From f3faba5868c294edfc6da861a678961842517504 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Tue, 13 Jul 2021 08:42:11 -0400
Subject: [PATCH] feat(thycotic): support secret server fixes #1183
---
 docs/sources/Thycotic/index.md | 39 +++++++++++++++++++
 mkdocs.yml | 1 +
 .../cef/app-cef-thycotic_secret_server.conf | 18 +++++++++
 3 files changed, 58 insertions(+)
 create mode 100644 docs/sources/Thycotic/index.md
 create mode 100644 package/etc/conf.d/conflib/cef/app-cef-thycotic_secret_server.conf

diff --git a/docs/sources/Thycotic/index.md b/docs/sources/Thycotic/index.md
new file mode 100644
index 0000000000..5687ee65e7
--- /dev/null
+++ b/docs/sources/Thycotic/index.md
@@ -0,0 +1,39 @@
+# Vendor - Tenable
+
+
+## Product - Tenable.nnm
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/4060/ |
+| Product Manual | https://docs.tenable.com/integrations/Splunk/Content/Splunk2/ProcessWorkflow.htm |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| thycotic:syslog | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| Thycotic Software_Secret Server | thycotic:syslog | netauth | none |
+
+### Filter type
+
+CEF
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+
+### Verification
+
+An active device will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index= sourcetype=thycotic:syslog | stats count by host
+```
\ No newline at end of file
diff --git a/mkdocs.yml b/mkdocs.yml
index 92c2e6cc24..464633e86e 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -58,6 +58,7 @@ nav:
 - Broadcom: sources/Broadcom/index.md
 - Tanium: sources/Tanium/index.md
 - Tenable: sources/Tenable/index.md
+ - Thycotic: sources/Thycotic/index.md
 - Tintri: sources/Tintri/index.md
 - Trend: sources/Trend/index.md
 - Ubiquiti: sources/Ubiquiti/index.md
diff --git a/package/etc/conf.d/conflib/cef/app-cef-thycotic_secret_server.conf b/package/etc/conf.d/conflib/cef/app-cef-thycotic_secret_server.conf
new file mode 100644
index 0000000000..152d878f3c
--- /dev/null
+++ b/package/etc/conf.d/conflib/cef/app-cef-thycotic_secret_server.conf
@@ -0,0 +1,18 @@
+block parser cef-thycotic_secret_server-parser() {
+ channel {
+ rewrite {
+ r_set_splunk_dest_default(
+ index('netauth'),
+ sourcetype('thycotic:syslog')
+ );
+ };
+
+ };
+};
+application cef-thycotic_secret_server[cef] {
+ filter{
+ match("Thycotic Software" value("fields.cef_device_vendor"))
+ and match("Secret Server" value("fields.cef_device_product"));
+ };
+ parser { cef-thycotic_secret_server-parser(); };
+};
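Review bot: The two `match()` calls in the new filter block use syslog-ng's default regex mode, so "Thycotic Software" and "Secret Server" are unanchored substring patterns rather than exact comparisons of the CEF device vendor/product header fields, which are values supplied by the sending device; if exact routing is intended, `match("Secret Server" value("fields.cef_device_product") type(string))` (and the same on the vendor line) pins it, and if the substring match is deliberate a short comment saying so would stop the next reader from tightening it, since any other vendor/product string containing these words would otherwise also land in index `netauth` as `thycotic:syslog`. Formatting is also inconsistent within the block: `filter{` lacks the space that `parser {`, `channel {` and `rewrite {` have, and the empty line between the two closing `};` inside `channel` serves no purpose. A one-line header comment at the top of the file, such as `# Thycotic Secret Server (CEF): routes to index netauth, sourcetype thycotic:syslog`, would state the same contract the accompanying docs table declares.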