auth.thycotic

Introduction

The tags beginning with auth.thycotic identify events generated by Delinea (formerly Thycotic).

Valid tags and data tables 

The full tag must have 3 levels. The first two are fixed as auth.thycotic. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Thycotic Secret Server | auth.thycotic.secretserver | auth.thycotic.secretserver |

For more information, read About Devo tags.

How is the data sent to Devo?

Set up the Thycotic product

Follow the official vendor documentation to configure log forwarding to a Devo Relay. Once this is configured, the Distributed Engine installed on-premises forwards logs in CEF format to the Devo Relay.

Set up the Devo relay rules

You will need to set up one rule on the relay to correctly process and forward the events received from Thycotic. In the example below, use any port that you can dedicate to these events.

Rules

Thycotic SecretServer

  • Source port → Custom source port

  • Source data → CEF:(.*)

  • Sent without syslog tag → False

  • Target tag → auth.thycotic.secretserver

  • Is prefix → False

  • Target Message → \\d1

  • Stop processing → True

Table structure

auth.thycotic.secretserver

These are the fields displayed in this table:

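| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| cefVersion | str | |
| embDeviceVendor | str | |
| embDeviceProduct | str | |
| deviceVersion | str | |
| signatureID | str | |
| name | str | |
| severity | str | |
| _cefVer | str | |
| duid | str | |
| duser | str | |
| fileId | str | |
| fileType | str | |
| fname | str | |
| msg | str | |
| rt | timestamp | |
| src | ip4 | |
| suid | str | |
| suser | str | |
| suserDisplayName | str | |
| folder | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |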
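
To check a captured Secret Server line against the relay rule and the table columns above before pointing the Distributed Engine at the relay, the following Python script applies the rule's Source data pattern and splits the forwarded message into columns. It is an added example, not Devo or Delinea code. It assumes the relay searches for the pattern anywhere in the incoming data and that the seven header columns map to the CEF header fields in the order the table lists them; the function names and the sample line are constructed for illustration.

```python
import re

RULE_SOURCE_DATA = re.compile(r"CEF:(.*)", re.S)   # "Source data" from the rule
TARGET_TAG = "auth.thycotic.secretserver"          # "Target tag" from the rule
HEADER_COLS = ["cefVersion", "embDeviceVendor", "embDeviceProduct",
               "deviceVersion", "signatureID", "name", "severity"]
EXT_COLS = {"_cefVer", "duid", "duser", "fileId", "fileType", "fname", "msg",
            "rt", "src", "suid", "suser", "suserDisplayName", "folder"}

# Seven header fields, each ended by an unescaped "|", then the extension block.
_HEADER = re.compile(r"((?:\\.|[^|\\])*)\|" * 7 + r"(.*)", re.S)
# key=value pairs; a value runs until the next " key=" or the end of the text.
_EXT = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)", re.S)
_ESCAPES = {"n": "\n", "r": "\r"}

def _unescape(text):
    # CEF escapes: \| \= \\ keep the literal character, \n and \r are newlines.
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m[1], m[1]), text, flags=re.S)

def apply_rule(raw):
    """Return (tag, message) as the rule would forward it, or None if no match."""
    m = RULE_SOURCE_DATA.search(raw)
    return (TARGET_TAG, m.group(1)) if m else None

def parse_message(message):
    """Split the forwarded message into table columns plus unmapped keys."""
    m = _HEADER.match(message)
    if not m:
        raise ValueError("not a complete CEF header (7 pipe-delimited fields)")
    row = {c: _unescape(v) for c, v in zip(HEADER_COLS, m.groups())}
    ext = {k: _unescape(v) for k, v in _EXT.findall(m.group(8))}
    row.update({k: v for k, v in ext.items() if k in EXT_COLS})
    unmapped = sorted(k for k in ext if k not in EXT_COLS)
    return row, unmapped

# Constructed sample line (not real Secret Server output).
SAMPLE = (r"<134>Jan 10 12:00:00 ss01 CEF:0|Thycotic Software|Secret Server|"
          r"11.0.000000|10004|SECRET - VIEW|2|msg=Folder A\=B viewed suid=7 "
          r"suser=jdoe suserDisplayName=John Doe src=192.0.2.10 cs1=extra")

if __name__ == "__main__":
    tag, message = apply_rule(SAMPLE)
    row, unmapped = parse_message(message)
    print(tag, row, "unmapped:", unmapped)
```

Keys reported as unmapped are present in the event but have no column of that name in the table listed on this page.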