[New Integration] BeyondTrust Identity Security Insights

[cpascale43]

Description

BeyondTrust Identity Security Insights is an identity-threat and exposure analytics product: it surfaces detections and recommendations across identity-related risk (accounts, identities, tenant context, and related entities).

The Elastic integration should make Insights detections and recommendations first-class in Elastic: searchable, alertable, and easy to correlate with broader identity, endpoint, and cloud telemetry, whether data lands via BeyondTrust’s native Elastic forwarding or a customer-controlled webhook path.

Lab access available upon request.

Architecture

Vendor-native Elastic path (documented today): Identity Security Insights can push to Elastic using Elastic Cloud ID and an API key configured under Menu → Integrations → Elastic (see BeyondTrust docs). Forwarded documents are oriented around ECS; vendor documentation cites ecs.version 8.7.0 and fields such as message, tags, labels (e.g. current status), event.* (id, url, reason, severity, code), rule.* (id, description, version), and impacted_entities entries (entity id/type, tenant id, name, description). The Elastic package README and field reference should align with this mapping where it matches customer-indexed data, and call out any ECS version drift or indexing details.

Webhook path (generic HTTP): Insights supports webhooks with a JSON template and substitution variables (e.g. %%incidentId%%, %%tenantId%%, %%incidentType%%, %%severity%%, %%definitionId%%, %%definitionSummary%%, %%source%%, %%location%%, %%entityType%%, %%entityName%%, %%timestamp%%, %%link%%), plus optional Basic or Bearer auth and custom headers. For customers not using vendor-native Elastic push or for multi-destination designs the integration can define a supported path with an ingest pipeline that normalizes webhook payloads to the same ECS-oriented schema as the native path where possible.

References

• Elastic Security Insights: Cloud ID / API key setup, ECS-oriented field mapping table
• Webhooks Insights: templates, variables, auth, manual trigger from Take Action
• BeyondTrust integrations Insights: Integrations hub (SIEM and automation)
• Detections Insights: product context for detection lifecycle

[github-actions]

This looks more like an extension request than a net-new integration: the repo already contains two BeyondTrust integrations, so the first decision should be whether Identity Security Insights fits one of those packages or truly requires a new package.

Recommendation

Start by scoping this as an enhancement to packages/beyondinsight_password_safe unless the requested product/API surface is distinct enough to justify a separate package.

If it is distinct, follow the standard new-package workflow (elastic-package create package + elastic-package create data-stream) and reuse the BeyondTrust/CEL patterns already in-repo.

Findings

• Existing BeyondTrust integrations already present:
  • packages/beyondinsight_password_safe/manifest.yml:2-4
  • packages/beyondtrust_pra/manifest.yml:1-4
• Existing BeyondInsight package already targets IAM/security use cases:
  • packages/beyondinsight_password_safe/manifest.yml:9-14
• BeyondInsight package docs confirm REST API collection model and multiple datasets:
  • packages/beyondinsight_password_safe/docs/README.md:16-28
  • packages/beyondinsight_password_safe/docs/README.md:35-48
• Initial release reference for this package exists (helps dedupe/history checks):
  • packages/beyondinsight_password_safe/changelog.yml:129-133 (PR #11710)
• Repo guidance for creating a new package/datastream is explicit:
  • docs/extend/build-create-package.md:8-14
  • docs/extend/build-create-package.md:59-63
• Testing matrix for integrations is explicit:
  • docs/extend/testing.md:8-14

Verification

I validated this against the current repo state with these checks:

rg -n "BeyondTrust|beyondinsight|beyondtrust" packages

Confirmed both beyondinsight_password_safe and beyondtrust_pra package trees exist.

# file inspections
packages/beyondinsight_password_safe/manifest.yml
packages/beyondinsight_password_safe/docs/README.md
packages/beyondinsight_password_safe/changelog.yml
packages/beyondtrust_pra/manifest.yml
docs/extend/build-create-package.md
docs/extend/testing.md

Confirmed package overlap, recommended creation workflow, and test suite expectations.

# CI/package-test flow references
.buildkite/scripts/check_sources.sh
.buildkite/scripts/common.sh

Confirmed CI runs package checks and tests (including elastic-package check and elastic-package test).

Detailed Action Plan

1. Clarify scope against existing BeyondTrust packages.

   • Compare requested "Identity Security Insights" API endpoints/datasets to current datasets in:
   • packages/beyondinsight_password_safe/docs/README.md:22-27

2. Choose path:

   • If overlap: open as enhancement to packages/beyondinsight_password_safe.
   • If distinct: create new package using:
     • docs/extend/build-create-package.md:8-14
     • docs/extend/build-create-package.md:59-63

3. Implement minimum package surface (new package or new datastreams):

   • manifest.yml, changelog.yml, dataset manifest.yml, fields/fields.yml, elasticsearch/ingest_pipeline/default.yml, sample_event.json, docs, policy/system/pipeline tests.
   • Use existing BeyondTrust packages as structure references:
     • packages/beyondinsight_password_safe/...
     • packages/beyondtrust_pra/...

4. Validate locally before PR:

   • elastic-package check -v
   • elastic-package test static
   • elastic-package test pipeline
   • elastic-package test policy
   • elastic-package test system (when applicable)

5. Open PR with changelog entry and dataset-level test fixtures.

Related Items

Type	Link	Relevance
Package	packages/beyondinsight_password_safe	Existing BeyondTrust IAM/PAM API integration, likely closest match
Package	packages/beyondtrust_pra	Existing BeyondTrust integration for PRA logs
PR	#11710	Initial release reference for BeyondInsight package (changelog.yml)
Doc	docs/extend/build-create-package.md	Official package/datastream creation workflow
Doc	docs/extend/testing.md	Required test suite matrix
CI Script	.buildkite/scripts/common.sh:835-885	CI package check/install/test behavior

Note: I couldn’t read the full issue body in this run due an integrity-policy restriction, so this recommendation is based on verifiable repo evidence and the issue title only.

Note

🔒 Integrity filtering filtered 4 items

Integrity filtering activated and filtered the following items during workflow execution.
This happens when a tool call accesses a resource that does not meet the required integrity or secrecy level of the workflow.

• issue:[New Integration] BeyondTrust Identity Security Insights #18164 (issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
• #18164 (search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
• #17560 (search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
• #14725 (search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)

---

What is this? | From workflow: Issue Triage

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)