Delinea Privileged Access Management¶
About¶
Delinea PAM (Privileged Access Management) is a centralized platform designed to secure and manage privileged accounts across an organization, providing features like just-in-time access, adaptive controls, session recording, and granular policy management, ensuring only authorized users have access to critical systems and data, thereby minimizing the risk of cyber breaches and enhancing overall security posture.
Product Details¶
Vendor URL: Delinea
Product Type: Privileged Access Management
Product Tier: Tier III
Integration Method: Webhook
Integration URL: Generic-webhook-Cyderes Documentation
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: DELINEA_PAM
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| _ucid | additional.fields |
| Action.Name | metadata.product_event_type |
| Action.TargetType | target.resource.resource_subtype |
| Action.Verb | metadata.description |
| Actor.Id | principal.user.email_addresses |
| Actor.Id | principal.asset.product_object_id |
| Actor.Name | principal.user.userid |
| Actor.Name | principal.hostname |
| Actor.Name | principal.administrative_domain |
| Actor.Name | principal.user.user_display_name |
| AdditionalAttributes.AuthFactors | additional.fields |
| AdditionalAttributes.AuthMethod | extensions.auth.auth_details |
| AdditionalAttributes.AzDeploymentId | metadata.product_deployment_id |
| AdditionalAttributes.AzRoleId | target.asset.attribute.roles.name |
| AdditionalAttributes.AzRoleName | target.asset.attribute.role.description |
| AdditionalAttributes.DirectoryServicePartnerName | target.application |
| AdditionalAttributes.MfaResult | security_result.action_details |
| AdditionalAttributes.RequestBrowser | network.http.user_agent |
| AuditEventMessageId | metadata.product_log_id |
| Level | security_result.severity_details |
| Machine Name | target.hostname |
| notes.containerName | principal.group.group_display_name |
| notes.eventAction | security_result.action_details |
| notes.eventDetails | security_result.summary |
| notes.itemId | target.resource.id |
| notes.itemName | target.resource.name |
| notes.machineName | observer.hostname |
| Service.Type | principal.application |
| SessionId | network.session_id |
| Source.Host.Network.IpAddress | principal.ip |
| Target Server | target.ip |
| Target.Host.MachineName | target.hostname |
| Target.Host.Network.Port | target.port |
| Target.Id | target.resource.id |
| Target.Id | target.asset.product_object_id |
| Target.Name | target.user.userid |
| Target.Name | target.user.user_display_name |
| Target.Name | target.administrative_domain |
| Target.Type | target.resource.resource_subtype |
| TenantId | additional.fields |
| Version | metadata.product_version |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| Folder.Permissions.Updated | RESOURCE_PERMISSIONS_CHANGE |
| Password.UpdateSucceeded | USER_CHANGE_PASSWORD |
| RemoteSession.Launched, Password.Viewed, Secret.Viewed, Secret.PreCheckOutRan, Secret.CheckedOut | RESOURCE_READ |
| Secret.CheckedIn, Secret.PreCheckInRan, Secret.Launched, Secret.EditView.Viewed | RESOURCE_READ |
| RemoteWebSession.Launched | PROCESS_LAUNCH |
| Secret.Created | RESOURCE_CREATION |
| Secret.Updated, Session.Clipboard.Copied | RESOURCE_WRITTEN |
| Session.ClosedByVault, Folder.Deleted | RESOURCE_DELETION |
| User.LoggedIn, MFA.Responded, AuthSession.SessionStart, MultifactorAuth.MfaAuthentication | USER_LOGIN |
| User.LoggedOut, Logout.Completed | USER_LOGOUT |
| User.Updated | USER_CHANGE_PERMISSIONS |
Log Sample¶
