Draft Guide. Splunk App for BeyondTrust Password Safe and Password Safe Cloud 1.0
The Splunk App for BeyondTrust Password Safe allows customers to visualize and interpret the large number of events forwarded to Splunk by BeyondTrust. It consists of a sample of relevant reports in various formats, grouped within a single Dashboard. The main goal behind this Dashboard is to allow customers to more rapidly benefit from the integration between Password Safe and Splunk by leveraging working reports that can be used as is or as templates for custom reports.
Prerequisites:
Configure Password Safe to forward events to Splunk by following the BeyondInsight documentation:
https://www.beyondtrust.com/docs/beyondinsight-password-safe/documents/bi/integrations/bi-ps-third-party-integration.pdf
In the BeyondInsight and Password Safe third party integration guide, search for the section called Configure Splunk Event Forwarder.
Validate that Splunk is receiving events from Password Safe and/or Password Safe Cloud via Data Inputs. Adjustments may also be required so that source, sourcetype and index match the values the reports expect.
Each report in the Dashboard filters data like this: (source=password_safe OR sourcetype=beyondtrust) index=idx_beyondtrust
You can create a reserved Data Input for Password Safe in Splunk and assign desired values for the above attributes.
Next, you can import the App either from Splunkbase or from a file. Notifications will be received when updates beyond version 1.0 are available.
You can click on Apps, then Manage Apps to Browse Splunkbase and search for the Password Safe App.
If reports don’t show any data, this probably means that there is a mismatch with source or sourcetype and index. If Data Inputs or the event forwarder (Password Safe) cannot be configured for the values expected by the reports and associated queries, an alternative is to edit each report query to resolve mismatches. Each report query can also be tested with the Splunk Search App.
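One way to find such a mismatch, as an added example that is not part of the app or of BeyondTrust's documentation: the search below lists every index, host, source and sourcetype combination indexed in the last 24 hours and marks whether it satisfies the reports' filter. It assumes your role can search all indexes; the field names last_seen and matches_report_filter are made up for this example.

```spl
| tstats count max(_time) as last_seen where index=* earliest=-24h by index, host, source, sourcetype
| eval matches_report_filter=if((source=="password_safe" OR sourcetype=="beyondtrust") AND index=="idx_beyondtrust", "yes", "no")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -matches_report_filter, -count
```

Rows for the Password Safe host marked "no" show the values the events actually arrive with, which are the ones to correct in the Data Input or to substitute into the report queries. If the host does not appear at all, the events are not reaching Splunk and the forwarder or Data Input needs checking first.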
Small fix for css file location requested by Splunk, moved from /static to /appserver/static
small fix for Number of Successful Logins report
Small fix in report: Number of Successful Logins
also moved css file from /static to /app to /appserver/static to eliminate App Inspect compatibility issue.
Modified version info to align with AppInspect changes
BeyondTrust Splunk App for Password Safe and Password Safe Cloud
Version 1.0.0
June 2021
This Application includes Dashboards that are pre-configured for Password Safe
Requirements:
1- Password Safe/Cloud Connector for Splunk.
2- Corresponding Data Input (e.g. syslog tcp/514 or https/json)
3- Events in Splunk from Password Safe/Cloud
You can set either source=password_safe or sourcetype=beyondtrust at the Password Safe Connector level, or at the Data Input level.
Each report in the Dashboard filters data like this: (source=password_safe OR sourcetype=beyondtrust) index=idx_beyondtrust
It is possible to quickly edit each report to replace with desired source, sourcetype, or index.
For any question or feedback, please contact Integrations@beyondtrust.com