Description
BeyondTrust Identity Security Insights is an identity-threat and exposure analytics product: it surfaces detections and recommendations across identity-related risk (accounts, identities, tenant context, and related entities).
The Elastic integration should make Insights detections and recommendations first-class in Elastic: searchable, alertable, and easy to correlate with broader identity, endpoint, and cloud telemetry, whether data lands via BeyondTrust’s native Elastic forwarding or a customer-controlled webhook path.
Lab access available upon request.
Architecture
Vendor-native Elastic path (documented today): Identity Security Insights can push to Elastic using Elastic Cloud ID and an API key configured under Menu → Integrations → Elastic (see BeyondTrust docs). Forwarded documents are oriented around ECS; vendor documentation cites ecs.version 8.7.0 and fields such as message, tags, labels (e.g. current status), event.* (id, url, reason, severity, code), rule.* (id, description, version), and impacted_entities entries (entity id/type, tenant id, name, description). The Elastic package README and field reference should align with this mapping where it matches customer-indexed data, and call out any ECS version drift or indexing details.
Webhook path (generic HTTP): Insights supports webhooks with a JSON template and substitution variables (e.g. %%incidentId%%, %%tenantId%%, %%incidentType%%, %%severity%%, %%definitionId%%, %%definitionSummary%%, %%source%%, %%location%%, %%entityType%%, %%entityName%%, %%timestamp%%, %%link%%), plus optional Basic or Bearer auth and custom headers. For customers not using vendor-native Elastic push or for multi-destination designs the integration can define a supported path with an ingest pipeline that normalizes webhook payloads to the same ECS-oriented schema as the native path where possible.
References
Description
BeyondTrust Identity Security Insights is an identity-threat and exposure analytics product: it surfaces detections and recommendations across identity-related risk (accounts, identities, tenant context, and related entities).
The Elastic integration should make Insights detections and recommendations first-class in Elastic: searchable, alertable, and easy to correlate with broader identity, endpoint, and cloud telemetry, whether data lands via BeyondTrust’s native Elastic forwarding or a customer-controlled webhook path.
Lab access available upon request.
Architecture
Vendor-native Elastic path (documented today): Identity Security Insights can push to Elastic using Elastic Cloud ID and an API key configured under Menu → Integrations → Elastic (see BeyondTrust docs). Forwarded documents are oriented around ECS; vendor documentation cites
ecs.version8.7.0and fields such asmessage,tags,labels(e.g. current status),event.*(id, url, reason, severity, code),rule.*(id, description, version), andimpacted_entitiesentries (entity id/type, tenant id, name, description). The Elastic package README and field reference should align with this mapping where it matches customer-indexed data, and call out any ECS version drift or indexing details.Webhook path (generic HTTP): Insights supports webhooks with a JSON template and substitution variables (e.g.
%%incidentId%%,%%tenantId%%,%%incidentType%%,%%severity%%,%%definitionId%%,%%definitionSummary%%,%%source%%,%%location%%,%%entityType%%,%%entityName%%,%%timestamp%%,%%link%%), plus optional Basic or Bearer auth and custom headers. For customers not using vendor-native Elastic push or for multi-destination designs the integration can define a supported path with an ingest pipeline that normalizes webhook payloads to the same ECS-oriented schema as the native path where possible.References