarding and Syslog Event Forwarding is found in theBeyondInsight Connector tab. Both protocols work for all data aggregated by PowerBroker or Retina withinBeyondInsight. Please note: PowerBroker UNIX Linux and PowerBroker EPP have limited capabilities directlywithin the solution. Below is a screenshot for each of these connectors:

Overview


Overview


Overview


FireEyeThe FireEye Threat Analytics Platform (TAP) generates events securely using the cloud connector. Create theFireEye connector to send BeyondInsight events to the FireEye TAP server.

You need a FireEye Comm Broker Sender installed and available to BeyondInsight. Refer to your FireEyedocumentation or vendor to ensure the proper installation of the Comm Broker Sender.

To configure a FireEye connector:

1. Log on to BeyondInsight management console, and select the Configure tab.2. Select Connectors.3. Click +, and then select FireEye TAP Cloud Collector.

4. Provide a connector name.5. Select the Enable Event Forwarding check box.6. Provide the required details for your FireEye Comm Broker Sender, including: protocol, host name, and port.7. Select the events that you want to forward.8. Click Update.

FireEye


ExabeamCreate an Exabeam connector to send all selected event data in CEF format to the Exabeam server.

To configure:

1. Log on to BeyondInsight management console, and select the Configure tab.2. Select Connectors.3. Click +, and then select Exabeam Event Forwarding.4. Enter a connector name.5. Select the Enable Event Forwarding check box.6. Select the protocol: TCP, TCP-SSL, UDP.7. Enter the host name and port for the Exabeam server.8. Select the events that you want to forward.

9. Click Verify to ensure connectivity to the server is successful.10. Click Update.

Exabeam


Kenna API ConnectorCreate a connector to forward BeyondInsight events to Kenna Security using Kenna's REST API.

You must install BeyondInsight connector in your Kenna instance. Note the connector ID from the URL.

To create a Kenna connector:

1. Log on to BeyondInsight management console, and select the Configure tab.2. Select Connectors.3. Click +, and then select Kenna API Connector.4. Enter a connector name.5. Select the Enable Event Forwarding check box.6. In the Schedule Options, enter a processing interval of 300 seconds (default) or longer. Generating reports

might be process intensive depending on your environment. Enter a longer interval that suits your reportingrequirements.

7. Select an endpoint:– Kenna API Connector – The Kenna API server details.

– Host Name - The URL for your Kenna instance. For example, https://<yourinstance>/kennasecurity.com.

– Kenna API Key - The Kenna API key for your Kenna instance Settings -> Applications.

– Kenna Connector ID - The Connector ID for the 'BeyondInsight scanner' added to your Kenna instance.The ID can be found in the URL of the connector details page. For example, https://<yourinstance>/kennasecurity.com/connectors/12345 where '12345' is the connector ID.

8. Click Send Test Event to ensure that events are sent to the Kenna endpoint.9. Click Verify to ensure connectivity to the server is successful.10. Click Update.

Kenna API Connector


HP ArcSightHP ArcSight is a security management application that combines event correlation and security analytics to identifyand prioritize threats.

In BeyondInsight 6.0 and later, a dedicated ArcSight connector using CEF format is available. Use the connectorover Syslog.

To configure:

1. Log on to BeyondInsight management console, and select the Configure tab.2. Select Connectors.3. Click +, and then select HP ArcSight Event Forwarding.4. Select the Enable Event Forwarding check box.

5. Select the protocol: TCP, TCP-SSL, UDP.6. Enter the host name and port for the ArcSight server.7. Select the events that you want to forward.8. Click Update.

HP ArcSight


LogRhythm SyslogCreate a LogRhythm connector to forward BeyondInsight events to the LogRhythm server.

1. Log on to BeyondInsight management console, and select the Configure tab.2. Select Connectors.3. Click +, and then select LogRhythm Syslog.4. Provide a connector name.5. Select the Enable Event Forwarding check box.

6. Select an optional syslog facility from the list.7. Provide the required details for the LogRhythm server, including: protocol, host name, and port.8. Select the events that you want to forward.9. Click Update.

