beyondinsight-21-1
April 13, 2021
New features and enhancements:
- Added an option to hide the upcoming maintenance expiry banner.
- Restored the Scan Progress column to the Active/Completed Scans grid.
- Added SQL Options support to Privilege Management Reporting plugin configuration.
- Removed support for Vulnerability type Smart Rules.
- Deactivated Smart Rules that rely on Vulnerability specific criteria or actions.
- Added Deprecated Smart Rules section to BTAnalyzer report to list Smart Rules that were deactivated on upgrade due to invalid criteria or actions.
- Analytics and Reporting:
  - Replaced the Analytics and Reporting homepage report with the Report Browser.
  - Removed support for making a saved view into the homepage report.
  - Introduced a Deprecated folder for all Vulnerability Management Reports.
  - Migrated a number of areas under Analytics and Reporting off AngularJS.
  - Removed support for Threat Analyzer, a Vulnerability Management function.
- API:
  - Team Passwords Support
    - Folders

      | API Call | Description |
      | --- | --- |
      | GET TeamPasswords/Folders/ | Get all Team Passwords Folders |
      | GET TeamPasswords/Folders/{id}/ | Get Team Passwords Folder by ID |
      | POST TeamPasswords/Folders/ | Create Team Passwords Folder |
      | PUT TeamPasswords/Folders/{id}/ | Update Team Passwords Folder by ID |
      | DELETE TeamPasswords/Folders/{id}/ | Delete Team Passwords Folder by ID |

    - Credentials

      | API Call | Description |
      | --- | --- |
      | GET TeamPasswords/Folders/{id}/Credentials/ | Get Team Passwords Credentials by Folder ID |
      | GET TeamPasswords/Credentials/{id}/ | Get Team Passwords Credential by ID |
      | POST TeamPasswords/Folders/{id}/Credentials/ | Create Team Passwords Credential in Folder |
      | PUT TeamPasswords/Credentials/{id}/ | Update Team Passwords Credential by ID |
      | DELETE TeamPasswords/Credentials/{id}/ | Delete Team Passwords Credential by ID |

  - Team Passwords supporting changes:
    - For all User Group APIs, added the **Description : string** property to the response body.
    - Creating or deleting an existing User Group that has the **Team Passwords** Feature/Permission enabled requires the caller to be an administrator:
      - **POST UserGroups/**
      - **DELETE UserGroups/{id}/**
      - **DELETE UserGroups/?name={name}**
    - Adding or removing the **Team Passwords** Feature/Permission to or from a User Group requires the caller to be an administrator:
      - **POST UserGroups/{id}/Permissions/**
      - **DELETE UserGroups/{id}/Permissions/**
  - AD and LDAP Users can now be removed if they do not belong to a User Group: **DELETE Users/{id}/**.
  - Access Policy Request Reason and ticket system support:
    - For **GET AccessPolicies/** and **POST AccessPolicies/Test/** the following properties have been added to the response body:
      - **RequireReason : bool**
      - **RequireTicketSystem : bool**
      - **TicketSystemID : short?**
    - For **POST Requests** and **POST RequestSets**, the Access Policy Schedule is now used to check ticket system requirements.
  - Minor model versioning support for POST|PUT ManagedSystems request body using query parameter **version**:
    - Current/usable versions:
      - 3.0 - Default if not specified
        - **PUT ManagedSystems/{id}/\[?version=3.0\]**
        - **POST Workgroups/{id}/ManagedSystems/\[?version=3.0\]**
        - **POST Assets/{id}/ManagedSystems/\[?version=3.0\]**
        - **POST Databases/{id}/ManagedSystems/\[?version=3.0\]**
      - 3.1 - Adds support for **RemoteClientType : string** (support for Endpoint Privilege Management)
        - **PUT ManagedSystems/{id}/?version=3.1**
        - **POST Workgroups/{id}/ManagedSystems/?version=3.1**
        - **POST Assets/{id}/ManagedSystems/?version=3.1**
        - **POST Databases/{id}/ManagedSystems/?version=3.1**
    - Latest version (currently 3.1) always returned in relevant response bodies
      - **PUT ManagedSystems/{id}/**
      - **POST Workgroups/{id}/ManagedSystems/**
      - **POST Assets/{id}/ManagedSystems/**
      - **POST Databases/{id}/ManagedSystems/**
      - **GET ManagedSystems/{id}/**
      - **GET ManagedSystems/**
      - **GET Assets/{id}/ManagedSystems/**
      - **GET Databases/{id}/ManagedSystems/**
      - **GET FunctionalAccounts/{id}/ManagedSystems/**
      - **GET Workgroups/{id}/ManagedSystems/**
      - **GET SmartRules/{id}/ManagedSystems/**
  - VMS Removal:
    - Vulnerability Smart Rules have been removed. Any reference to Smart Rule type **Vulnerability** is now obsolete.
    - The following VMS APIs have been removed and now return _404 Not Found_:
      - **GET Assets/{id}/Vulnerabilities/?smartRuleID={srID}**
      - **POST Vulnerabilities/ExportReport/**
      - **GET Vulnerabilities/{id}/VulnerabilityReferences/**
  - Added model string length validation. String values exceeding maximum length now properly return _400 Bad Request_.
    - AddressGroups
      - **POST AddressGroups/**
      - **PUT AddressGroups/{id}/**
        - **Name** (255)
    - Addresses
      - **POST AddressGroups/{id}/** (deprecated/superseded by **POST AddressGroups/{id}/Addresses/**)
      - **POST AddressGroups/{id}/Addresses/**
      - **PUT Addresses/{id}/**
        - **Name** (255)
    - Assets
      - **POST Workgroups/{workgroupID}/Assets/**
      - **POST Workgroups/{workgroupName}/Assets/**
      - **PUT Assets/{id}/**
        - **AssetName** (128)
        - **AssetType** (64)
        - **DnsName** (255)
        - **DomainName** (64)
        - **IPAddress** (45)
        - **MacAddress** (128)
        - **OperatingSystem** (255)
    - AttributeTypes
      - **POST AttributeTypes/**
        - **Name** (64)
    - Attributes
      - **POST AttributeTypes/{attributeTypeID}/Attributes/**
        - **ShortName** (64)
        - **LongName** (64)
        - **Description** (255)
    - Databases
      - **POST Assets/{id}/Databases/**
      - **PUT Databases/{id}/**
        - **InstanceName** (100)
        - **Version** (20)
    - Directories
      - **POST Workgroups/{id}/Directories/**
      - **PUT Directories/{id}/**
        - **DomainName** (50)
        - **ForestName** (64)
        - **NetBiosName** (15)
        - **Description** (255)
        - **ContactEmail** (128)
    - FunctionalAccounts
      - **POST FunctionalAccounts/**
        - **DomainName** (50)
        - **AccountName** (245)
        - **DisplayName** (100)
        - **Description** (1000)
        - **ElevationCommand** (80)
    - ManagedAccounts
      - **POST ManagedSystems/{systemID}/ManagedAccounts/**
      - **PUT ManagedAccounts/{id}/**
        - **DomainName** (50)
        - **AccountName** (245)
        - **DistinguishedName** (1000)
        - **UserPrincipalName** (500)
        - **SAMAccountName** (20)
        - **Description** (1024)
        - **ReleaseNotificationEmail** (255)
    - ManagedSystems
      - **POST Assets/{assetId}/ManagedSystems/**
      - **POST Databases/{databaseID}/ManagedSystems/**
      - **POST Directories/{directoryID}/ManagedSystems/**
      - **POST Workgroups/{id}/ManagedSystems/**
      - **PUT ManagedSystems/{id}/**
        - **HostName** (50)
        - **DnsName** (255)
        - **IPAddress** (45)
        - **InstanceName** (100)
        - **ForestName** (64)
        - **OracleInternetDirectoryServiceName** (200)
        - **NetBiosName** (15)
        - **Description** (255)
        - **ContactEmail** (128)
    - QuickRules
      - **POST QuickRules/**
        - **Category** (50)
        - **Title** (75)
    - Requests
      - **POST Requests/**
      - **POST Aliases/{aliasId}/Requests/**
        - **TicketNumber** (20)
      - **PUT Requests/{id}/Checkin/**
      - **PUT Requests/{id}/Approve/**
      - **PUT Requests/{id}/Deny/**
      - **POST ManagedAccounts/{managedAccountID}/Requests/Terminate/**
      - **POST ManagedSystems/{managedSystemID}/Requests/Terminate/**
      - **POST Users/{userID}/Requests/Terminate/**
        - **Reason** (1000)
    - RequestSets
      - **POST RequestSets/**
        - **TicketNumber** (20)
    - Sessions
      - **POST Sessions/Admin/**
        - **HostName** (128)
        - **DomainName** (50)
        - **UserName** (200)
        - **Resolution** (50)
    - SmartRules
      - **POST SmartRules/FilterAssetAttribute/**
        - **Category** (50)
        - **Title** (75)
      - **POST SmartRules/FilterSingleAccount/** (deprecated)
        - **Title** (75)
    - UserGroups
      - **POST UserGroups/**
        - **groupName** (200)
        - **description** (255)
        - **groupDistinguishedName** (500)
        - **hostName** (50)
        - **membershipAttribute** (255)
        - **accountAttribute** (255)
        - **forestName** (300)
        - **domainName** (250)
    - Users
      - **POST Users/**
        - **UserName** (64)
        - **DomainName** (250)
        - **DistinguishedName** (255)
        - **FirstName** (64)
        - **LastName** (64)
        - **EmailAddress** (255)
      - **POST UserGroups/{id}/Users/**
      - **PUT Users/{id}/**
        - **UserName** (64)
        - **FirstName** (64)
        - **LastName** (64)
        - **EmailAddress** (255)
    - Workgroups
      - **POST Workgroups/**
        - **Name** (256)
- Endpoint Privilege Management:
  - Added support for Global Endpoint Privilege Management Policy Ordering.
  - Added auditing of changes to Endpoint Privilege Management policies (who made the change, which policy they changed, when the change was made).
  - Added support for future Endpoint Privilege Management Policy Locking functionality.
 
- Password Safe:
  - Additional Access Policy options: Require Reason and Ticket System global settings are now configurable at the Access Policy level.
  - Expanded API: added Team Passwords functionality.
  - Added a Details and Attributes section to both Managed Accounts and Managed Systems Advanced Details screens.
  - Added new platforms: macOS Secure Token, Cisco WLC, Fortinet Admin.
  - Endpoint Privilege Management for Mac is now supported as a change agent.
  - Added configurable option for background display in RDP sessions.
  - Made security enhancements.
 
- Password Safe Cloud:
  - Resource Broker is now updated when the Password Safe Cloud instance updates.
  - Resource Broker log files are now accessible from the Password Safe Cloud instance.
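
A client-side pre-flight for the ManagedSystems changes in the API notes above (the **version** query parameter and the new string length validation), as an added example that is not BeyondTrust code. The function names and the placeholder RemoteClientType value are assumptions; the limits and version numbers are copied from this page.

```python
# Added example. Limits and version numbers are copied from the release notes;
# function names and sample values are hypothetical.
MANAGED_SYSTEM_MAX_LEN = {
    "HostName": 50, "DnsName": 255, "IPAddress": 45, "InstanceName": 100,
    "ForestName": 64, "OracleInternetDirectoryServiceName": 200,
    "NetBiosName": 15, "Description": 255, "ContactEmail": 128,
}
# Properties that only exist from a given minor model version onward.
MIN_VERSION_FOR_FIELD = {"RemoteClientType": "3.1"}


def required_version(body):
    """Return the lowest model version that carries every property in body."""
    needed = [MIN_VERSION_FOR_FIELD[k] for k in body if k in MIN_VERSION_FOR_FIELD]
    as_tuple = lambda v: tuple(int(part) for part in v.split("."))
    return max(needed, default="3.0", key=as_tuple)


def length_violations(body):
    """List (property, actual, limit) for strings over the documented maximum.

    Assumes the server counts characters the way len() does.
    """
    return [
        (name, len(value), MANAGED_SYSTEM_MAX_LEN[name])
        for name, value in body.items()
        if isinstance(value, str)
        and len(value) > MANAGED_SYSTEM_MAX_LEN.get(name, float("inf"))
    ]


def prepare_put_managed_system(system_id, body):
    """Return the relative PUT path, or raise before anything is sent."""
    problems = length_violations(body)
    if problems:
        detail = ", ".join(f"{n} is {a}, max {m}" for n, a, m in problems)
        raise ValueError(f"API would answer 400 Bad Request: {detail}")
    path = f"ManagedSystems/{int(system_id)}/"  # int() keeps the id numeric
    version = required_version(body)
    # 3.0 is the default, so the query parameter is only added above it.
    return path if version == "3.0" else f"{path}?version={version}"


if __name__ == "__main__":
    # Constructed request bodies; "<client-type>" is a placeholder value.
    print(prepare_put_managed_system(7, {"HostName": "web01"}))
    print(prepare_put_managed_system(
        7, {"HostName": "web01", "RemoteClientType": "<client-type>"}))
    print(length_violations({"NetBiosName": "A" * 16}))
```
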
 
Issues resolved:
- Resolved issue in which the Name field was editable when adding an asset to Password Safe.
- Resolved issue in which assets scanned using BeyondTrust Discovery v20 and non-functional credentials could be imported without asset names and appear as duplicates in the Asset grid.
- Resolved an issue with email validation. Now an email cannot contain extraneous characters after the domain, nor may it end in a number.
- Adjusted ChangeTime validation so that ChangeTime exactly matched the range 00:00 to 23:59.
- For the API call POST Auth/SignAppin/:
  - Authentication failure messages are now valid JSON.
  - Subsequent calls now use the current Authorization header to reauthenticate.
- POST Auth/Signout/ can now be called to abandon unwanted MFA challenges.
- The GET OperatingSystems/ call now properly returns a 401 Unauthorized message on unauthorized calls.
- For the API call GET ManagedAccounts/:
  - Made performance enhancements.
  - Static (non–asset-based) Managed Systems are now properly returned for ISA role based access.
  - The systemName query parameter is no longer massaged to match a padded IP. The parameter value now matches the Managed System Name exactly.
- For the API call GET Directories/:
  - Made performance enhancements.
  - Resolved an intermittent 500 Internal Server Error message that displayed under heavy system load.
- QuickRules, SmartRules:
  - Made performance enhancements.
  - Resolved an intermittent 500 Internal Server Error that displayed when the DELETE QuickRules/{id}/ call was made under heavy system load.
- For the API calls POST Users/, POST UserGroups/{id}/Users/, and PUT Users/{id}/, the Audit record now properly sets the Audit.Username value.
- For the API call POST Users/, new LDAP users that belong only to BeyondInsight-type user groups can now properly authenticate after being created.
- For the API call POST Users/, new directory credentials are automatically enabled for group resolution when there is not a pre-existing directory credential entry for the directory.
- Password Safe Cloud:
  - Resolved issue in which omitted IP addresses in an Address Group were included in the scan target list.
  - Resolved issue in which users intermittently encountered a Form is stale error.
  - Resolved issue in which propagating password changes to IIS AppPools was problematic.
  - Resolved issue in which propagating password changes to Scheduled Tasks on Server 2016/2019 was problematic when the task RunAsUser was a domain account, the asset was on the domain, and the asset had a local user with the same username.
  - Resolved issue in which recurrent scheduled scans could run an extra 12 hours after their originally scheduled time.
 
Known issues:
- BeyondInsight:
  - Smart Rules that are deactivated due to reliance on VMS-specific criteria and actions will not process until the criteria and actions are updated.
  - Some areas in Analytics and Reporting are translated while others are not.
  - New optional Scan Progress column on Active/Completed Scans grid may state Scanning X of X even though scan state is complete.
  - Printing a report from Analytics and Reporting using Internet Explorer 11 either suggests the user install SSRS (if cache is cleared) or does nothing (if cache is not cleared).
  - User Login: a newly added LDAP group does not immediately appear in LDAP servers section on login page.
  - Analytics and Reporting Report Styling Preview gives an error message before reloading successfully.
  - Omniworker log file may show log level changes repeatedly on clean installs.
- Password Safe:
  - OneClick: When set to x amount of max concurrent requests, the last one cannot make multiple sessions.
  - Custom Platform: snackbar error when setting Custom Platform inactive using German language.
  - Updating a schedule advances the end date (if set) by a day (for each update).
  - Password Safe Cloud only: downloading a report to any format takes too long.
  - Password Safe Cloud only: status image indicator is missing from the Discovery report.
 
Notes:
- Direct upgrades to 21.1 are supported from BeyondInsight versions 6.9.x or later.
- Removed support for Vulnerability Smart Rules and related criteria/actions.
- This release is available by download for BeyondTrust customers (https://beyondtrustsecurity.force.com/customer/login) and by using the BeyondTrust BT Updater.
- The MD5 signature is: fb2c03b2cb7593405cbb8da20e9442f8.
- The SHA-1 signature is: c02e550d41d40699886dcdf2fd9de8a72f9d77c3.
- The SHA-256 signature is: e2c97378c045eea77ae9ea4fe91a8656e1a3ea327d7816f74115857477a517eb.
