feat(thycotic): support secret server
fixes #1183
rfaircloth-splunk committed Jul 13, 2021
1 parent 84414a4 commit f3faba5
Showing 3 changed files with 58 additions and 0 deletions.
39 changes: 39 additions & 0 deletions docs/sources/Thycotic/index.md
@@ -0,0 +1,39 @@
# Vendor - Tenable


## Product - Tenable.nnm

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on | https://splunkbase.splunk.com/app/4060/ |
| Product Manual | https://docs.tenable.com/integrations/Splunk/Content/Splunk2/ProcessWorkflow.htm |


### Sourcetypes

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| thycotic:syslog | None |

### Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
| Thycotic Software_Secret Server | thycotic:syslog | netauth | none |

### Filter type

CEF

### Options

| Variable | default | description |
|----------------|----------------|----------------|

### Verification

An active device will generate frequent events. Use the following search to validate events are present per source device

```
index=<asconfigured> sourcetype=thycotic:syslog | stats count by host
```
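Review bot: the headings and Ref table in this new file do not match the file it lives in. `docs/sources/Thycotic/index.md` opens with `# Vendor - Tenable` and `## Product - Tenable.nnm`, and the Ref table links to the Tenable add-on (Splunkbase app 4060) and the Tenable Splunk manual, while every later section describes `thycotic:syslog` and the `Thycotic Software_Secret Server` key. The top of the page looks copied from the Tenable source page; it should read `# Vendor - Thycotic` and `## Product - Secret Server`, and the two Ref rows should point at the Thycotic Secret Server add-on and product manual (or be removed until the correct links are known) rather than leave Tenable URLs in place, since mkdocs will render this page under the Thycotic nav entry. Two smaller points: the Options table has a header row and no entries, so either list the options or state that the parser takes none; and because Secret Server is a privileged-credential vault whose audit events (secret views, permission changes, logins) are high-value for detection, a one-line note in the Sourcetype and Index Configuration section explaining that these events are routed to `netauth` by default would save operators from hunting for them under a dedicated secrets index.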
1 change: 1 addition & 0 deletions mkdocs.yml
@@ -58,6 +58,7 @@ nav:
- Broadcom: sources/Broadcom/index.md
- Tanium: sources/Tanium/index.md
- Tenable: sources/Tenable/index.md
- Thycotic: sources/Thycotic/index.md
- Tintri: sources/Tintri/index.md
- Trend: sources/Trend/index.md
- Ubiquiti: sources/Ubiquiti/index.md
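Review bot: the nav entry is placed correctly in the alphabetical list between Tenable and Tintri and points at the path the new page is added under; nothing to change here beyond fixing the page's own title so the Thycotic entry does not open on a "Vendor - Tenable" heading.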
18 changes: 18 additions & 0 deletions package/etc/conf.d/conflib/cef/app-cef-thycotic_secret_server.conf
@@ -0,0 +1,18 @@
block parser cef-thycotic_secret_server-parser() {
channel {
rewrite {
r_set_splunk_dest_default(
index('netauth'),
sourcetype('thycotic:syslog')
);
};

};
};
application cef-thycotic_secret_server[cef] {
filter{
match("Thycotic Software" value("fields.cef_device_vendor"))
and match("Secret Server" value("fields.cef_device_product"));
};
parser { cef-thycotic_secret_server-parser(); };
};
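Review bot: both `match()` calls in the `filter{}` block are unanchored, so they behave as substring matches (syslog-ng evaluates `match()` patterns as regular expressions unless a `type()` is given). `match("Secret Server" value("fields.cef_device_product"))` would therefore also select any other CEF product whose name contains that phrase, and the vendor check would accept any vendor string containing `Thycotic Software`; events from a different product by the same vendor would then be silently routed to `netauth` with the `thycotic:syslog` sourcetype and parsed against the wrong expectations. Consider literal matching, e.g. `match("Thycotic Software" value("fields.cef_device_vendor") type("string"))` and the same `type("string")` on the product check, or anchor the patterns with `^...$`. Style: the `rewrite { ... };` block is followed by a stray blank line inside `channel {}` before its closing `};`, which the other CEF app-parser files in `conflib/cef/` do not have.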
