TL;DR
| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Delinea Audit Logs | ✅ | ✅ | ✅ | ✅ | delinea_audit_logs | NDJSON | S3 |
Overview

Delinea’s cloud-based SaaS solution consolidates identities and applies Zero Trust principles to stop privileged access abuse and reduce security risks. Cloud Suite allows organizations to minimize their attack surface by consolidating identities, leveraging multi-directory services for authentication, implementing just-in-time privilege, enforcing MFA, and securing remote access, while auditing everything.
Delinea Cloud Suite Insights & Audit Logs is the centralized auditing and visibility component of the Delinea Platform, designed to provide unified, tamper-resistant recording of all security-relevant activities occurring across Delinea’s privileged access management services, such as Secret Server, Delinea Identity, Identity Federation, and other Cloud Suite components. Insights aggregates events from all connected Delinea products into a single, normalized audit stream.
Logs follow a consistent schema that supports correlation across authentication, authorization, and privileged credential usage, enabling complete traceability from user login through secret access. The platform delivers real-time monitoring, compliance-ready audit trails, and forensic-quality event detail, helping organizations detect abnormal behavior, meet regulatory requirements (such as SOX, HIPAA, PCI-DSS), and maintain strong privileged access governance.
Insights logs can be exported through APIs, integrated with Hunters’ SIEM platform, or retained for long-term investigations, ensuring security teams maintain comprehensive oversight of privileged account activity across hybrid and cloud environments.
Supported data types
Delinea Cloud Suite Audit Logs
Table name: delinea_audit_logs
Delinea Cloud Suite Audit Logs is the centralized auditing and visibility component of the Delinea Platform, designed to provide unified, tamper-resistant recording of all security-relevant activities occurring across Delinea’s privileged access management services.
Each event captures detailed metadata, including the acting user or system, authentication factors, source IP address, target resource, timestamps, and contextual payloads specific to the operation, such as secret access, password retrieval, federation authentication, role use, and session lifecycle events.
Learn more here.
Send data to Hunters
Hunters supports audit logs from Delinea Cloud Suite using S3.
To connect Delinea Cloud Suite logs:
1. Route Delinea Cloud Suite logs into an AWS S3 bucket.
2. Once the export is completed and the logs are collected in S3, follow the steps in this section.
Expected format
The expected format of the logs is NDJSON (one JSON object per line), as exported by Delinea Cloud Suite.
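Added example (not Hunters' or Delinea's code): parsing records in this format for detection. It decodes the `Notes` field, which is a JSON document serialized into a string, and reports an actor who views several distinct secrets in a short window. Field names come from the sample event in this section; the threshold, the window and the `_sample` records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

PASSWORD_VIEWED = "Delinea.Vault.Secret.Password.Viewed"  # Action.Name in the sample event

def parse_event(line):
    """Flatten one NDJSON record into the fields a detection needs."""
    ev = json.loads(line)
    # Sub-objects may be null (Target.Host.Network is null in the sample): walk defensively.
    net = ((ev.get("Source") or {}).get("Host") or {}).get("Network") or {}
    try:  # Notes is JSON inside a JSON string: decode it a second time
        notes = json.loads(ev.get("Notes") or "{}")
    except json.JSONDecodeError:
        notes = {}
    return {
        "time": datetime.fromisoformat(ev["EventDateTime"]),
        "actor": (ev.get("Actor") or {}).get("Name"),
        "src_ip": net.get("IpAddress"),
        "action": (ev.get("Action") or {}).get("Name"),
        "target_id": (ev.get("Target") or {}).get("Id"),
        "secret_name": notes.get("itemName"),
    }

def bulk_password_views(lines, threshold=3, window=timedelta(minutes=10)):
    """Map actor -> secret ids when they view >= threshold distinct secrets within window."""
    views = defaultdict(list)
    for line in filter(str.strip, lines):  # skip blank lines between records
        e = parse_event(line)
        if e["action"] == PASSWORD_VIEWED:
            views[e["actor"]].append((e["time"], e["target_id"]))
    hits = {}
    for actor, items in views.items():
        items.sort(key=lambda v: v[0])
        for start, _ in items:  # slide the window over each view as a start point
            ids = {tid for t, tid in items if timedelta(0) <= t - start <= window}
            if len(ids) >= threshold:
                hits[actor] = sorted(ids, key=str)
                break
    return hits

def _sample(minute, actor, secret_id):  # constructed record, only the fields used above
    notes = json.dumps({"itemName": f"secret-{secret_id}", "eventAction": "PASSWORD_DISPLAYED"})
    return json.dumps({"Actor": {"Name": actor}, "Target": {"Id": secret_id}, "Notes": notes,
                       "Source": {"Host": {"Network": {"IpAddress": "10.0.0.1"}}},
                       "Action": {"Name": PASSWORD_VIEWED},
                       "EventDateTime": f"2025-11-10T13:{minute:02d}:11.237+00:00"})

SAMPLE = [_sample(1, "user.admin@example.com", "101"), _sample(3, "user.admin@example.com", "102"),
          _sample(5, "user.admin@example.com", "103"), _sample(7, "other@example.com", "101")]
```

`bulk_password_views(SAMPLE)` reports only `user.admin@example.com`, with the three secret ids viewed inside the window.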
Authentication logs
{"AuditEventMessageId": "00000000-0000-0000-0000-000000000001", "TenantId": "11111111-1111-1111-1111-111111111111", "Service": {"Type": "Secret Server"}, "SessionId": null, "Source": {"Host": {"Network": {"AddressType": "ipaddress", "IpAddress": "10.0.0.1"}}}, "Actor": {"Id": "22222222-2222-2222-2222-222222222222", "PlatformId": "22222222-2222-2222-2222-222222222222", "IdType": "platformid", "Type": "user", "Name": "user.admin@example.com"}, "Target": {"Host": {"$type": "Delinea.Audit.Abstractions.Models.V2.AuditEventModels.Host, Delinea.Audit.Abstractions", "MachineName": null, "Network": null, "Client": null}, "Id": "99999", "IdType": null, "Type": "SECRET", "Name": "99999"}, "Action": {"Name": "Delinea.Vault.Secret.Password.Viewed", "Verb": "", "TargetType": ""}, "EventDateTime": "2025-11-10T13:45:11.237+00:00", "ProcessedTime": "0001-01-01T00:00:00+00:00", "Notes": "{\"machineName\":\"worker-anonymized\",\"machineTimeZone\":\"Coordinated Universal Time\",\"product\":\"Secret Server\",\"schemaVersion\":\"https://schema.delinea.app/secretserver/schema.v1.json\",\"itemName\":\"REDACTED_SECRET_NAME\",\"itemNameForDisplay\":\"REDACTED_SECRET_NAME\",\"byUser\":\"user.admin@example.com\",\"byUserDisplayName\":\"User Admin\",\"delegatedUserName\":null,\"delegatedUserDisplayName\":null,\"byUserEmailAddress\":null,\"delegatedUserPlatformId\":null,\"eventAction\":\"PASSWORD_DISPLAYED\",\"eventEntityType\":\"SECRET\",\"containerName\":\"REDACTED_CONTAINER\",\"byUserPlatformId\":null,\"eventLevel\":2,\"itemPlatformId\":null,\"targetUserId\":null,\"targetUserName\":null,\"targetUserDisplayName\":null,\"targetUserPlatformId\":null,\"eventQueueId\":619611,\"eventEntityTypeId\":10001,\"eventActionId\":10039,\"userId\":0,\"delegatedUserId\":null,\"itemId\":99999,\"containerId\":0,\"eventTime\":\"0001-01-01T00:00:00\",\"eventDetails\":\"Fields: (Password) Account Name: REDACTED_ACCOUNT_ID \",\"ipAddress\":\"10.0.0.1\",\"eventDataObject\":null,\"additionalData\":null,\"additionalDataDictionary\":{},\"fieldChangesCollection\":null}", "Tags": {"$type": "System.Collections.Generic.Dictionary`2[[System.String, System.Private.CoreLib],[System.String[], System.Private.CoreLib]], System.Private.CoreLib"}, "AdditionalAttributes": {"$type": "System.Collections.Generic.Dictionary`2[[System.String, System.Private.CoreLib],[System.String[], System.Private.CoreLib]], System.Private.CoreLib", "eventmessageguid": ["aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"]}, "Level": 1, "UniqueConsumableId": null, "Version": 0, "Redelivered": false, "RelayEvenIfExpired": true, "ParentCorrelationId": "00000000-0000-0000-0000-000000000000", "CorrelationId": "00000000-0000-0000-0000-000000000000", "TenantSecondaryId": "11111111-1111-1111-1111-111111111111", "ForceCompress": false, "$type": "Delinea.Audit.Platform.Messages.AuditEventConsumableModel, Delinea.Audit.Platform.Messages", "FieldChanges": null, "ExpiresOn": null, "RoutingKeySegments": null, "_ucid": "ffffffff-1111-2222-3333-444444444444", "MetaData": null, "RiskData": null}