
Thales CipherTrust


TL;DR

Supported data types

3rd party detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

Thales CipherTrust Manager Logs

✅

✅

✅

thales_cipher_trust_logs

nested-json-text

S3


Overview

Thales CipherTrust is an enterprise data security platform focused on protecting sensitive data through encryption, centralized key management and access controls. It is designed to help organizations secure data across hybrid and multi-cloud environments while maintaining visibility and control over where sensitive data resides and how it is accessed.

Unlike standalone encryption or key management tools, CipherTrust provides a unified approach to data security by combining capabilities such as data discovery, classification, encryption, tokenization and secrets management under a single platform. This enables organizations to reduce complexity, enforce consistent security policies and meet regulatory compliance requirements more effectively.

CipherTrust Manager is the core component of the CipherTrust platform, acting as the centralized control plane for managing encryption keys, policies and data protection operations. It allows security teams to control the entire lifecycle of encryption keys, enforce role-based access policies and monitor all cryptographic activity from a single interface.

For enterprises, CipherTrust and CipherTrust Manager serve as a critical layer in the security stack, helping protect sensitive data across databases, applications, file systems and cloud workloads. For security teams and service providers, they provide the necessary tools to strengthen data protection strategies, simplify compliance and maintain control over encryption in increasingly complex IT environments.

Supported data types

Thales CipherTrust Manager Logs

Overview:

Thales CipherTrust Manager logs are structured audit and activity records generated by the CipherTrust platform that provide visibility into encryption key usage, authentication events, policy changes and system operations across data protection services.

Table name: thales_ciphertrust_manager_logs

Send data to Hunters

Hunters supports the ingestion of Thales CipherTrust Manager logs via an intermediary AWS S3 bucket.

To connect Thales CipherTrust Manager logs via S3:

  1. Export your logs from Thales CipherTrust to an AWS S3 bucket.

  2. Once the export is completed and the logs are collected in S3, follow the steps in this section.

Expected format

Logs are expected in Nested JSON Text:

{"message":"<134>Mar 30 05:29:29 test001.example.global CipherTrust: <134>1 2026-03-30T05:29:24.706083Z test001.example.global CipherTrust_Manager_a012b - a0123b45-6789-0123-c45d-ef6g7h89i0j [msg=\"Update License Usage\" sev=\"6\" details=\"'Update License Usage' succeeded ({\"client_ip\":\"\",\"createdAt\":\"2026-03-30T05:29:24.706083Z\",\"details\":{\"feature\":\"RESTfulDataProtection\",\"usages\":{}},\"domain_id\":\"00000000-0000-0000-0000-000000000000\",\"message\":\"Update License Usage\",\"proxy_ip\":\"\",\"service\":\"dmv\",\"service_name\":\"licensing\",\"severity\":\"info\",\"source\":\"test001.example.global\",\"success\":true,\"username\":\"\"})\"]"}
{"message":"<132>Mar 30 05:42:51 test001.example.global CipherTrust: <134>1 2026-03-30T05:42:46.362585Z test001.example.global CipherTrust_Manager_a012b - a0123b45-6789-0123-c45d-ef6g7h89i0j [msg=\"Create Token\" sev=\"6\" details=\"'Create Token' failed ({\"client_ip\":\"10.10.10.10\",\"createdAt\":\"2026-03-30T05:42:46.362585Z\",\"details\":{\"auth_domain\":\"\",\"client_id\":\"12345\",\"connection\":\"local_account\",\"domain\":\"\",\"errorMessage\":\"Neither public nor confidential client found with clientID:12345\",\"grant_type\":\"client_credential\",\"username\":\"\"},\"domain_id\":\"00000000-0000-0000-0000-000000000000\",\"message\":\"Create Token\",\"proxy_ip\":\"\",\"service\":\"abc\",\"service_name\":\"platform\",\"severity\":\"warning\",\"source\":\"test001.example.global\",\"success\":false,\"username\":\"\"})\"]"}
{"message":"<134>Mar 26 10:15:35 test001.example.global CipherTrust: <134>1 2026-03-26T10:15:30.700752Z test001.example.global CipherTrust_Manager_a012b - a0123b45-6789-0123-c45d-ef6g7h89i0j [msg=\"Use Key\" sev=\"6\" details=\"'Use Key' succeeded ({\"client_ip\":\"10.10.10.10\",\"createdAt\":\"2026-03-26T10:15:30.700752Z\",\"details\":{\"identifier\":\"SQL_ASymDB\",\"version\":0},\"domain_id\":\"00000000-0000-0000-0000-000000000000\",\"message\":\"Use Key\",\"proxy_ip\":\"\",\"record_type_id\":\"key-vault:UseKey\",\"service\":\"minerva\",\"service_name\":\"key-vault\",\"severity\":\"info\",\"source\":\"test001.example.global\",\"success\":true,\"username\":\"user1\"})\"]"}
{"message":"<134>Mar 30 18:37:02 test001.example.global CipherTrust: <134>1 2026-03-30T18:36:59.073215Z test001.example.global CipherTrust_Manager_a012b - a0123b45-6789-0123-c45d-ef6g7h89i0j [msg=\"Alarm State Change\" sev=\"6\" details=\"'Alarm State Change' succeeded ({\"client_ip\":\"\",\"createdAt\":\"2026-03-30T18:36:59.073215Z\",\"details\":{\"account\":\"abc:abc:admin:accounts:abc\",\"application\":\"system:system:admin:applications:system\",\"clearedAt\":\"2026-03-30T18:36:59.069465626Z\",\"createdAt\":\"2025-05-08T23:38:31.670677Z\",\"description\":\"Cluster node certificate is valid\",\"devAccount\":\"abc:abc:admin:accounts:abc\",\"id\":\"1234-f8e5-4d03-ab96-568\",\"internal\":true,\"name\":\"Cluster Node Certificate Expiration\",\"previous_state\":\"on\",\"service\":\"dbmgr\",\"severity\":\"critical\",\"source\":\"test001.example.global\",\"sourceID\":\"12a34a295084433b89d4f8daccc55b5f\",\"source_type\":\"server_record\",\"state\":\"off\",\"triggeredAt\":\"2026-03-30T18:21:29.021412Z\",\"uri\":\"abc:abc:audit:alarms:1234-f8e5-4d03-ab96-568"}
{"message":"<134>Mar 30 18:48:14 test001.example.global CipherTrust: <134>1 2026-03-30T18:48:09.903028Z test001.example.global CipherTrust_Manager_a012b - a0123b45-6789-0123-c45d-ef6g7h89i0j [msg=\"Update CTE Client\" sev=\"6\" details=\"'Update CTE Client' succeeded ({\"client_ip\":\"\",\"createdAt\":\"2026-03-30T18:48:09.903028Z\",\"details\":{\"id\":\"1234-f8e5-4d03-ab96-568\",\"name\":\"user2.example.global\",\"uri\":\"abc:abc:user:client:user2.example.global\"},\"domain_id\":\"00000000-0000-0000-0000-000000000000\",\"message\":\"Update CTE Client\",\"proxy_ip\":\"\",\"service\":\"user\",\"service_name\":\"cte-management\",\"severity\":\"info\",\"source\":\"test001.example.global\",\"success\":true,\"username\":\"\"})\"]"}
{"message":"<134>Mar 30 22:07:11 test001.example.global CipherTrust: <134>1 2026-03-30T22:07:06.422458Z test001.example.global CipherTrust_Manager_a012b - a0123b45-6789-0123-c45d-ef6g7h89i0j [msg=\"Revoke Refresh Token\" sev=\"6\" details=\"'Revoke Refresh Token' succeeded ({\"client_ip\":\"\",\"createdAt\":\"2026-03-30T22:07:06.422458Z\",\"details\":{\"client_id\":\"12345\",\"connection\":\"local_account\",\"id\":\"abcd-cdfa-466b-ad7b-efgh\",\"user_id\":\"local|12345\",\"username\":\"user1\"},\"domain_id\":\"00000000-0000-0000-0000-000000000000\",\"message\":\"Revoke Refresh Token\",\"proxy_ip\":\"\",\"service\":\"abc\",\"service_name\":\"platform\",\"severity\":\"info\",\"source\":\"test001.example.global\",\"success\":true,\"username\":\"\"})\"]"}
{"message":"<132>Mar 27 05:15:10 test001.example.global CipherTrust: <134>1 2026-03-27T05:15:05.15469Z test001.example.global CipherTrust_Manager_a012b - a0123b45-6789-0123-c45d-ef6g7h89i0j [msg=\"NAE Client Validation\" sev=\"6\" details=\"'NAE Client Validation' failed ({\"client_ip\":\"10.10.10.10\",\"createdAt\":\"2026-03-27T05:15:05.15469Z\",\"details\":{\"errorMessage\":\"Unregistered client found, please register a client. System may go out of compliance.\",\"interface_name\":\"nae_all_9002\",\"interface_type\":\"nae\",\"mode\":\"tls-pw-req\",\"subject_dn\":\"/CN=test001\"},\"domain_id\":\"00000000-0000-0000-0000-000000000000\",\"message\":\"NAE Client Validation\",\"proxy_ip\":\"\",\"service\":\"kylo\",\"service_name\":\"nae-kmip\",\"severity\":\"warning\",\"source\":\"test001.example.global\",\"success\":false,\"username\":\"\"})\"]"}
{"message":"<134>Mar 27 21:46:49 test001.example.global CipherTrust: <134>1 2026-03-27T21:46:44.133106Z test001.example.global CipherTrust_Manager_a012b - a0123b45-6789-0123-c45d-ef6g7h89i0j [msg=\"Kmip Authentication\" sev=\"6\" details=\"'Kmip Authentication' succeeded ({\"client_ip\":\"10.10.10.10\",\"createdAt\":\"2026-03-27T21:46:44.133106Z\",\"details\":{\"Username\":\"KMIP_USER\",\"userId\":\"local|1234\"},\"domain_id\":\"00000000-0000-0000-0000-000000000000\",\"message\":\"Kmip Authentication\",\"proxy_ip\":\"\",\"service\":\"kylo\",\"service_name\":\"nae-kmip\",\"severity\":\"info\",\"source\":\"test001.example.global\",\"success\":true,\"username\":\"\"})\"]"}
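
The nesting in the sample lines above, unpacked as an added example (not Hunters or Thales code): each line is a JSON object whose message field is a syslog string, and the audit record is a second JSON object inside the parentheses of details. The function names, the cm.example.test host and the records wrapped by build_line are constructed for illustration; a line cut short before its closing })"] yields the header fields only.

```python
import json
import re

# Syslog prefix up to the structured-data element: <PRI>... [msg="..." sev="..." details="
_HEAD = re.compile(r'^<(?P<pri>\d+)>.*?\[msg="(?P<msg>[^"]*)" sev="(?P<sev>\d+)" details="', re.S)

def parse_line(line):
    """Decode one S3 line: outer JSON -> syslog text -> audit record embedded in details."""
    message = json.loads(line)["message"]
    head = _HEAD.match(message)
    if head is None:
        return None
    event = {"pri": int(head["pri"]), "msg": head["msg"], "sev": int(head["sev"]), "record": None}
    start = message.find("({", head.end())
    if start != -1:
        try:
            # raw_decode stops at the end of the object, so the trailing )"] is ignored
            event["record"], _ = json.JSONDecoder().raw_decode(message, start + 1)
        except json.JSONDecodeError:
            pass  # truncated or malformed record: keep the header fields only
    return event

def failed_operations(lines):
    """Return (createdAt, message, client_ip, errorMessage) for records with success == false."""
    hits = []
    for line in lines:
        event = parse_line(line)
        record = event["record"] if event else None
        if record and record.get("success") is False:
            error = record.get("details", {}).get("errorMessage")
            hits.append((record.get("createdAt"), record.get("message"), record.get("client_ip"), error))
    return hits

def build_line(record, pri=134, cut=0):
    """Constructed sample data: wrap a record the way the lines above are wrapped."""
    name, verb = record["message"], "succeeded" if record["success"] else "failed"
    inner = json.dumps(record, separators=(",", ":"))
    text = (f'<{pri}>Mar 30 05:42:51 cm.example.test CipherTrust: <134>1 {record["createdAt"]} '
            f'cm.example.test CipherTrust_Manager_x - 0000 [msg="{name}" sev="6" '
            f"details=\"'{name}' {verb} ({inner})\"]")
    return json.dumps({"message": text[:len(text) - cut]})

TOKEN = {"client_ip": "10.10.10.10", "createdAt": "2026-03-30T05:42:46.362585Z", "message": "Create Token",
         "details": {"client_id": "12345", "errorMessage": "client not found"}, "success": False}
USE_KEY = {"client_ip": "10.10.10.10", "createdAt": "2026-03-26T10:15:30.700752Z", "message": "Use Key",
           "details": {"identifier": "SQL_ASymDB", "version": 0}, "success": True, "username": "user1"}
SAMPLES = [build_line(TOKEN, pri=132), build_line(USE_KEY), build_line(USE_KEY, cut=20)]
if __name__ == "__main__":
    print(failed_operations(SAMPLES))
```

The success flag inside the embedded record, not the sev value in the syslog header, is what separates the failed Create Token from the successful Use Key here: both carry sev="6".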