LogRhythm Syslog


McAfee SyslogMcAfee Enterprise Security Manager (ESM) is the foundation of the McAfee security information and eventmanagement solution (SIEM).

Create a connector to forward all data types to McAfee Enterprise Security Manager.

You must configure your McAfee SIEM Solution to receive Syslog Data Sources. Refer to the McAfeedocumentation "Adding Syslog Data Sources to the McAfee SIEM Solution"https://community.mcafee.com/docs/DOC-6225.

To configure:

1. Log on to BeyondInsight management console, and select the Configure tab.2. Select Connectors.3. Click +, and then selectMcAfee ESM Syslog.4. Provide a connector name.5. Select the Enable Event Forwarding check box.6. Select an output format: NewLine Delimited (Default) or Tab Delimited.7. Select an optional syslog facility from the list.8. Provide the required details for the McAfee Syslog data source, including: protocol, host name, and port.9. Select the events that you want to forward.

10. Click Update.

McAfee Syslog


https://community.mcafee.com/docs/DOC-6225

McAfee Syslog


NetIQ SentinelCreate a NetIQ connector to forward BeyondInsight events to the NetIQ Sentinel server in the LEEF format.

1. Log on to the management console, and select the Configure tab.2. Select Connectors.3. Click +, and then selectNetIQ Sentinel Event Forwarding.4. Provide a connector name.5. Select the Enable Event Forwarding check box.6. Select an optional syslog facility from the list.7. Provide the required details for the Sentinel server, including: protocol, host name, and port.8. Select the events that you want to forward.

9. Click Verify to ensure connectivity to the server is successful.10. Click Update.

NetIQ Sentinel


Palo AltoBefore you create the Palo Alto connector, create an address group that includes the IP addresses.

To configure a Palo Alto connector:

1. Log on to the BeyondInsightmanagement console, and select the Configure tab.2. Select Connectors.3. Click +, and then select Palo Alto Connector.

4. Provide a connector name and description.5. Enter the URL address for the Palo Alto service, including the credential to access the site. Click Test

Connection to ensure the BeyondInsight server can reach the Palo Alto server.6. By default, a Palo Alto Workgroup is selected. The workgroup will be created when the connector is created.

Palo Alto


7. Select the address group that you created from the list.8. Select the Active check box to turn on synchronization.9. Select scheduling settings for when the synchronization runs.10. Select the Run immediate check box to start the synchronization after you click Update.The first synchronization can take time. The first run includes importing the vulnerability definitions.

Palo Alto


IBM QRadarIBM QRadar is a security intelligence platform that provides a unified architecture for integrating securityinformation and event management solutions.

Create a QRadar connector to send selected event data in QRadar LEEF format.

To configure a QRadar connector:

1. Log on to the management console, and select the Configure tab.2. Select Connectors.3. Click +, and then select IBM QRadar.4. Provide a connector name.5. Select the Enable Event Forwarding check box.

6. Provide the required details for the QRadar server, including: protocol, host name, and port.7. Select the events that you want to forward.8. Click Update.

IBM QRadar


SplunkSIEM products, like Splunk HTTP Event Collector, correlate information from an extensive list of security andoperational solutions to gain visibility and context within an IT environment. This procedure documents how tointegrate BeyondInsight and Splunk to help improve visibility and the decision-making processes with vulnerabilitydata.

Events from BeyondTrust's privilege access and vulnerability management tools can be forwarded to Splunk,including events from PowerBroker for Windows, PowerBroker for Unix & Linux, Retina, PowerBroker for Mac.

Setting up the ConnectorRefer to Splunk product documentation for more details on the parameters set in the connector.

As a prerequisite, you must configure an HTTP Event Collector data source in Splunk and note the API key for theconfiguration settings in the following procedure.

To configure the connection to your Splunk host:

1. Log on to BeyondInsight management console, and select the Configure tab.2. Select Connectors.3. Click +, and then select Splunk HTTP EC.

4. Enter a connector name. Required. There are no requirements on naming convention.5. Select the Enable Event Forwarding check box.6. Enter the following details for the Splunk server:

– Host name - Required. The host name or IP address for your Splunk server.

– Port - Port is required. The default is 8088.

Splunk


– Splunk API key - Required.

