
Conversation

@jamos-bt

@jamos-bt jamos-bt commented Nov 4, 2025

Change(s):

  • Added new Microsoft Sentinel solution: BeyondTrust Privilege Management Cloud
  • Solution includes:
    • Data connector (Azure Function-based with DCR ingestion)
    • Two custom Log Analytics tables with comprehensive schemas
    • Interactive workbook for activity audits and client events
  • Files added:
    • Solutions/BeyondTrustPMCloud/Data Connectors/azuredeploy_BeyondTrustPMCloud_API_FunctionApp.json
    • Solutions/BeyondTrustPMCloud/Data Connectors/BeyondTrustPMCloud_API_FunctionApp.json
    • Solutions/BeyondTrustPMCloud/Data Connectors/AzureFunctionBeyondTrustPMCloud/ (complete function app code)
    • Solutions/BeyondTrustPMCloud/Workbooks/BeyondTrustPMCloud.json
    • Solutions/BeyondTrustPMCloud/Data/Solution_BeyondTrustPMCloud.json
    • Solutions/BeyondTrustPMCloud/Package/ (complete solution package)
    • Solutions/BeyondTrustPMCloud/README.md
    • Solutions/BeyondTrustPMCloud/ReleaseNotes.md
    • Solutions/BeyondTrustPMCloud/SolutionMetadata.json

Reason for Change(s):

  • New solution submission to provide Microsoft Sentinel customers with visibility into BeyondTrust Privilege Management Cloud
  • Enables monitoring of:
    • Privilege elevation and application control events from endpoints
    • Administrative and configuration changes across the platform
    • Policy modifications and exceptions
    • User and permission management activities
  • Uses modern Azure architecture:
    • DCR-based Logs Ingestion API (recommended approach)
    • Managed identity with RBAC (no shared keys)
    • Automated table creation with inline schemas
    • One-click ARM template deployment
  • Partner-supported solution filling gap in privileged access management offerings in Content Hub

Version Updated:

  • N/A - This is an initial solution submission (v3.0.0)

Testing Completed:

  • Yes
  • ARM template deployment tested successfully in Azure
  • Both custom tables (BeyondTrustPM_ActivityAudits_CL, BeyondTrustPM_ClientEvents_CL) created automatically
  • Data Collection Rules and Data Collection Endpoint configured correctly
  • Function App deployed and executing on schedule
  • Data ingestion verified - both tables receiving data
  • Tested in clean Microsoft Sentinel workspace with no custom parsers or functions
  • Verified with standard Log Analytics workspace (no dependencies on custom resources)

Checked that the validations are passing and have addressed any issues that are present:

  • Yes
  • Tried running the KQL and Detection Schema validation tests locally, but they fail even without my changes
  • ARM-TTK validation: 48/49 tests passing
    • Only failure: "IDs Should Be Derived From ResourceIDs" (expected for Content Hub solution templates)
  • JSON validation: All files validated successfully
  • Solution package generated successfully using official packaging tool (V3)
  • No KQL validation required (solution contains workbook with standard KQL queries, no detection rules)
  • Package files validated:
    • createUiDefinition.json
    • mainTemplate.json
    • testParameters.json

Additional Context:

  • Solution uses .NET 8 Isolated runtime with official Azure SDKs
  • ECS-aligned schema for Client Events table
  • Comprehensive 40-column schema for Activity Audits
  • Support for multiple hosting plans (Consumption, Flex Consumption, Elastic Premium)
  • Ready for Content Hub/Azure Marketplace publication

…tinel

This commit introduces a new Microsoft Sentinel solution for BeyondTrust
Privilege Management Cloud, providing comprehensive visibility into privilege
management activities and endpoint security events.

Solution Components:
- Data connector using Azure Functions with DCR-based Logs Ingestion API
- Two custom Log Analytics tables with comprehensive schemas
- Interactive workbook for activity audits and client events visualization

Data Collection:
- Activity Audits (BeyondTrustPM_ActivityAudits_CL): ~40 columns capturing
  administrative changes, policy modifications, configuration updates, and
  SIEM integration activities
- Client Events (BeyondTrustPM_ClientEvents_CL): 50+ ECS-aligned columns
  capturing endpoint security events including application control, process
  execution, file hashes, and user activities

Architecture:
- DCR-based Logs Ingestion API (Azure Monitor recommended approach)
- Managed identity with RBAC (no shared keys)
- Automated table creation with inline ARM template schemas
- One-click deployment via "Deploy to Azure" button
- .NET 8 Isolated runtime with Azure.Monitor.Ingestion SDK
- Support for Consumption, Flex Consumption, and Elastic Premium plans

Testing:
- ARM-TTK validation: 48/49 tests passing
- JSON validation: All files valid
- End-to-end deployment verified
- Data ingestion confirmed for both tables
- Workbook tested with live data

Files Added:
- Solutions/BeyondTrustPMCloud/Data Connectors/azuredeploy_BeyondTrustPMCloud_API_FunctionApp.json
- Solutions/BeyondTrustPMCloud/Data Connectors/BeyondTrustPMCloud_API_FunctionApp.json
- Solutions/BeyondTrustPMCloud/Data Connectors/AzureFunctionBeyondTrustPMCloud/ (complete function code)
- Solutions/BeyondTrustPMCloud/Workbooks/BeyondTrustPMCloud.json
- Solutions/BeyondTrustPMCloud/Data/Solution_BeyondTrustPMCloud.json
- Solutions/BeyondTrustPMCloud/Package/ (complete solution package)
- Solutions/BeyondTrustPMCloud/README.md
- Solutions/BeyondTrustPMCloud/ReleaseNotes.md
- Solutions/BeyondTrustPMCloud/SolutionMetadata.json
- Logos/BeyondTrustLogo.svg

Content Hub ready for Azure Marketplace publication.

Version: 3.0.0
@jamos-bt jamos-bt requested review from a team as code owners November 4, 2025 22:04
@v-shukore v-shukore added the New Solution For new Solutions which are new to Microsoft Sentinel label Nov 5, 2025
@v-maheshbh
Contributor

v-maheshbh commented Nov 5, 2025

Hi @jamos-bt Kindly accept the CLA and review the validation check that is failing.

Thanks!

@jamos-bt
Author

jamos-bt commented Nov 5, 2025

@microsoft-github-policy-service agree [company="BeyondTrust"]

@jamos-bt
Author

jamos-bt commented Nov 5, 2025

@microsoft-github-policy-service agree company="BeyondTrust"

@jamos-bt
Author

jamos-bt commented Nov 5, 2025

Hi @v-maheshbh,

The KQL validation seems to be failing because ...

"The name 'BeyondTrustPM_ActivityAudits_CL' does not refer to any known table, tabular variable or function."

This is a custom table that is created as part of the ARM template deployment in Solutions/BeyondTrustPMCloud/Data Connectors/azuredeploy_BeyondTrustPMCloud_API_FunctionApp.json

Is there something else I need to add so the test is aware of the two tables used by the connector?

@jamos-bt
Author

jamos-bt commented Nov 7, 2025

Hi @v-maheshbh just following up on the question above. I understand that the KQL validation is failing, but I'm not sure how to address it since it's not really an issue with the KQL statements in our package but rather just due to the fact that those statements reference custom tables that are created by the app.

Your input would be greatly appreciated!

@v-maheshbh
Contributor

Hi @jamos-bt
In C#, you convert to lowercase for the switch, but KQL is case-sensitive. So in your query, you must reference it exactly as BeyondTrustPM_ActivityAudits_CL Table.

Thanks!

@jamos-bt
Author

jamos-bt commented Nov 12, 2025

Hi @jamos-bt In C#, you convert to lowercase for the switch, but KQL is case-sensitive. So in your query, you must reference it exactly as BeyondTrustPM_ActivityAudits_CL Table.

Thanks!

Hi @v-maheshbh - I checked the repository and found that the tables are declared / created as BeyondTrustPM_ActivityAudits_CL and BeyondTrustPM_ClientEvents_CL. The ONLY place in the entire repository that those tables are referenced and it is NOT with those EXACT names (matching case) is on line 102 in LogAnalyticsService.cs ... where it is intentionally doing a .ToLowerInvariant() comparison in C#.

The actual KQL queries in BeyondTrustPMCloud_API_FunctionApp.json, mainTemplate.json, and BeyondTrustPMCloud.json all have the table names matching exactly to the declarations. Do you see somewhere I'm missing?

@jamos-bt
Author

@v-maheshbh Ping on the above. ;)

@v-maheshbh
Contributor

Hi @jamos-bt Kindly review the snippet below.

[screenshot]

thanks!

@jamos-bt
Author

jamos-bt commented Nov 19, 2025

Hi @jamos-bt Kindly review the snippet below.

[screenshot here]
thanks!

Right. As mentioned above "The ONLY place in the entire repository that those tables are referenced and it is NOT with those EXACT names (matching case) is on line 102 in LogAnalyticsService.cs ... where it is intentionally doing a .ToLowerInvariant() comparison in C#."

The line you highlighted is just a string literal in the C# code and it is being compared to the output of logType.ToLowerInvariant() ... meaning the value, no matter what the casing of the value in logType, will always be lowercase here, hence the lowercase literal. This should have absolutely nothing to do with KQL validation as this isn't KQL ... it's C# function app code.

*** Also, to avoid any confusion as to what that code is doing, it takes the logType as a parameter. This parameter should be either "BeyondTrustPM_ActivityAudits_CL" or "BeyondTrustPM_ClientEvents_CL". It converts that value to lowercase and puts THAT value into a switch statement. The cases of the switch ultimately return a tuple (multiple values) comprised of the DCR's immutable ID and the stream name. So, yes, the code does convert the logType (custom table name) to lowercase. BUT that value is ONLY used as the input to that switch statement. It is NOT used in a KQL query and it isn't even returned out of that method.
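The routing logic described in the comment above, written out as an added example (this is not the solution's own LogAnalyticsService.cs): the log type is lower-cased only to select a (DCR immutable ID, stream name) pair, while the exact-case table names are what the DCR stream and any KQL query reference, and the upload uses the Function App's managed identity rather than a shared key. The DCR IDs and the DCE endpoint are placeholders, and the `Custom-<table>` stream naming is an assumed convention.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Monitor.Ingestion;

public static class DcrRouting
{
    // Exact-case table names as declared in the ARM template; these are what KQL sees.
    public const string ActivityAuditsTable = "BeyondTrustPM_ActivityAudits_CL";
    public const string ClientEventsTable = "BeyondTrustPM_ClientEvents_CL";

    // Resolve a log type to its DCR immutable ID and stream name.
    // Lower-casing is a lookup convenience only; the lowercased value never leaves this method.
    public static (string DcrImmutableId, string StreamName) Resolve(string logType)
    {
        switch (logType.ToLowerInvariant())
        {
            case "beyondtrustpm_activityaudits_cl":
                // Placeholder ID: a real deployment reads it from app settings.
                return ("dcr-PLACEHOLDER-activity-audits", "Custom-" + ActivityAuditsTable);
            case "beyondtrustpm_clientevents_cl":
                return ("dcr-PLACEHOLDER-client-events", "Custom-" + ClientEventsTable);
            default:
                // Unknown log types are rejected rather than silently routed to a default stream.
                throw new ArgumentException($"Unknown log type '{logType}'", nameof(logType));
        }
    }

    // Upload a batch through the Logs Ingestion API with DefaultAzureCredential, which
    // resolves to the Function App's managed identity in Azure (no shared keys). That
    // identity needs the Monitoring Metrics Publisher role on the DCR for the call to succeed.
    public static async Task UploadAsync(Uri dceEndpoint, string logType, IReadOnlyList<object> records)
    {
        var (dcrId, stream) = Resolve(logType);
        var client = new LogsIngestionClient(dceEndpoint, new DefaultAzureCredential());
        await client.UploadAsync(dcrId, stream, records);
    }

    public static Task Main()
    {
        // Constructed sample record; the real connector maps API responses to the table schema.
        var sample = new List<object> { new { TimeGenerated = DateTime.UtcNow, Action = "PolicyUpdated" } };
        // Placeholder DCE endpoint.
        return UploadAsync(new Uri("https://PLACEHOLDER-dce.ingest.monitor.azure.com"), ActivityAuditsTable, sample);
    }
}
```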

@v-maheshbh
Contributor

Hi @jamos-bt
Kindly update release notes in below format
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365/ReleaseNotes.md

Thanks!

@v-maheshbh
Contributor

Hi @jamos-bt

We are putting your PR on hold because your solution uses Azure Function and not Sentinel Codeless Connector Framework (CCF). We would be happy to work with you to migrate your solution to CCF. Please contact the Microsoft Sentinel Partners at [email protected] to discuss available options.

Thanks!

@jamos-bt
Author

@v-maheshbh

We have reformatted the ReleaseNotes.md as requested.

That said, we cannot rewrite the connector using the CCF. We actually went down that path originally, but we found that due to incompatibilities between the way the BeyondTrust PM Cloud APIs we needed to use were implemented and current CCF capabilities, it was not an option.

Therefore, we proceeded with the Microsoft recommendation for custom connectors where CCF cannot be used. https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector

Given the following facts, it seems there is no reason to put this PR on hold:

  • We have already explored CCF and found it to NOT be an option in this case due to how the APIs on our side are implemented
  • Microsoft recommends Azure Function Apps as the next-best approach for cases like this
  • There are already other connectors in this repository that utilize Azure Function Apps

So that brings us back to the failing KQL validation check. Is there someone who might be able to look into this and provide guidance as to why it's failing? Is there an issue with the test / validation itself? Do we have an issue in our solution that simply isn't being clearly indicated by the provided error and that neither you nor I have been able to identify?

We do have multiple customers asking about this solution, and we have tested the solution and shown it to work. Anything you can do to escalate this so we can fix anything that needs to be fixed then get it merged, we would greatly appreciate it!

Thanks again,
Jarod

@v-maheshbh
Contributor

Hi @jamos-bt
Please drop a mail to the Microsoft Sentinel Partners at [email protected] to get their feedback and approval, so we can proceed further.

Thanks!

@v-maheshbh
Contributor

v-maheshbh commented Dec 4, 2025

Hi @jamos-bt
Kindly add the schema definition file for the 'BeyondTrustPM_ActivityAudits_CL' custom table to the specified path and ensure that all column names and data types match the KQL schema to resolve the validation error.
https://github.com/Azure/Azure-Sentinel/tree/master/.script/tests/KqlvalidationsTests/CustomTables

Thanks!

@jamos-bt
Author

jamos-bt commented Dec 4, 2025

@v-maheshbh Done! Hopefully that was the only thing preventing the validation check from passing.

@v-maheshbh
Contributor

Hi @jamos-bt

Kindly update the offerId to follow the correct format:
azure-sentinel-solution-solutionName

and attach a testing screenshot for reference.

Thanks!

@jamos-bt
Author

jamos-bt commented Dec 8, 2025

Hi @v-maheshbh - I've updated the offer ID to match the suggested format. I also redeployed the solution in our environment and let it gather a bit of data to show it working:

[screenshots]

@v-maheshbh
Contributor

Hi @jamos-bt
Kindly revert the changes made to the .md files and update the branch with the latest changes from master.
[screenshot]

Thanks!

@jamos-bt
Author

@v-maheshbh Sorry, I didn't realize I needed to disable the Actions on my fork to keep it from automatically updating things I didn't change myself. I've now reverted all the changes to files that were not part of our solution and synced with the upstream repo.

@v-maheshbh
Contributor

Hi @jamos-bt
Kindly add the workbook preview images to the images folder. Please refer to the below solution for reference.
https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/DORA%20Compliance/Workbooks

and also include the images at the path mentioned below as well.
https://github.com/Azure/Azure-Sentinel/tree/9c938c11160ed40bc335ba00795b96c37480b596/Workbooks/Images/Preview

Thanks!

@v-maheshbh
Contributor

Hi @jamos-bt
Kindly review the comments mentioned above.

Thanks!

@jamos-bt
Author

jamos-bt commented Jan 7, 2026

Hi @v-maheshbh - Preview screenshots have been added as requested. Sorry for the delay, but I was out for two weeks on holiday. :)

@v-maheshbh
Contributor

Hi @jamos-bt
The workbook preview images have not been added in the mentioned path. Kindly check and add the required preview images.
https://github.com/Azure/Azure-Sentinel/tree/9c938c11160ed40bc335ba00795b96c37480b596/Workbooks/Images/Preview

and
When adding a new workbook, update the WorkbooksMetadata.json file [https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/WorkbooksMetadata.json]

Thanks!

@jamos-bt
Author

jamos-bt commented Jan 8, 2026

Hi @v-maheshbh did you check this pull request for the preview images? They are present in the path you specified:

[screenshot]

I also added my workbook to the main metadata file as requested.

@v-maheshbh
Contributor

Hi @jamos-bt
The below link is not working at our end. Kindly verify and confirm.

[screenshot]

Thanks!

@jamos-bt
Author

jamos-bt commented Jan 9, 2026

Hi @v-maheshbh - Yes, that is our corporate website where users can go to get product information as well as support. I have verified that it is up and running.
