
Purpose

The BeyondTrust integration enables AirMDR to connect with BeyondTrust APIs and retrieve relevant access, session, audit, and security event information. This helps SOC teams investigate privileged access activity, correlate incidents, and automate response actions from AirMDR playbooks.

Supported Versions

Component                                  | Supported Version
BeyondTrust Remote Support                 | Supported
BeyondTrust Privileged Remote Access (PRA) | Supported
BeyondTrust BeyondInsight                  | Supported
BeyondTrust Password Safe                  | Supported
Deployment Models                          | Cloud & On-Premises
Authentication Method                      | OAuth 2.0
AirMDR Integration Type                    | API-Based
Menu names may vary slightly depending on your BeyondTrust deployment version.

Authentication

AirMDR uses OAuth 2.0 authentication to securely connect to BeyondTrust APIs.
Credential          | Description                                             | Example
Base URL            | BeyondTrust tenant URL or appliance URL                 | https://company.beyondtrustcloud.com
OAuth Client ID     | Unique client identifier generated for the API account  | e52a9aa6*****3a40601a736b230a1bebcd1
OAuth Client Secret | API client secret generated for the API account         | ***************

Role-Based Access Considerations

  • Create a dedicated API account specifically for AirMDR.
  • Follow the Principle of Least Privilege.
  • Avoid using personal administrator accounts.
  • Periodically rotate OAuth credentials.
  • Store secrets securely.

BeyondTrust Integration Setup Steps

Step 1: Log in to the BeyondTrust Admin Console

  1. Open a supported browser.
  2. Go to the BeyondTrust admin URL: https://<your-beyondtrust-domain>/login
  3. Sign in with an administrator account.
    Admin privileges are required to create or edit API accounts.

Step 2: Identify the Base URL

  1. In the browser address bar, copy the BeyondTrust domain.
  2. Remove /login from the URL.
  3. Use the remaining value as the Base URL.
    Example:
    Login URL: https://company.beyondtrustcloud.com/login
    Base URL: https://company.beyondtrustcloud.com
    Use this Base URL while configuring the BeyondTrust integration in AirMDR.

Step 3: Open API Configuration

  1. From the left navigation menu, select Management.
  2. Open the API Configuration tab.
  3. Confirm that API access is enabled.
    For Remote Support or Privileged Remote Access deployments, ensure the required API options are enabled based on the AirMDR use case.
    If API access is disabled, AirMDR cannot authenticate or retrieve data from BeyondTrust.

Step 4: Create a New API Account

  1. In API Configuration, click Add or Create New API Account.
  2. Enter a clear account name, for example AirMDR Integration API Account.
  3. Enable the API account.
  4. Select the required API permissions.
  5. Avoid selecting full access unless it is explicitly required and approved.
  6. Click Save.

Step 5: Copy the OAuth Client ID

  1. Open the newly created API account.
  2. Locate the OAuth Client ID field.
  3. Copy the value.
  4. Store it securely for AirMDR configuration.
    Example:
    OAuth Client ID:
    <generated-client-id>

Step 6: Generate the OAuth Client Secret

  1. In the same API account screen, click Generate New Client Secret.
  2. Copy the generated secret immediately.
  3. Store the secret in an approved password vault or secret manager.
  4. Click Save.
The OAuth Client Secret may be visible only once. If it is lost, generate a new client secret and update the AirMDR integration.

Integration Credential Requirements

Use the following values in the AirMDR integration configuration screen:
AirMDR Field        | BeyondTrust Value        | Description
Base URL            | BeyondTrust Instance URL | The root URL of your BeyondTrust tenant or appliance. Example: https://company.beyondtrustcloud.com
OAuth Client ID     | OAuth Client ID          | The unique identifier generated for the BeyondTrust API account.
OAuth Client Secret | OAuth Client Secret      | The secret generated for the BeyondTrust API account and used for OAuth authentication.

Where to Obtain These Credentials

Credential          | Location in BeyondTrust
Base URL            | Browser address bar after logging in to BeyondTrust (remove /login if present).
OAuth Client ID     | Management → API Configuration → API Account → OAuth Client ID
OAuth Client Secret | Management → API Configuration → API Account → Generate New Client Secret
The OAuth Client Secret may only be displayed once when generated. Store it securely in a password vault or secret management solution before proceeding with the AirMDR configuration.

Validate Connectivity

Use the following command to verify connectivity and token authentication. The Basic credential is the base64 encoding of the string client_id:client_secret (the two values joined by a colon, with no line breaks in the encoded output):
curl -X POST "https://company.beyondtrustcloud.com/oauth2/token" \
  -H "Authorization: Basic <Base64_ClientID_ClientSecret>" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials"
A successful request returns a JSON body similar to the following; expires_in is the token lifetime in seconds, after which a new token must be requested:
{
  "access_token": "eyJhbGciOiJIUzI1NiIs…",
  "token_type": "Bearer",
  "expires_in": 3600
}
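The same check as a script, added here as an example and not AirMDR or BeyondTrust code. It assumes only what the curl command above shows: a POST to <Base URL>/oauth2/token with HTTP Basic credentials built from client_id:client_secret and grant_type=client_credentials, answered with JSON carrying access_token, token_type and expires_in. It also performs the /login stripping from Step 2, turns expires_in into a refresh deadline, maps each failure onto the causes listed in the troubleshooting table later on this page, and never prints the token. The BT_* environment variable names, the fake transport and its constructed response are this example's own inventions.

```python
"""Offline-testable check of the BeyondTrust OAuth 2.0 client-credentials flow.
Added example, not AirMDR or BeyondTrust code; it assumes only what the curl
command shows (Basic client_id:client_secret, grant_type=client_credentials,
JSON reply with access_token/token_type/expires_in). BT_* names and the fake
transport are this example's own inventions."""
import base64
import io
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth2/token"


def normalize_base_url(url: str) -> str:
    """Turn the admin login URL into the root Base URL the integration expects."""
    parts = urllib.parse.urlsplit(url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Base URL must be an https:// URL with a host")
    path = parts.path.rstrip("/")
    if path.endswith("/login"):
        path = path[: -len("/login")]
    return urllib.parse.urlunsplit(("https", parts.netloc, path, "", ""))


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 7617 Basic credential: base64 of 'client_id:client_secret', unwrapped."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_token_response(body: bytes, now: float) -> dict:
    """Validate the token JSON and turn expires_in into an absolute expiry time."""
    data = json.loads(body)
    token = data.get("access_token")
    if not token or str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("response does not contain a Bearer access_token")
    ttl = int(data.get("expires_in", 0))
    if ttl <= 0:
        raise ValueError("expires_in is missing or not positive")
    # Treat the token as expired 60 s early so a call never races its expiry.
    return {"access_token": token, "expires_at": now + ttl - 60}


def classify_failure(exc: Exception) -> str:
    """Map a failed token request onto the causes in the troubleshooting table."""
    if isinstance(exc, urllib.error.HTTPError):
        if exc.code in (400, 401):
            return "Authentication failure: check the OAuth Client ID and Client Secret"
        if exc.code == 403:
            return "Permission denied: the API account lacks the required permissions"
        if exc.code == 404:
            return "Invalid Base URL: /oauth2/token was not found under this root URL"
        return f"Unexpected HTTP {exc.code} from the token endpoint"
    if isinstance(exc, OSError):  # URLError and socket timeouts both derive from OSError
        return "Connection timeout or network error: verify outbound HTTPS (443) access"
    if isinstance(exc, ValueError):
        return f"Malformed token response: {exc}"
    return f"Unexpected error: {exc!r}"


def check_connectivity(base_url, client_id, client_secret,
                       opener=urllib.request.urlopen, timeout=10) -> dict:
    """POST the grant; report success or a classified reason, never the token itself."""
    req = urllib.request.Request(
        normalize_base_url(base_url) + TOKEN_PATH,
        data=b"grant_type=client_credentials", method="POST",
        headers={"Authorization": basic_auth_header(client_id, client_secret),
                 "Content-Type": "application/x-www-form-urlencoded"})
    try:
        with opener(req, timeout=timeout) as resp:
            tok = parse_token_response(resp.read(), time.time())
    except Exception as exc:  # every failure becomes a triage hint, not a traceback
        return {"ok": False, "reason": classify_failure(exc)}
    return {"ok": True, "seconds_until_refresh": int(tok["expires_at"] - time.time())}


# Constructed credentials for the offline transport below (not real values).
FAKE_CLIENT_ID, FAKE_SECRET = "e52a9aa6-example-client-id", "example-secret"


def fake_opener(req, timeout=10):
    """Constructed transport: accepts exactly one Basic credential and rejects the rest."""
    if req.get_header("Authorization") != basic_auth_header(FAKE_CLIENT_ID, FAKE_SECRET):
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
    return io.BytesIO(b'{"access_token":"eyJhbGciOiJIUzI1NiIs...",'
                      b'"token_type":"Bearer","expires_in":3600}')


if __name__ == "__main__":
    if all(k in os.environ for k in ("BT_BASE_URL", "BT_CLIENT_ID", "BT_CLIENT_SECRET")):
        result = check_connectivity(os.environ["BT_BASE_URL"], os.environ["BT_CLIENT_ID"],
                                    os.environ["BT_CLIENT_SECRET"])
    else:  # no real credentials set: exercise the constructed offline transport instead
        result = check_connectivity("https://company.beyondtrustcloud.com/login",
                                    FAKE_CLIENT_ID, FAKE_SECRET, opener=fake_opener)
    print(json.dumps(result))
```

With the three BT_* variables exported the script performs the real token request against your tenant; without them it runs against the fake transport, which is enough to see the success and 401 paths. The result dict deliberately carries only a status and a refresh deadline so that the script's output can be pasted into a ticket without leaking the bearer token.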

Configure BeyondTrust in AirMDR Integrations Dashboard

  1. Sign in to AirMDR with your AirMDR credentials.
  2. In the left navigation pane, select Integrations to open the Integrations Dashboard.
  3. Use the search option to enter the keyword “Beyond Trust”, select the Connections tab, and click the + Create button.
  4. Enter a unique name for the instance (for example, <your org name>-BeyondTrust) so the connection is easy to identify in AirMDR.
  5. Enter the Base URL, OAuth Client ID, and OAuth Client Secret in the Authentication Details fields, and click Save.

Skills provided by this Integration

Skill ID                                  | Purpose
List BeyondTrust Jump Items               | List BeyondTrust jump item events, optionally filtered by time window, jump group, jump item, or actor.
Get BeyondTrust Endpoint License Usage    | Fetch the endpoint license usage report (ZIP metadata) from BeyondTrust.
List BeyondTrust Syslog                   | List the BeyondTrust syslog ZIP (last 30 days of /login admin changes).
Get BeyondTrust Access Session Recording  | Fetch the recording metadata for a BeyondTrust access session identified by its LSID (logging session ID).
Get BeyondTrust Access Session Summary    | Summary report of BeyondTrust access sessions over a time window using the AccessSessionSummary report.
List Beyond Trust Vault Account Activity  | List BeyondTrust vault account activity over a time window using the VaultAccountActivity report.
List BeyondTrust Access Sessions          | List BeyondTrust access sessions within a time window using the AccessSessionListing report.
Get BeyondTrust Command Shell Recording   | Fetch a command shell recording for a specific command shell instance within a BeyondTrust access session.
Get BeyondTrust Access Session            | Fetch BeyondTrust access session(s) by LSID, or all sessions within a time window.
List BeyondTrust Teams                    | List BeyondTrust team activity, optionally filtered by time window or a specific team ID.
To view the input parameters and output of each skill:
  • Go to AirMDR → BeyondTrust Integration page.
  • Select the Skills tab and click on the required listed skills.

Additional Information

Architecture Overview Diagram

[Image: AirMDR BeyondTrust architecture diagram]

Troubleshooting

Issue                  | Possible Cause                 | Resolution
Invalid Base URL       | Incorrect URL format           | Remove /login and use the root URL
Invalid Client ID      | Incorrect value copied         | Verify the API account configuration
Invalid Client Secret  | Secret regenerated or expired  | Generate a new secret and update the AirMDR integration
Authentication Failure | OAuth misconfiguration         | Validate the credentials
Permission Denied      | Missing API permissions        | Review the API account's permissions
Connection Timeout     | Firewall or network issue      | Verify outbound HTTPS (port 443) access

AirMDR Logs

Review: Integrations → BeyondTrust → Logs

BeyondTrust Logs

Review: Management → Audit Logs, or Reports → API Activity

Sample Successful Log

INFO: BeyondTrust authentication successful.

Sample Authentication Failure

ERROR: OAuth authentication failed.

Sample Permission Failure

WARN: API account lacks required permissions.
Level | Purpose
INFO  | Normal operations
WARN  | Permission or configuration issues
ERROR | Authentication and connectivity failures

Security Best Practices

  • Use a dedicated API account for AirMDR.
  • Apply least-privilege permissions.
  • Rotate OAuth credentials regularly.
  • Store credentials in an approved secret manager.
  • Restrict access to integration administrators.
  • Monitor API usage and audit logs.
  • Immediately revoke compromised credentials.
  • Review permissions quarterly.
Security Recommendation: Never share OAuth Client Secrets through email, chat applications, or unsecured documentation. Use an approved enterprise secret management solution.

Support and Maintenance

  • 📧 Contact AirMDR Support through your designated support channel for:
    • API account issues
    • Tenant configuration problems
    • Authentication errors
  • 🔁 Rotate credentials regularly.
    • Rotate OAuth Client Secrets.
    • Review API account permissions.
    • Disable unused API accounts.
    • Revalidate connectivity after BeyondTrust upgrades.
    • Monitor integration logs for failures.
  • 🔄 Reconnect in AirMDR when secrets are changed.

Data Exchanged

Depending on permissions granted, AirMDR may retrieve:
  • Privileged session information
  • User access activity
  • Audit logs
  • Endpoint metadata
  • Security investigation context

Encryption

Category           | Method
Data in Transit    | TLS 1.2+ / HTTPS
Authentication     | OAuth 2.0
Credential Storage | Secure encrypted storage

Ports and Endpoints

Item           | Value
Protocol       | HTTPS
Port           | 443
OAuth Endpoint | /oauth2/token
API Endpoint   | Product-specific REST APIs