– Splunk Index - The name of the data repository on the Splunk server.

– Splunk Source Type - Data structure identifier for an event. The value is assigned to the event datacollected.

– Splunk Source - Source value to assign to the event data. For example, set this key to the name of theapplication you are gathering events from.

– Splunk Host - The host name for the server that you are sending events to.

7. Select the events that you want to forward.8. Click Verify.9. Click Update.

Viewing Events in SplunkAfter the data is forwarded from BeyondInsight to Splunk, you can take advantage of the view, search, and reportfeatures in Splunk.

The following example shows a search on OS set at "Windows, Microsoft,Windows, 7x64, Service Pack 1"

Output all the events that match on OS.

Splunk


SailPointIdentityIQ is an identity and access management solution from SailPoint.

User accounts and roles created in IdentityIQ can be imported and managed in BeyondInsight.

OverviewThe following illustrations show the use cases for SailPoint and BeyondInsight.

The first use case imports SailPoint user groups (based on SailPoint roles) in to BeyondInsight.

The second use case, sends and synchronizes permissions in BeyondInsight to IdentityIQ.

SailPoint


Create the Connector1. Log on to BeyondInsight management console, and select the Configure tab.2. Select Connectors.3. Click +, and then select SailPoint Integration.4. Select the Enable SailPoint Integration check box, and then provide the following information:

– Host - The IP address or host name of the SailPoint instance.

– Port - The port to use to connect to the SailPoint MySQL instance.

– Database - Select a database type from the list: MySQL, Oracle, DB2, Microsoft SQL Server.

Note: If you are using DB2, you must install a driver package on the BeyondInsight server. The name ofthe package: ibm_data_server_driver_package_win64_v11.1. You can download the packagefrom the following web site:http://www-01.ibm.com/support/docview.wss?uid=swg21385217. Set the path in the Path toDB2 DLL box as shown in the screen capture.

– Username / Password - The database credential. The user needs Read/Write access to the STI databaseand Read access to the IdentityIQ database.

SailPoint


http://www-01.ibm.com/support/docview.wss?uid=swg21385217

5. Click Update.

After you create the connector, you can proceed with additional configuration.

Create a SailPoint User Group1. Log on to BeyondInsight management console, and select the Configure tab.2. Select Accounts.3. Click +, and then select SailPoint Group.

SailPoint


4. Select a SailPoint role from the list that you want to import.

5. Assign permissions for this BeyondInsight group.6. Click Create.The user accounts will be imported from SailPoint. You can then log on as these users in BeyondInsight andPasswordSafe using their Active Directory credentials.

Viewing Permissions in IdentityIQPeriodically the permissions and users will be synchronized with SailPoint.

You can view BeyondInsight and PasswordSafe permissions in SailPoint by performing the following:

1. Log on to IdentityIQ.2. You can view the permissions in one of two places. The first is on the BeyondInsight application:3. Click the Define tab, and then select Applications.4. Select BeyondInsight from the list.5. Go to the Accounts tab.You will see all the users associated with BeyondInsight. Click on a user to view BeyondInsight attributes.

SailPoint


The other way to view this data is by finding the user you are interested in:

1. Under the Define tab, select Identities.2. Enter the user name in the filter criteria box and search.3. Click the user name to view details.4. Navigate to the Application Accounts tab.5. Look for the BeyondInsight application and click the arrow next to it.

You will see the BeyondInsight specific attributes for this user.

Now that you can access the user specific data, clicking on any of the roles the user is associated with underBeyondInsights’ attributes will open a pop-up displaying more information.

Navigating to the Object properties tab will display its permissions query which will display all of BeyondInsight’sPAM permission data.

SailPoint


Configuring a ServiceNow Export ConnectorYou can export asset and vulnerability data from BeyondInsight to your ServiceNow server.

To configure a ServiceNow connector, you must:

• Create a connection to your ServiceNow instance.

• Create a Smart Group. The parameters configured in the Smart Group include the assets (and data) that will beexported to ServiceNow. After the Smart Rule is created, the data in the rule will be refreshed and exportedevery hour (if necessary, based on the Smart Rule Action expiration period).