{"$type":"Delinea.Auditing.Shared.EventAuditingPackage.AuditEventConsumableModel, Delinea.Auditing.Shared.EventAuditingPackage","Action":{"Name":"Delinea.Vault.User.LoginFailed","TargetType":"","Verb":""},"Actor":{"Id":"Jane.Doe@example.com","IdType":"email","Name":"example.corp\\Jane.Doe","PlatformId":null,"Type":"user"},"AdditionalAttributes":{"$type":"System.Collections.Generic.Dictionary`2[[System.String, System.Private.CoreLib],[System.String[], System.Private.CoreLib]], System.Private.CoreLib","eventmessageguid":["98a34e91-d8af-42cc-b3a6-a5f4e8392246"]},"AuditEventMessageId":"bb05c3f3-00c4-4d26-b4e2-23fed2dd6eb9","CorrelationId":"00000000-0000-0000-0000-000000000000","EventDateTime":"2024-12-04T08:54:15.31+00:00","ExpiresOn":null,"FieldChanges":null,"ForceCompress":false,"Level":0,"MetaData":null,"Notes":"{\"machineName\":\"thy-ssc-backgroundworker-prod-blue-1234abcd-abcde\",\"machineTimeZone\":\"Coordinated Universal Time\",\"product\":\"Secret Server\",\"schemaVersion\":\"https://schema.delinea.app/secretserver/schema.v1.json\",\"itemName\":\"example.corp\\\\Jane.Doe\",\"itemNameForDisplay\":\"example.corp\\\\Jane Doe\",\"byUser\":\"example.corp\\\\Jane.Doe\",\"byUserDisplayName\":\"example.corp\\\\Jane Doe\",\"delegatedUserName\":null,\"delegatedUserDisplayName\":null,\"byUserEmailAddress\":null,\"delegatedUserPlatformId\":null,\"eventAction\":\"LOGINFAILURE\",\"eventEntityType\":\"USER\",\"containerName\":null,\"byUserPlatformId\":null,\"eventLevel\":2,\"itemPlatformId\":null,\"targetUserId\":null,\"targetUserName\":null,\"targetUserDisplayName\":null,\"targetUserPlatformId\":null,\"eventQueueId\":2219474,\"eventEntityTypeId\":1,\"eventActionId\":18,\"userId\":0,\"delegatedUserId\":null,\"itemId\":227,\"containerId\":0,\"eventTime\":\"0001-01-01T00:00:00\",\"eventDetails\":\"AuthenticationFailed\",\"ipAddress\":\"10.190.33.30\",\"eventDataObject\":null,\"additionalData\":null,\"additionalDataDictionary\":{},\"fieldChangesCollection\":null}","ParentCorrelationId":"00000000-0000-0000-0000-000000000000","ProcessedTime":"0001-01-01T00:00:00+00:00","Redelivered":false,"RelayEvenIfExpired":false,"RiskData":{"$type":"Delinea.Auditing.Shared.EventAuditingPackage.RiskData, Delinea.Auditing.Shared.EventAuditingPackage","AdditionalAttributes":{"$type":"System.Collections.Generic.Dictionary`2[[System.String, System.Private.CoreLib],[System.Object, System.Private.CoreLib]], System.Private.CoreLib"},"Factors":[],"IpAddress":null,"Level":0,"ModelTag":"","RiskReason":"","Score":0,"Version":"1.0"},"RoutingKeySegments":null,"Service":{"Type":"Secret Server"},"SessionId":null,"Source":{"Host":{"Network":{"AddressType":"ipaddress","IpAddress":"10.190.33.30"}}},"Tags":{"$type":"System.Collections.Generic.Dictionary`2[[System.String, System.Private.CoreLib],[System.String[], System.Private.CoreLib]], System.Private.CoreLib"},"Target":{"Host":{"$type":"Delinea.Auditing.Shared.EventAuditingPackage.Host, Delinea.Auditing.Shared.EventAuditingPackage","Client":null,"MachineName":null,"Network":null},"Id":null,"IdType":null,"Name":"example.corp\\Jane.Doe","Type":"USER"},"TenantId":"72cf7a20-0a40-414f-8507-b847409bbae3","TenantSecondaryId":"72cf7a20-0a40-414f-8507-b847409bbae3","UniqueConsumableId":null,"Version":0,"_ucid":"0c49717f-9f24-423f-a118-b2ce72739416"}
Sample Parsing¶
additional.fields["TenantId"] = "72cf7a20-0a40-414f-8507-b847409bbae3"
additional.fields["UCID"] = "0c49717f-9f24-423f-a118-b2ce72739416"
metadata.event_type = "USER_LOGIN"
metadata.log_type = "DELINEA_PAM"
metadata.product_event_type = "Delinea.Vault.User.LoginFailed"
metadata.product_log_id = "bb05c3f3-00c4-4d26-b4e2-23fed2dd6eb9"
metadata.product_name = "PAM"
metadata.product_version = "0"
metadata.vendor_name = "Delinea"
observer.hostname = "thy-ssc-backgroundworker-prod-blue-1234abcd-abcde"
principal.administrative_domain = "example.corp"
principal.application = "Secret Server"
principal.ip = "10.190.33.30"
principal.user.email_addresses = "Jane.Doe@example.com"
principal.user.user_display_name = "Jane.Doe"
principal.user.userid = "example.corp\\Jane.Doe"
security_result.action_details = "LOGINFAILURE"
security_result.action = "BLOCK"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "0"
security_result.summary = "AuthenticationFailed"
target.administrative_domain = "example.corp"
target.user.user_display_name = "Jane.Doe"
target.user.userid = "example.corp\\Jane.Doe"