Overview

This article explains how to ingest your Thycotic Secret Server logs into Hunters.

Ingestion to Hunters

For Hunters to integrate with your Thycotic logs, the logs should be collected to a storage service (e.g. an S3 bucket or Azure Blob Storage) shared with Hunters.

Supported Format

  • Example of an expected CEF-formatted log:

Aug 18 14:28:06 sv-thyss CEF:0|Thycotic Software|Secret Server|8.6.000010|18|USER - LOGINFAILURE|2|msg=[SecretServer] Event: [User] Action: [Login Failure] By User: domain.local\\John Snow Item Name: domain.local\\John Snow suid=6 suser=domain.local\\John Snow duser=domain.local\\John Snow duid=6 fname=domain.local\\John Snow fileType=User fileId=6 src=192.168.2.27 rt=Aug 18 2014 14:28:03
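
The sample record above can be parsed with a short script to confirm that collected files parse as CEF before they reach the shared bucket. This is an added example, not Hunters or Thycotic code; the function names and output key names are assumptions, and SAMPLE reproduces the line shown on this page.

```python
import re

# Constructed: the sample record from this page, kept as-is (raw strings).
SAMPLE = (
    r"Aug 18 14:28:06 sv-thyss CEF:0|Thycotic Software|Secret Server|8.6.000010|18|"
    r"USER - LOGINFAILURE|2|msg=[SecretServer] Event: [User] Action: [Login Failure] "
    r"By User: domain.local\\John Snow Item Name: domain.local\\John Snow suid=6 "
    r"suser=domain.local\\John Snow duser=domain.local\\John Snow duid=6 "
    r"fname=domain.local\\John Snow fileType=User fileId=6 src=192.168.2.27 "
    r"rt=Aug 18 2014 14:28:03"
)

# Output key names below are this example's own choice, not a Hunters schema.
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# "CEF:<version>|" then six pipe-terminated header fields (a backslash escapes
# the next character, so "\|" stays inside a field), then the extension.
_HEADER = re.compile(r"CEF:(\d+)\|" + r"((?:\\.|[^|\\])*)\|" * 6 + r"(.*)$")
# An extension key is a word right before an unescaped "=" at a token start.
_KEY = re.compile(r"(?:^|\s)(\w+)=")

def _unescape(value):
    # CEF escapes: \\ -> \, \= -> =, \| -> |, and \n / \r stand for line breaks.
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)

def parse_cef(line):
    """Parse one syslog-wrapped CEF line into header fields plus an extension dict."""
    m = _HEADER.search(line)
    if m is None:
        raise ValueError("no CEF header found")
    event = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, m.groups())}
    raw, ext = m.group(8), {}
    keys = list(_KEY.finditer(raw))
    for i, key in enumerate(keys):
        # A value runs until the next " key=" token, so it may contain spaces.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(raw)
        ext[key.group(1)] = _unescape(raw[key.end():end].strip())
    event["extension"] = ext
    return event

if __name__ == "__main__":
    for k, v in parse_cef(SAMPLE)["extension"].items():
        print(f"{k:9} {v}")
```

Values such as `suser` and `msg` contain spaces, so splitting the extension on whitespace alone would truncate the user name; the parser instead ends each value at the next `key=` token.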