Example Configurations

Export AssetsExport Assets

• AssetID must be mapped to a ServiceNow field

• Mapping the BeyondInsight VulnerabilityID field on the asset web service configuration will result in an assetrecord being created in Service Now for each vulnerability that it is associated with that asset.

• The ServiceNow field “name” must be mapped if Assets are being exported

BeyondInsight Asset fields available for export:

AssetID AssetName AssetRisk

DateAdded DnsName IpAddress

OperatingSystem SmartGroupName

VulnerabilityID Workgroup

Suggested MappingsServiceNow Field Data Type Asset Field Literal Value

correlation_id or customcorrelation_id field

String AssetID

correlation_display or customcorrelation_display field

String (Literal Value) BeyondInsight Asset

name String AssetName

ip_address String IpAddress

Os String OperatingSystem

Mapping of other fields as determined by user requirements

Configuring a ServiceNow Export Connector


Export Vulnerabilities• Only vulnerabilities in the selected audit group will be exported. All vulnerabilities for all assets will be

exported if no audit group is selected.

• The ServiceNow field “correlation_id” must be mapped if Vulnerabilities are being exported. BeyondInsightVulnerability fields available for export:

BeyondInsight Vulnerability fields available for export:

AssetID CCEIds CVEIds

Category FirstOccurred LastOccurred

Severity VulnerabilityID VulnerabilityName

VulnerabilityDescription

Suggested MappingsServiceNow Field Data Type Asset Field Literal Value


String VulnerabilityID


String (Literal Value) BeyondInsight Vulnerability

short_description String VulnerabilityName

Work_notes String VulnerabilityDescription

Impaxt String Severity


Export Assets and Export Vulnerabilities both checkedThe following connector configuration will send for each Smart Rule the Asset once, and the list of vulnerabilitiesone by one for each Asset.

The VulnerabilityID must not be present on the Asset portion of the connector.

Suggested Asset MappingsServiceNow Field Data Type Asset Field Literal Value


String AssetID


String (Literal Value) BeyondInsight Asset

name String AssetName



ip_address String IpAddress

Os String OperatingSystem


Suggested Asset MappingsServiceNow Field Data Type Asset Field Literal Value


String AssetID


String (Literal Value) BeyondInsight Vulnerability

short_description String VulnerabilityName

Work_notes String VulnerabilityDescription

Impact String Severity

Determined by user String VulnerabilityID


Creating a ConnectorTo create a connector:

1. Click the Configure tab, then click the Connectors tab.2. Click +, then click ServiceNow Connector.3. Enter a connector name, and a ServiceNow user name and password. The connector name can be any name.

The credentials for the ServiceNow system must provide access to the web service and be able to createrequests.

The Active check box is selected by default. Data is only exported when the check box is selected.

4. If you are using an older version of ServiceNow and you are using update sets, select the Using Update Setcheck box.

5. Select the check boxes depending on the data that you want to export: Export Assets, Export Vulnerabilities.You can select both.

6. For the export options, enter the following information:– Web Service URL - Enter the URL to the ServiceNow instance.

– Extended Field Mappings

– Enter the field mappings. See Example Configurations.

7. Click Test to ensure the connection to the ServiceNow instance is working. (Optional).8. Click Update to save the settings.



Creating a Smart GroupAssets and vulnerabilities exported are defined in the Smart Group.

After the Smart Group is created, the data in the rule is processed and exported every hour. You can change theprocessing time in the RemManagerSvc.exe.config file. See Changing the Processing Frequency.

To configure a Smart Group:

1. Configure the Smart Group. Refer to the BeyondInsight User Guide, section Creating a Smart Rule.2. In the Perform Actions area, select Export Data.3. Select the name of the connector.4. Select an audit group from the list.

Only vulnerabilities in the selected audit group will be exported. All vulnerabilities for all assets will beexported if no audit group is selected.

5. Enter the expiration period, in days.Assets and vulnerabilities (depending on what is defined in the collector details) are only exported once in thedefined expiration period.

However, an item (asset or vulnerability) might be exported more than once. This might occur if, for anyreason, the item is not included in the Smart Group but then is included again later.

After the expiration period passes, the item is exported again if it remains in the Smart Group.

