
Delinea Secret Server

The following instructions explain how to send Delinea Secret Server audit and security events to Secureworks® Taegis™ XDR using your XDR Collector, and describe how those events appear after normalization.

Secret Server is Delinea's enterprise privileged access management and vault platform. When Syslog/CEF output is enabled, it forwards activity as Common Event Format (CEF) over syslog. XDR ingests that stream when it is delivered to a data collector listening for syslog.

Connectivity Requirements

Allow the Secret Server instance or the network egress you use for syslog to reach the collector on the syslog port and protocol you configure on both sides. Collectors accept UDP/514 and TCP/601 by default, but you can also add a TLS-enabled syslog listener if you require encryption. For details, see TLS Enabled Syslog.

| Source | Destination | Port/Protocol |
|---|---|---|
| Delinea Secret Server (syslog client) | XDR Collector (mgmt IP) | Match the listener you use on the collector (for example UDP/514, TCP/601, or your configured TLS port) |

Use the same host (or VIP) and port that you configure in Secret Server's syslog destination. If you use TLS on the collector, follow TLS Enabled Syslog and configure Secret Server for secure syslog using Delinea's documentation.

Data Provided from Integration

Normalized Data Out-of-the-Box Detections Vendor-Specific Detections
Delinea Secret Server CloudAudit, Generic Auth

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Detection Rules to generate detections based on normalized data from a data source.

Configure Delinea Secret Server

Use Delinea's documentation to enable Syslog/CEF (or equivalent) log forwarding from Secret Server to your syslog server. The following Delinea guides describe application settings, protocols, and message format:

Requirements for XDR

  • Forward CEF syslog messages produced by Secret Server's Syslog/CEF integration, not a custom text format.
  • In the CEF header, messages must identify the product as Thycotic Software (device vendor) and Secret Server (device product). This is the standard CEF identity emitted by Secret Server for SIEM integrations. Do not substitute a different vendor or product name in the CEF header.
  • Point the syslog destination host and port at the XDR Collector address and the syslog listener you enabled (UDP, TCP, or TLS), consistent with your network and security policy.

Exact menus and licensing for syslog output depend on your Secret Server edition and deployment (on‑premises, distributed engine, or cloud). Follow the vendor guides above for your version.
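The header requirement above can be checked on a captured sample of the forwarded stream before relying on normalization. The following is an added example, not Secureworks or Delinea code: it parses the standard pipe-delimited CEF header and flags lines that are not CEF or carry a different vendor/product. The sample lines, version, event IDs, and function names are constructed for illustration.

```python
EXPECTED_VENDOR = "Thycotic Software"  # device vendor named on this page
EXPECTED_PRODUCT = "Secret Server"     # device product named on this page

def split_cef_header(body, n=7):
    """Split the text after 'CEF:' into n header fields, honouring backslash escapes."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < n:
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1])      # escaped pipe or backslash inside a field
            i += 2
        elif ch == "|":
            fields.append("".join(cur))  # unescaped pipe ends the field
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < n:                  # header ended without a trailing '|'
        fields.append("".join(cur))
    return fields, body[i:]              # remainder is the CEF extension

def check_line(line):
    """Return (ok, reason) for one raw syslog line."""
    start = line.find("CEF:")
    if start == -1:
        return False, "not CEF"
    fields, _extension = split_cef_header(line[start + 4:])
    if len(fields) != 7:
        return False, "incomplete CEF header"
    vendor, product = fields[1], fields[2]
    if vendor != EXPECTED_VENDOR or product != EXPECTED_PRODUCT:
        return False, f"unexpected identity {vendor!r}/{product!r}"
    return True, "ok"

def audit(lines):
    """Return [(line_number, reason)] for every line that fails the check."""
    results = ((n, check_line(l)) for n, l in enumerate(lines, 1))
    return [(n, reason) for n, (ok, reason) in results if not ok]

# Constructed sample lines (not real Secret Server output).
SAMPLES = [
    "<134>Jan 10 12:00:00 vault01 CEF:0|Thycotic Software|Secret Server|0.0|100|Sample \\| event|2|msg=constructed",
    "<134>Jan 10 12:00:01 vault01 CEF:0|Delinea|Secret Server|0.0|100|Sample event|2|msg=constructed",
    "<134>Jan 10 12:00:02 vault01 user alice viewed a secret (custom text format)",
]

if __name__ == "__main__":
    for lineno, reason in audit(SAMPLES):
        print(f"line {lineno}: {reason}")
```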

Normalized Event Outcomes

After ingestion, events are associated with sensor type Delinea Secret Server. Depending on the activity, normalized records are written to one of the following advanced search datasets:

| Dataset | Typical Use |
|---|---|
| auth | User authentication lifecycle (e.g., logon, logoff, lockout, password change outcomes, password expiry) |
| cloudaudit | Vault and platform activity (e.g., secret checkout, check‑in, view, launch, configuration, and engine events) |
| generic | Other Secret Server CEF events that are ingested and normalized here when they are not mapped into the auth or cloudaudit schemas |

Use sensor_type = 'Delinea Secret Server' (exact string) to scope searches to this integration.

Example Query Language Searches

All Delinea Secret Server events from the last 24 hours (any normalized dataset listed above):

FROM auth, cloudaudit, generic WHERE sensor_type = 'Delinea Secret Server' AND EARLIEST=-24h

cloudaudit activity only:

FROM cloudaudit WHERE sensor_type = 'Delinea Secret Server' AND EARLIEST=-24h

auth events for a specific user principal:

FROM auth WHERE sensor_type = 'Delinea Secret Server' AND source_user_name = 'user@example.com'

cloudaudit events involving a secret name (search raw message text when needed):

FROM cloudaudit WHERE sensor_type = 'Delinea Secret Server' AND original_data CONTAINS 'Item name:'