auth.thycotic

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 How is the data sent to devo? ] [ 4 Table structure ]

Introduction

The tags beginning with auth.thycotic identify events generated by Delinea (formerly Thycotic).

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as auth.thycotic. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
Thycotic Secret Server	`auth.thycotic.secretserver`	`auth.thycotic.secretserver`

For more information, read more About Devo tags.

How is the data sent to devo?

Set up the Thycotic product

The user may follow the official vendor documentation to configure log forwarding to a Devo Relay. Then, the Distributed Engine that would be installed on-premises will forward logs in CEF format to the Devo Relay.

Set up the Devo relay rules

You will need to set up 1 rule on the relay to correctly process and forward the events received from Thycotic. In the examples below, you should use any port that you can dedicate to these events.

Rules

Rules

Thycotic SecretServer

Source port → Custom source port
Source data → CEF:(.*)
Sent without syslog tag → False
Target tag → auth.thycotic.secretserver
Is prefix → False
Target Message → \\d1
Stop processing → True

Table structure

auth.thycotic.secretserver

These are the fields displayed in this table:

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
cefVersion	`str`
embDeviceVendor	`str`
embDeviceProduct	`str`
deviceVersion	`str`
signatureID	`str`
name	`str`
severity	`str`
_cefVer	`str`
duid	`str`
duser	`str`
fileId	`str`
fileType	`str`
fname	`str`
msg	`str`
rt	`timestamp`
src	`ip4`
suid	`str`
suser	`str`
suserDisplayName	`str`
folder	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