6. Click Save.

Changing the Processing FrequencyYou can set the processing frequency value in the RemManagerSvc.exe.config file located in the BeyondInsightinstallation directory. Change the referenceTime value.<Process name="DataExportProcessor" assembly="" order="13" active="true"accessType="internal"><Handlers>

<Handler name="DataExportHandler" handlerType="1" runFrequency="1"frequencyType="h" referenceTime="1:00" namespace="" order="0"active="true"></Handler>

</Handlers></Process>



Importing the BeyondInsight Update SetThe update set provides the BeyondInsight modules and menus in your ServiceNow instance. The BeyondInsightupdate set file that you must import to your ServiceNow instance is located in the following installation directory:

%\Program Files(x86)\eEye Digital Security\Retina CS\ServiceNow

For more information, go to ServiceNow's web site:

http://wiki.servicenow.com/index.php?title=Transferring_Update_Sets



http://wiki.servicenow.com/index.php?title=Transferring_Update_Sets

STIX / TAXII ConnectorYou can create a connector in BeyondInsight to forward and receive privilege and vulnerability events that adhereto the STIX and TAXII industry standard specifications.

The BeyondInsight STIX/TAXII connector submits a STIX Incident Report to a TAXII Inbox service. You must have anappropriate Inbox Service configured on your TAXII services.

To configure:

1. Log on to BeyondInsight management console, and select the Configure tab.2. Select Connectors.3. Click +, and then select STIX/TAXII Connector.4. Enter a connector name.5. Select the Enable Event Forwarding check box.6. Set the processing interval. The default is 300 seconds (5 minutes).7. Select the endpoint TAXII Client from the menu, and then enter the following information for the TAXII server:

– TAXII version – Select the version of TAXII on your server.

– Host Name – The URL to your TAXII Inbox service. For example,https://taxii.mitre.org/services/inbox/default/

– Authentication – Select an authentication type: Basic or None.

– Username/Password – If you select Basic authentication, enter the user name and password to access theTAXII Inbox service.

8. Click Send Test Event to ensure that events are sent to the Inbox service.9. Click Verify to ensure connectivity to the server is successful.10. Click Update.

STIX / TAXII Connector


Syslog ConnectorCreate a syslog connector to forward BeyondInsight events to the syslog server.

1. Log on to BeyondInsight management console, and select the Configure tab.2. Select Connectors.3. Click +, and then select LogRhythm Syslog.4. Provide a connector name.5. Select the Enable Event Forwarding check box.6. Select an output format: NewLine Delimited (Default) or Tab Delimited.

7. Provide the required details for the syslog server, including: protocol, host name, and port.8. Select the events that you want to forward.9. Click Update.

Syslog Connector


Third Party Credential ProviderYou can create a Third Party Credential Provider connector that can be configured to support credential providersthat accept SOAP requests to a web service. You can then use this credential to run a Retina scan.

After you create the connector:

• You can edit the connector from the Credential Management dialog box (accessible when selecting credentialsfor a scan).

• You can configure a Retina scan using the credential provided in the connector.

Note: You must be logged on as a BeyondInsight administrator to configure a third party credential provider.

PrerequisitesThe example provided here shows how to create a connector to CyberArk®'s Central Credential Provider (CCP), aSOAP API.

• You need a CCP installation including the Application Credential Provider (ACP) that is available with a CCPinstallation.

• ACP must be configured in CyberArk's Password Vault web interface (PVWA).

• The application and the credential provider user need access to the account used for scanning with Retina.

For more information, refer to the CyberArk product documentation (Central Credential Provider ImplementationGuide, Privileged Account Security Implementation Guide).

Note: The ACP by default is set to cache passwords for 3 minutes. This might cause the scan account’s passwordnot being up to date when requested from Retina. The CacheLevel parameter can either be configuredduring ACP setup , or in the AppProvider configuration found in the CyberArkApplicationPasswordProvider\Env directory.

To create a Third Party Credential Provider connector:

1. Log on to BeyondInsight management console, and select the Configure tab.2. Select Connectors.3. Click +, and then select Third Party Credential Provider.4. Enter the following details:

– Third Party Name – The name of the provider.

– Access Key – The key the user is required to enter when selecting credentials for a scan. The access keyon the connector can be changed—all credentials created by the connector will reflect the change in theiraccess key.

– Credential Type – The type of credential the connector will be creating. The credential type on connectorcan be changed—all credentials created by the connector will reflect the change in the credential type.

– Authentication Type – The web request authentication type.

– URL – The URL for the third party provider's web server.

– Namespace – The namespace of the request that the third party is expecting.

Third Party Credential Provider


– SOAP Action – The request action that the third party is expecting for password requests.

– SOAP Action Response – The request response sent from the third party.

– Request Fields – The path field is a path to the xml element where you will be storing data to send to theserver. Text separated by a slash (/) indicates XML element nesting.

Set the following fields:

Path Data TypepasswordWSRequest/AppID StringpasswordWSRequest/Safe StringpasswordWSRequest/Folder StringpasswordWSRequest/Object StringpasswordWSRequest/Reason String

– Outbound Data (CSV) – The data inserted into the "Request Fields". It is a CSV format—use a comma toseparate values. Separate different credentials with a newline. The number of values defined must matchwith the number of request fields.

Example

AppID Safe Folder Object ReasonAIMWebService,ScanAccounts,root,Operating System-WinServerLocal-Server03-scanacct,VulnerabilityScan

Note: The object needs to be the object name not the account name.



– Response Fields – The response that comes back. The path is an XPath (already beginning with a doubleslash, //) that must locate an XML element that contains the data that corresponds to the Field Name. TheDomain and Description fields are optional.

Path Data Type Field Namesns:GetPasswordResult/ns:UserName String User namens:GetPasswordResult/ns:Content String Passwordns:key[text()=’Description’]/following::ns:value[1] String Domainns:key[text()=’Domain’]/following::ns:value[1] String Description

The connector automatically generates a description if one is not available. The format is: 'third partyconnector name - user name [guid]'. The guid value is only displayed if the user name is not unique.

5. Click Test to verify connectivity to the server and ensure syntax is correct.6. Click Update.



Managing Credentials in BeyondInsightAfter you create the Third Party Credential Provider connector, you can manage the credentials in BeyondInsight.

For example, when you are setting up a scan and selecting the credentials, the credentials can be accessed on theCredential Management dialog box:



Configuring a ServiceNow Asset Import ConnectorYou can create a connector to ServiceNow that imports the asset information to the BeyondInsight database.

To configure the ServiceNow asset import connector, you must:

• Create a connection to your ServiceNow instance.

• Create a Smart Group. The parameters configured in the Smart Group include the assets (host and IP address)that will be imported from ServiceNow.

Configuring the ConnectorAfter the connector is tested and saved, each scheduled run retrieves ServiceNow data from the defined table thathas an entry in one of the defined fields (valid IP address or DNS defined).

Note that there might be a large number of records to import from ServiceNow. You can change the default valuein the RemManagerSvc.ece.config file. See Changing the Batch Size Limit.

After the data is retrieved, the data is stored in the BeyondInsight database.

To create the connector:

1. Click the Configure tab, then click the Connectors tab.2. Click +, then click ServiceNow Asset Importer.3. Enter a connector name.

The connector name can be any name.

4. Enter a ServiceNow user name and password.The credentials for the ServiceNow system must provide access to the web service and be able to createrequests.

5. Enter the ServiceNow URL.6. Enter the information for the ServiceNow tables that you want to import to BeyondInsight. The default values

are IP address and FQDN.The Active check box is selected by default. Asset data is only imported from ServiceNow when the check boxis selected.

7. Set the scheduling options to synchronize ServiceNow with the BeyondInsight database.8. Click Test to ensure the connection to the ServiceNow instance is working. (Optional).9. Click Update to save the settings.

Creating a Smart GroupAfter the data is in the BeyondInsight database, you can create a Smart Group based on the ServiceNow assets.When creating the Smart Group, ensure that you select the Asset Selection criteria, ServiceNow Assets, as shown:

Configuring a ServiceNow Asset Import Connector


When the Smart Group processes, the DNS name is always used when it exists. The IP address is used to determineassets in the Smart Group when the check box is selected.

Changing the Batch Size LimitDepending on the environment, there might be a large number of records to import.

You can set the Import Batch Limit value in the RemManagerSvc.exe.config file located in the BeyondInsightinstallation directory. The default limit set in the file is 5,000. You cannot enter a value greater than 10,000.<Process name="servicenowimportshandler" assembly="" order="17" active="true"

accessType="internal"><Handlers>

<Handler name="ServiceNowImportsHandler" handlerType="1"runFrequency="3"frequencyType="m" referenceTime="1:00" namespace=""order="0" active="true" importBatchLimit="5000"></Handler>

</Handlers></Process>

Configuring a ServiceNow Asset Import Connector


BMC RemedyYou can export asset and vulnerability data from BeyondInsight to your BMC Remedy server.

To configure BeyondInsight, you must:

• Create a connector to Remedy.

• Create a Smart Group. The parameters configured in the Smart Group include the assets (and data) that will beexported to the Remedy system.

Your Remedy system must already have forms created to accept asset and vulnerability information.

Creating a Connector to your BMC Remedy ServerSettings from your Remedy WSDL file are required to create the connector.

Sample data from aWSDL file:

Note: Remedy web service endpoints expect a sortable date format. For example, 2009-06-15T13:45:30.

However, you can override the default format in the registry with a valid .NET date format string:

HKEY_LOCAL_MACHINE\SOFTWARE\eEye\RetinaCS\RemedyExportDateFormatString

View examples of standard date format strings here: http://msdn.microsoft.com/en-us/library/az4se3k1.aspx

To create a connector:

1. Click the Configure tab, then click the Connectors tab.2. Click +, then click BMC Remedy Connector.3. Enter a connector name, and a Remedy user name and password.

The connector name can be any name.

The credentials for the Remedy system must provide access to the web service and be able to create requests.

The Active check box is selected by default. Data is only exported when the check box is selected.

4. Select the check boxes depending on the data that you want to export: Export Assets, Export Vulnerabilities.You can select both.

5. For the export options, enter the following information:– Web Service URL - defines the location where data will be exported.

BMC Remedy


http://msdn.microsoft.com/en-us/library/az4se3k1.aspx

http://msdn.microsoft.com/en-us/library/az4se3k1.aspx

– Target Namespace - Enter the target namespace from the WSDL file.

– SOAP Action - Enter the action as defined in the WSDL file.

– Field Mappings - Enter the fields that you want to include in the export data.

The order of the fields must match the order of the fields in the WSDL file. Use the arrows to change theorder.

6. After you provide the information, click Test to ensure a connection is established to your Remedy system.Note that the test creates a record in the Remedy system.

7. Click Update.

Creating a Smart GroupAssets and vulnerabilities exported are defined in the Smart Group.

To configure the Remedy Smart Group:

1. Configure the Smart Group as usual. See Creating a Smart Rule.2. In the Perform Actions area, select Export Data.3. Select the name of the Remedy connector.4. Select an audit group from the list.

Only vulnerabilities in the selected audit group will be exported. All vulnerabilities for all assets will beexported if no audit group is selected.

BMC Remedy


5. Enter the expiration period, in days.Assets and vulnerabilities (depending on what is defined in the collector details) are only exported once in thedefined expiration period.

However, an item (asset or vulnerability) might be exported more than once. This might occur if, for anyreason, the item is not included in the Smart Group but then is included again later.

After the expiration period passes, the item is exported again if it remains in the Smart Group.

6. Click Save.

Exporting the DataAfter the Smart Group is created, the data is set to be collected and exported every hour on the hour.

You can change the default export time in the RemManagerSvc.exe.config file located in the BeyondInsight installdirectory.

View export results in your Remedy system.

Export results or alerts on progress are not shown in BeyondInsight.

To stop exporting data, clear the Active check box on the Remedy Connector Details page.

BMC Remedy

Documents

New Third Party Integration Guide - BeyondTrust · 2019. 6. 24. · SailPoint 23 Overview 23 CreatetheConnector 24 CreateaSailPointUserGroup 25 ... installation. • ACPmustbeconfiguredinCyberArk'sPasswordVaultwebinterface(PVWA)