Delinea Platform Audit Logs
Overview
Delinea Platform is a secure session‐broker solution that lets organizations grant, monitor and audit elevated RDP, SSH and SFTP connections to critical systems without exposing underlying credentials to end users. PRA integrates with your vault, identity providers and SIEMs to enforce just-in-time, least-privilege access policies, record every keystroke and file transfer, and stream real-time audit events for compliance and threat detection. By isolating sessions, injecting credentials on the fly and capturing detailed forensic logs, Delinea Platform reduces risk from shared accounts, lateral movement and credential theft while delivering complete visibility into who accessed what, when and how.
Warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.
- Vendor: Delinea
- Supported environment: SaaS
- Detection based on: Audit events
- Supported application or feature:
  - Remote Access logs
  - Vault Secret logs
Configure
This setup guide will show you how to forward your Delinea logs to Sekoia.io.
Create a Role
- Log in to the Delinea Platform Admin Portal.
- Go to Access > Roles.
- Click Add Role.
- Select Add New Custom Role as Role Type.
- Name the Role (e.g., API Service Audit Role).
- Describe the Role (optional).
- Click Save.
- Click the Permissions tab.
- Select Read Audit events in the list of permissions.
- Click Assign.
Create a Group
- In the Delinea PRA Admin Portal, go to Access > Groups.
- Click Add Group.
- Name the Group (e.g., API Service Audit Group).
- Describe the Group (optional).
- Click Save.
- Click on the new group.
- Go to the Roles tab.
- Click Assign Role.
- Select the previously created Role (e.g., API Service Audit Role).
- Click Assign.
Create a user
- In the Delinea PRA Admin Portal, go to Access > Users.
- Click More > Add service user.
- Name the user (e.g., API Service Audit User).
- Type an email address.
- Type a display name.
- Select Generated or type a password.
- Save the password somewhere safe.
- Click Next.
- Select the previously created Group (e.g., API Service Audit Group).
- Click Add.
Create an intake
- Go to the intake page and create a new intake from the format Delinea PRA.
- Set up the intake configuration with the base URL, the username as client id and the password as client_secret of the previously created service user.
Event Categories
The following table lists the data sources offered by this integration.
| Data Source | Description |
|---|---|
| Host network interface | None |
| Network device logs | None |
| Network protocol analysis | None |
In detail, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | alert |
| Category | network |
| Type | info |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\n \"Date\": \"2025-08-18T15:01:42.7166877+00:00\",\n \"Service\": \"Remote Access\",\n \"Level\": \"PrivilegedActivity\",\n \"Event type\": \"Delinea.RAS.Session.Secret.Launched\",\n \"Action\": \"Launched by user jdoe@test.test.com from secret test-TEST-00-0000 (test-TEST-00-0000) as testUser to test-TEST-00-0000:22 at Delinea_Integration_test_test using ssh.\",\n \"Initiated by\": \"jdoe\",\n \"Target\": \"test-TEST-00-0000\",\n \"Source\": \"test-Source-ADDR\",\n \"Field changes\": \"\"\n }",
"event": {
"action": "Delinea.RAS.Session.Secret.Launched",
"category": [
"network"
],
"reason": "Launched by user jdoe@test.test.com from secret test-TEST-00-0000 (test-TEST-00-0000) as testUser to test-TEST-00-0000:22 at Delinea_Integration_test_test using ssh.",
"type": [
"info"
]
},
"@timestamp": "2025-08-18T15:01:42.716687Z",
"destination": {
"address": "test-TEST-00-0000"
},
"log": {
"level": "PrivilegedActivity"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"address": "test-Source-ADDR",
"user": {
"name": "jdoe"
}
}
}
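The field mapping visible in the sample above and in the nested Secret Server and Remote Access records of this section, as an added Python sketch (not Sekoia.io's parser and not Delinea code). It covers only a subset of the output fields, leaves out `event.category`, `event.type` and `event.kind` because they depend on the event type, and assumes `+00:00` timestamps as in the samples; the function names and the abridged sample records are constructed for the illustration.

```python
import json
import re

# Fractional seconds arrive with 2 to 7 digits; the parsed samples always show 6.
TS_PATTERN = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?\+00:00$")


def normalize_timestamp(value):
    """Return a UTC timestamp with microsecond precision and a Z suffix."""
    match = TS_PATTERN.match(value)
    if match is None:  # assumption: only UTC offsets, as in the page's samples
        raise ValueError(f"unexpected timestamp: {value!r}")
    seconds, fraction = match.group(1), match.group(2) or ""
    # Truncate (not round) to 6 digits and pad short fractions with zeros.
    return f"{seconds}.{fraction[:6].ljust(6, '0')}Z"


def put(event, dotted, value):
    """Set a nested field such as 'source.user.name', skipping null and empty values."""
    if value is None or value == "":
        return
    keys = dotted.split(".")
    node = event
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value


def get(raw, *path):
    """Walk nested dicts; return None as soon as a level is missing or null."""
    node = raw
    for key in path:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def normalize(message):
    """Map one raw audit record (JSON string) to the dotted fields shown in the samples."""
    raw = json.loads(message)
    event = {}
    if "Event type" in raw:  # flat Remote Access record
        put(event, "@timestamp", normalize_timestamp(raw["Date"]))
        put(event, "event.action", raw.get("Event type"))
        put(event, "event.reason", raw.get("Action"))
        put(event, "log.level", raw.get("Level"))
        put(event, "source.user.name", raw.get("Initiated by"))
        put(event, "source.address", raw.get("Source"))
        put(event, "destination.address", raw.get("Target"))
        user = raw.get("Initiated by")
    else:  # nested platform record (eventType / actor / source objects)
        put(event, "@timestamp", normalize_timestamp(raw["eventDateTime"]))
        put(event, "event.action", get(raw, "eventType", "name"))
        put(event, "event.dataset", get(raw, "eventType", "level"))
        put(event, "event.provider", get(raw, "service", "type"))
        put(event, "event.reason", raw.get("displayMessage"))
        put(event, "log.level", raw.get("level"))
        put(event, "organization.id", raw.get("tenantId"))
        put(event, "source.ip", get(raw, "source", "host", "network", "ipAddress"))
        put(event, "user.name", get(raw, "actor", "name"))
        put(event, "user.email", get(raw, "actor", "email"))
        put(event, "user.full_name", get(raw, "actor", "displayName"))
        user = get(raw, "actor", "name")
    put(event, "related.user", [user] if user else None)
    return event


# Constructed inputs, abridged from the raw "message" values shown in this section.
FLAT_SAMPLE = json.dumps({
    "Date": "2025-08-18T15:01:42.7166877+00:00",
    "Service": "Remote Access",
    "Level": "PrivilegedActivity",
    "Event type": "Delinea.RAS.Session.Secret.Launched",
    "Action": "Launched by user jdoe@test.test.com",
    "Initiated by": "jdoe",
    "Target": "test-TEST-00-0000",
    "Source": "",
    "Field changes": "",
})
NESTED_SAMPLE = json.dumps({
    "tenantId": "00000000-0000-0000-0000-000000000010",
    "displayMessage": "Secret was viewed by user@example.com.",
    "level": "PrivilegedActivity",
    "eventDateTime": "2025-09-18T13:32:31.883+00:00",
    "service": {"type": "Secret Server"},
    "source": {"host": {"network": {"ipAddress": "10.0.0.1", "domain": None}}},
    "actor": {"displayName": "API User", "email": "user@example.com",
              "name": "user@example.com"},
    "target": {"host": {"network": None}},
    "eventType": {"name": "Delinea.Vault.Secret.Viewed", "level": "PrivilegedActivity"},
})

if __name__ == "__main__":
    for sample in (FLAT_SAMPLE, NESTED_SAMPLE):
        print(json.dumps(normalize(sample), indent=2, sort_keys=True))
```

Empty strings and nulls in the raw record produce no output field, which is why some parsed samples have no `destination` or `source.address`; detection rules should test for field presence rather than compare against an empty string.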
{
"message": "{\n \"Date\": \"2025-08-18T14:56:06.5636088+00:00\",\n \"Service\": \"Remote Access\",\n \"Level\": \"PrivilegedActivity\",\n \"Event type\": \"Delinea.RAS.Site.Queried\",\n \"Action\": \"Sites retrieved by user jdoe@test.test.com.\",\n \"Initiated by\": \"jdoe\",\n \"Target\": \"\",\n \"Source\": \"\",\n \"Field changes\": \"\"\n }",
"event": {
"action": "Delinea.RAS.Site.Queried",
"category": [
"network"
],
"reason": "Sites retrieved by user jdoe@test.test.com.",
"type": [
"info"
]
},
"@timestamp": "2025-08-18T14:56:06.563608Z",
"log": {
"level": "PrivilegedActivity"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\n \"Date\": \"2025-08-18T14:48:49.3009467+00:00\",\n \"Service\": \"Remote Access\",\n \"Level\": \"PrivilegedActivity\",\n \"Event type\": \"Delinea.RAS.Session.ClosedByTimeout\",\n \"Action\": \"Session closed by system after timing out.\",\n \"Initiated by\": \"Delinea System\",\n \"Target\": \"test-TEST-00-0000\",\n \"Source\": \"\",\n \"Field changes\": \"\"\n }",
"event": {
"action": "Delinea.RAS.Session.ClosedByTimeout",
"category": [
"network"
],
"reason": "Session closed by system after timing out.",
"type": [
"info"
]
},
"@timestamp": "2025-08-18T14:48:49.300946Z",
"destination": {
"address": "test-TEST-00-0000"
},
"log": {
"level": "PrivilegedActivity"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"Delinea System"
]
},
"source": {
"user": {
"name": "Delinea System"
}
}
}
{
"message": "{\n \"Date\": \"2025-08-18T14:41:30.7449045+00:00\",\n \"Service\": \"Remote Access\",\n \"Level\": \"PrivilegedActivity\",\n \"Event type\": \"Delinea.RAS.Session.Clipboard.SentToTarget\",\n \"Action\": \"Clipboard data is sent to target by user jdoe@test.test.com.\",\n \"Initiated by\": \"jdoe\",\n \"Target\": \"test-TEST-00-0000\",\n \"Source\": \"\",\n \"Field changes\": \"\"\n }",
"event": {
"action": "Delinea.RAS.Session.Clipboard.SentToTarget",
"category": [
"network"
],
"reason": "Clipboard data is sent to target by user jdoe@test.test.com.",
"type": [
"info"
]
},
"@timestamp": "2025-08-18T14:41:30.744904Z",
"destination": {
"address": "test-TEST-00-0000"
},
"log": {
"level": "PrivilegedActivity"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\n \"Date\": \"2025-08-18T14:40:59.1695664+00:00\",\n \"Service\": \"Remote Access\",\n \"Level\": \"PrivilegedActivity\",\n \"Event type\": \"Delinea.RAS.Session.Secret.Launched\",\n \"Action\": \"Launched by user jdoe@test.test.com from secret test-TEST-00-0000 (test-TEST-00-0000) as testUser to test-TEST-00-0000:22 at Delinea_Integration_test_LKA using ssh.\",\n \"Initiated by\": \"jdoe\",\n \"Target\": \"test-TEST-00-0000\",\n \"Source\": \"\",\n \"Field changes\": \"\"\n }",
"event": {
"action": "Delinea.RAS.Session.Secret.Launched",
"category": [
"network"
],
"reason": "Launched by user jdoe@test.test.com from secret test-TEST-00-0000 (test-TEST-00-0000) as testUser to test-TEST-00-0000:22 at Delinea_Integration_test_LKA using ssh.",
"type": [
"info"
]
},
"@timestamp": "2025-08-18T14:40:59.169566Z",
"destination": {
"address": "test-TEST-00-0000"
},
"log": {
"level": "PrivilegedActivity"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\"eventMessageId\":\"00000000-0000-0000-0000-000000000001\",\"tenantId\":\"00000000-0000-0000-0000-000000000002\",\"notes\":\"{\\\"machineName\\\":\\\"anon-worker-12345\\\",\\\"machineTimeZone\\\":\\\"Coordinated Universal Time\\\",\\\"product\\\":\\\"Secret Server\\\",\\\"schemaVersion\\\":\\\"https://schema.delinea.app/secretserver/schema.v1.json\\\",\\\"itemName\\\":\\\"item_anon\\\",\\\"itemNameForDisplay\\\":\\\"item_anon\\\",\\\"byUser\\\":\\\"user@example.com\\\",\\\"byUserDisplayName\\\":\\\"API User\\\",\\\"delegatedUserName\\\":\\\"delegated_user\\\",\\\"delegatedUserDisplayName\\\":\\\"Delegated User\\\",\\\"byUserEmailAddress\\\":\\\"byuser@example.com\\\",\\\"delegatedUserPlatformId\\\":\\\"delegated-platform-1\\\",\\\"eventAction\\\":\\\"LAUNCH\\\",\\\"eventEntityType\\\":\\\"SECRET\\\",\\\"containerName\\\":\\\"anon_container\\\",\\\"byUserPlatformId\\\":\\\"platform-123\\\",\\\"eventLevel\\\":2,\\\"itemPlatformId\\\":\\\"item-platform-1\\\",\\\"targetUserId\\\":\\\"target-user-1\\\",\\\"targetUserName\\\":\\\"target_user\\\",\\\"targetUserDisplayName\\\":\\\"Target User\\\",\\\"targetUserPlatformId\\\":\\\"target-platform-1\\\",\\\"eventQueueId\\\":9999,\\\"eventEntityTypeId\\\":10001,\\\"eventActionId\\\":10006,\\\"userId\\\":0,\\\"delegatedUserId\\\":\\\"delegated-id-1\\\",\\\"itemId\\\":123,\\\"containerId\\\":111,\\\"eventTime\\\":\\\"0001-01-01T00:00:00\\\",\\\"eventDetails\\\":\\\"Remote Desktop Host: [anon_host] Username: [anon_user] Account Name: anon_account Target Server: anon_host \\\",\\\"ipAddress\\\":\\\"10.0.0.1\\\",\\\"eventDataObject\\\":\\\"dummy_event_data\\\",\\\"additionalData\\\":\\\"dummy_additional_data\\\",\\\"additionalDataDictionary\\\":{\\\"key\\\":\\\"value\\\"},\\\"fieldChangesCollection\\\":\\\"dummy_field_changes\\\"}\",\"fieldChanges\":\"dummy_field_changes\",\"displayMessage\":\"A secret was launched by 
user@example.com.\",\"level\":\"PrivilegedActivity\",\"eventDateTime\":\"2025-09-18T13:34:17.603+00:00\",\"tags\":[\"tag1\",\"tag2\"],\"analyticData\":\"dummy_analytic_data\",\"sessionId\":\"dummy_session_id\",\"isSystem\":false,\"service\":{\"type\":\"Secret Server\",\"version\":\"11.7.000055\",\"identifier\":\"00000000-0000-0000-0000-000000000003\"},\"source\":{\"host\":{\"machineName\":\"anon-machine\",\"network\":{\"id\":\"network-id-1\",\"name\":\"anon-network\",\"address\":\"192.168.0.10\",\"addressType\":\"ipaddress\",\"domain\":\"anon.local\",\"ipAddress\":\"10.0.0.1\",\"socket\":\"socket-1\",\"macAddress\":\"00:11:22:33:44:55\",\"port\":443,\"lon\":12.34,\"lat\":56.78,\"geo\":{\"cityName\":\"Anon City\",\"countryIsoCode\":\"AN\",\"timeZone\":\"UTC\"},\"carrier\":\"AnonCarrier\"},\"client\":\"anon-client\"},\"displayName\":\"anon-source\",\"id\":\"source-id-1\",\"platformId\":\"platform-source-1\",\"internalId\":\"internal-source-1\",\"idType\":\"source-type\",\"type\":\"source\",\"name\":\"source-name\",\"additionalAttributes\":{\"attr\":\"dummy\"}},\"actor\":{\"displayName\":\"API User\",\"email\":\"user@example.com\",\"delegatedUserId\":\"delegated-user-id\",\"delegatedUserPlatformId\":\"delegated-platform-id\",\"delegatedUserName\":\"delegated_user\",\"id\":\"00000000-0000-0000-0000-000000000004\",\"platformId\":\"00000000-0000-0000-0000-000000000004\",\"internalId\":\"5\",\"idType\":\"platformid\",\"type\":\"user\",\"name\":\"user@example.com\",\"additionalAttributes\":{\"role\":\"admin\"}},\"target\":{\"host\":{\"machineName\":\"target-machine\",\"network\":{\"id\":\"network-id-2\",\"name\":\"target-network\",\"address\":\"192.168.0.20\",\"addressType\":\"ipaddress\",\"domain\":\"target.local\",\"ipAddress\":\"10.0.0.2\",\"socket\":\"socket-2\",\"macAddress\":\"66:77:88:99:AA:BB\",\"port\":3389,\"lon\":98.76,\"lat\":54.32,\"geo\":{\"cityName\":\"Target 
City\",\"countryIsoCode\":\"TC\",\"timeZone\":\"UTC+1\"},\"carrier\":\"TargetCarrier\"},\"client\":\"target-client\"},\"displayName\":\"5\",\"containerId\":\"target-container-1\",\"containerName\":\"target-container\",\"containerType\":\"SECRET\",\"id\":\"5\",\"platformId\":\"target-platform-1\",\"internalId\":\"target-internal-1\",\"idType\":\"target-type\",\"type\":\"SECRET\",\"name\":\"5\",\"additionalAttributes\":{\"info\":\"dummy_target_info\"}},\"eventType\":{\"name\":\"Delinea.Vault.Secret.RemoteSession.Launched\",\"internalName\":\"10006\",\"account\":\"dummy_account\",\"verb\":\"dummy_verb\",\"targetType\":\"dummy_target_type\",\"level\":\"SecurityAudit\",\"additionalAttributes\":{\"extra\":\"dummy_event_attr\"}},\"processedTime\":\"2025-09-18T13:34:57.157974+00:00\",\"additionalAttributes\":{\"eventmessageguid\":[\"00000000-0000-0000-0000-000000000005\"],\"customAttr\":\"dummy_attr\"}}",
"event": {
"action": "Delinea.Vault.Secret.RemoteSession.Launched",
"category": [
"process"
],
"dataset": "SecurityAudit",
"kind": "alert",
"provider": "Secret Server",
"reason": "A secret was launched by user@example.com.",
"type": [
"start"
]
},
"@timestamp": "2025-09-18T13:34:17.603000Z",
"destination": {
"address": "target-container",
"domain": "target-container",
"port": 3389
},
"host": {
"hostname": "anon-machine",
"ip": "10.0.0.1",
"name": "source-name"
},
"log": {
"level": "PrivilegedActivity"
},
"network": {
"transport": "ipaddress"
},
"observer": {
"product": "Delinea PRA",
"serial_number": "00000000-0000-0000-0000-000000000003",
"type": "Secret Server",
"vendor": "Delinea",
"version": "11.7.000055"
},
"organization": {
"id": "00000000-0000-0000-0000-000000000002"
},
"related": {
"hosts": [
"anon-machine",
"anon.local",
"target-container"
],
"ip": [
"10.0.0.1"
],
"user": [
"user@example.com"
]
},
"source": {
"address": "anon.local",
"domain": "anon.local",
"geo": {
"city_name": "Anon City",
"country_iso_code": "AN",
"timezone": "UTC"
},
"ip": "10.0.0.1",
"mac": "00:11:22:33:44:55",
"port": 443,
"subdomain": "anon"
},
"user": {
"email": "user@example.com",
"full_name": "API User",
"name": "user@example.com"
}
}
{
"message": "{\n \"eventMessageId\": \"00000000-0000-0000-0000-000000000001\",\n \"tenantId\": \"00000000-0000-0000-0000-000000000010\",\n \"notes\": \"{\\\"machineName\\\":\\\"anon-worker-1\\\",\\\"machineTimeZone\\\":\\\"Coordinated Universal Time\\\",\\\"product\\\":\\\"Secret Server\\\",\\\"schemaVersion\\\":\\\"https://schema.delinea.app/secretserver/schema.v1.json\\\",\\\"itemName\\\":\\\"item_anon\\\",\\\"itemNameForDisplay\\\":\\\"item_anon\\\",\\\"byUser\\\":\\\"user@example.com\\\",\\\"byUserDisplayName\\\":\\\"API User\\\",\\\"delegatedUserName\\\":null,\\\"delegatedUserDisplayName\\\":null,\\\"byUserEmailAddress\\\":null,\\\"delegatedUserPlatformId\\\":null,\\\"eventAction\\\":\\\"LAUNCH\\\",\\\"eventEntityType\\\":\\\"SECRET\\\",\\\"containerName\\\":null,\\\"byUserPlatformId\\\":null,\\\"eventLevel\\\":2,\\\"itemPlatformId\\\":null,\\\"targetUserId\\\":null,\\\"targetUserName\\\":null,\\\"targetUserDisplayName\\\":null,\\\"targetUserPlatformId\\\":null,\\\"eventQueueId\\\":1008,\\\"eventEntityTypeId\\\":10001,\\\"eventActionId\\\":10006,\\\"userId\\\":0,\\\"delegatedUserId\\\":null,\\\"itemId\\\":4,\\\"containerId\\\":0,\\\"eventTime\\\":\\\"0001-01-01T00:00:00\\\",\\\"eventDetails\\\":\\\"PuTTY Host: [anon-host] Username: [anon_user] Account Name: anon_account Target Server: anon-host\\\",\\\"ipAddress\\\":\\\"10.0.0.1\\\",\\\"eventDataObject\\\":null,\\\"additionalData\\\":null,\\\"additionalDataDictionary\\\":{},\\\"fieldChangesCollection\\\":null}\",\n \"fieldChanges\": null,\n \"displayMessage\": \"A secret was launched by user@example.com.\",\n \"level\": \"PrivilegedActivity\",\n \"eventDateTime\": \"2025-09-18T13:32:42.21+00:00\",\n \"tags\": null,\n \"analyticData\": null,\n \"sessionId\": null,\n \"isSystem\": false,\n \"service\": {\n \"type\": \"Secret Server\",\n \"version\": \"11.7.000055\",\n \"identifier\": \"00000000-0000-0000-0000-000000000020\"\n },\n \"source\": {\n \"host\": {\n \"machineName\": null,\n \"network\": {\n \"id\": 
null,\n \"name\": null,\n \"address\": null,\n \"addressType\": \"ipaddress\",\n \"domain\": null,\n \"ipAddress\": \"10.0.0.1\",\n \"socket\": null,\n \"macAddress\": null,\n \"port\": null,\n \"lon\": null,\n \"lat\": null,\n \"geo\": {\n \"cityName\": null,\n \"countryIsoCode\": null,\n \"timeZone\": null\n },\n \"carrier\": null\n },\n \"client\": null\n },\n \"displayName\": null,\n \"id\": null,\n \"platformId\": null,\n \"internalId\": null,\n \"idType\": null,\n \"type\": null,\n \"name\": null,\n \"additionalAttributes\": null\n },\n \"actor\": {\n \"displayName\": \"API User\",\n \"email\": \"user@example.com\",\n \"delegatedUserId\": null,\n \"delegatedUserPlatformId\": null,\n \"delegatedUserName\": null,\n \"id\": \"00000000-0000-0000-0000-000000000030\",\n \"platformId\": \"00000000-0000-0000-0000-000000000030\",\n \"internalId\": \"5\",\n \"idType\": \"platformid\",\n \"type\": \"user\",\n \"name\": \"user@example.com\",\n \"additionalAttributes\": null\n },\n \"target\": {\n \"host\": {\n \"machineName\": null,\n \"network\": null,\n \"client\": null\n },\n \"displayName\": \"4\",\n \"containerId\": null,\n \"containerName\": null,\n \"containerType\": null,\n \"id\": \"4\",\n \"platformId\": null,\n \"internalId\": null,\n \"idType\": null,\n \"type\": \"SECRET\",\n \"name\": \"4\",\n \"additionalAttributes\": null\n },\n \"eventType\": {\n \"name\": \"Delinea.Vault.Secret.RemoteSession.Launched\",\n \"internalName\": \"10006\",\n \"account\": null,\n \"verb\": null,\n \"targetType\": null,\n \"level\": \"SecurityAudit\",\n \"additionalAttributes\": null\n },\n \"processedTime\": \"2025-09-18T13:32:52.1991369+00:00\",\n \"additionalAttributes\": {\n \"eventmessageguid\": [\"00000000-0000-0000-0000-000000000040\"]\n }\n}",
"event": {
"action": "Delinea.Vault.Secret.RemoteSession.Launched",
"category": [
"process"
],
"dataset": "SecurityAudit",
"kind": "alert",
"provider": "Secret Server",
"reason": "A secret was launched by user@example.com.",
"type": [
"start"
]
},
"@timestamp": "2025-09-18T13:32:42.210000Z",
"host": {
"ip": "10.0.0.1"
},
"log": {
"level": "PrivilegedActivity"
},
"network": {
"transport": "ipaddress"
},
"observer": {
"product": "Delinea PRA",
"serial_number": "00000000-0000-0000-0000-000000000020",
"type": "Secret Server",
"vendor": "Delinea",
"version": "11.7.000055"
},
"organization": {
"id": "00000000-0000-0000-0000-000000000010"
},
"related": {
"ip": [
"10.0.0.1"
],
"user": [
"user@example.com"
]
},
"source": {
"address": "10.0.0.1",
"ip": "10.0.0.1"
},
"user": {
"email": "user@example.com",
"full_name": "API User",
"name": "user@example.com"
}
}
{
"message": "{\n \"eventMessageId\": \"00000000-0000-0000-0000-000000000002\",\n \"tenantId\": \"00000000-0000-0000-0000-000000000010\",\n \"notes\": \"{\\\"machineName\\\":\\\"anon-worker-1\\\",\\\"machineTimeZone\\\":\\\"Coordinated Universal Time\\\",\\\"product\\\":\\\"Secret Server\\\",\\\"schemaVersion\\\":\\\"https://schema.delinea.app/secretserver/schema.v1.json\\\",\\\"itemName\\\":\\\"item_anon\\\",\\\"itemNameForDisplay\\\":\\\"item_anon\\\",\\\"byUser\\\":\\\"user@example.com\\\",\\\"byUserDisplayName\\\":\\\"API User\\\",\\\"delegatedUserName\\\":null,\\\"delegatedUserDisplayName\\\":null,\\\"byUserEmailAddress\\\":null,\\\"delegatedUserPlatformId\\\":null,\\\"eventAction\\\":\\\"VIEW\\\",\\\"eventEntityType\\\":\\\"SECRET\\\",\\\"containerName\\\":null,\\\"byUserPlatformId\\\":null,\\\"eventLevel\\\":2,\\\"itemPlatformId\\\":null,\\\"targetUserId\\\":null,\\\"targetUserName\\\":null,\\\"targetUserDisplayName\\\":null,\\\"targetUserPlatformId\\\":null,\\\"eventQueueId\\\":1007,\\\"eventEntityTypeId\\\":10001,\\\"eventActionId\\\":10004,\\\"userId\\\":0,\\\"delegatedUserId\\\":null,\\\"itemId\\\":4,\\\"containerId\\\":0,\\\"eventTime\\\":\\\"0001-01-01T00:00:00\\\",\\\"eventDetails\\\":\\\"Account Name: anon_account Target Server: anon-host\\\",\\\"ipAddress\\\":\\\"10.0.0.1\\\",\\\"eventDataObject\\\":null,\\\"additionalData\\\":null,\\\"additionalDataDictionary\\\":{},\\\"fieldChangesCollection\\\":null}\",\n \"fieldChanges\": null,\n \"displayMessage\": \"Secret was viewed by user@example.com.\",\n \"level\": \"PrivilegedActivity\",\n \"eventDateTime\": \"2025-09-18T13:32:31.883+00:00\",\n \"tags\": null,\n \"analyticData\": null,\n \"sessionId\": null,\n \"isSystem\": false,\n \"service\": {\n \"type\": \"Secret Server\",\n \"version\": \"11.7.000055\",\n \"identifier\": \"00000000-0000-0000-0000-000000000020\"\n },\n \"source\": {\n \"host\": {\n \"machineName\": null,\n \"network\": {\n \"id\": null,\n \"name\": null,\n \"address\": null,\n 
\"addressType\": \"ipaddress\",\n \"domain\": null,\n \"ipAddress\": \"10.0.0.1\",\n \"socket\": null,\n \"macAddress\": null,\n \"port\": null,\n \"lon\": null,\n \"lat\": null,\n \"geo\": {\n \"cityName\": null,\n \"countryIsoCode\": null,\n \"timeZone\": null\n },\n \"carrier\": null\n },\n \"client\": null\n },\n \"displayName\": null,\n \"id\": null,\n \"platformId\": null,\n \"internalId\": null,\n \"idType\": null,\n \"type\": null,\n \"name\": null,\n \"additionalAttributes\": null\n },\n \"actor\": {\n \"displayName\": \"API User\",\n \"email\": \"user@example.com\",\n \"delegatedUserId\": null,\n \"delegatedUserPlatformId\": null,\n \"delegatedUserName\": null,\n \"id\": \"00000000-0000-0000-0000-000000000030\",\n \"platformId\": \"00000000-0000-0000-0000-000000000030\",\n \"internalId\": \"5\",\n \"idType\": \"platformid\",\n \"type\": \"user\",\n \"name\": \"user@example.com\",\n \"additionalAttributes\": null\n },\n \"target\": {\n \"host\": {\n \"machineName\": null,\n \"network\": null,\n \"client\": null\n },\n \"displayName\": \"4\",\n \"containerId\": null,\n \"containerName\": null,\n \"containerType\": null,\n \"id\": \"4\",\n \"platformId\": null,\n \"internalId\": null,\n \"idType\": null,\n \"type\": \"SECRET\",\n \"name\": \"4\",\n \"additionalAttributes\": null\n },\n \"eventType\": {\n \"name\": \"Delinea.Vault.Secret.Viewed\",\n \"internalName\": \"10004\",\n \"account\": null,\n \"verb\": null,\n \"targetType\": null,\n \"level\": \"PrivilegedActivity\",\n \"additionalAttributes\": null\n },\n \"processedTime\": \"2025-09-18T13:32:52.1211584+00:00\",\n \"additionalAttributes\": {\n \"eventmessageguid\": [\"00000000-0000-0000-0000-000000000041\"]\n }\n}",
"event": {
"action": "Delinea.Vault.Secret.Viewed",
"category": [
"configuration"
],
"dataset": "PrivilegedActivity",
"provider": "Secret Server",
"reason": "Secret was viewed by user@example.com.",
"type": [
"access"
]
},
"@timestamp": "2025-09-18T13:32:31.883000Z",
"host": {
"ip": "10.0.0.1"
},
"log": {
"level": "PrivilegedActivity"
},
"network": {
"transport": "ipaddress"
},
"observer": {
"product": "Delinea PRA",
"serial_number": "00000000-0000-0000-0000-000000000020",
"type": "Secret Server",
"vendor": "Delinea",
"version": "11.7.000055"
},
"organization": {
"id": "00000000-0000-0000-0000-000000000010"
},
"related": {
"ip": [
"10.0.0.1"
],
"user": [
"user@example.com"
]
},
"source": {
"address": "10.0.0.1",
"ip": "10.0.0.1"
},
"user": {
"email": "user@example.com",
"full_name": "API User",
"name": "user@example.com"
}
}
{
"message": "{\n \"eventMessageId\": \"00000000-0000-0000-0000-000000000003\",\n \"tenantId\": \"00000000-0000-0000-0000-000000000010\",\n \"notes\": null,\n \"fieldChanges\": null,\n \"displayMessage\": \"Session closed by system after timing out.\",\n \"level\": \"PrivilegedActivity\",\n \"eventDateTime\": \"2025-09-18T13:26:19.6589051+00:00\",\n \"tags\": null,\n \"analyticData\": null,\n \"sessionId\": null,\n \"isSystem\": true,\n \"service\": {\n \"type\": \"Remote Access\",\n \"version\": null,\n \"identifier\": null\n },\n \"source\": {\n \"host\": {\n \"machineName\": null,\n \"network\": {\n \"id\": null,\n \"name\": null,\n \"address\": null,\n \"addressType\": null,\n \"domain\": null,\n \"ipAddress\": \"10.0.0.1\",\n \"socket\": null,\n \"macAddress\": null,\n \"port\": null,\n \"lon\": null,\n \"lat\": null,\n \"geo\": {\n \"cityName\": null,\n \"countryIsoCode\": null,\n \"timeZone\": null\n },\n \"carrier\": null\n },\n \"client\": {\n \"type\": \"http\",\n \"operatingSystem\": null,\n \"mobileApp\": null,\n \"userAgent\": \"Mozilla/5.0 (AnonOS)\"\n }\n },\n \"displayName\": \"10.0.0.1\",\n \"id\": null,\n \"platformId\": null,\n \"internalId\": null,\n \"idType\": null,\n \"type\": \"http-client\",\n \"name\": null,\n \"additionalAttributes\": null\n },\n \"actor\": {\n \"displayName\": \"System User\",\n \"email\": null,\n \"delegatedUserId\": null,\n \"delegatedUserPlatformId\": null,\n \"delegatedUserName\": null,\n \"id\": \"00000000-0000-0000-0000-000000000050\",\n \"platformId\": \"00000000-0000-0000-0000-000000000050\",\n \"internalId\": null,\n \"idType\": \"platformid\",\n \"type\": \"system\",\n \"name\": \"systemuser\",\n \"additionalAttributes\": null\n },\n \"target\": {\n \"host\": {\n \"machineName\": \"anon-host\",\n \"network\": {\n \"id\": null,\n \"name\": null,\n \"address\": null,\n \"addressType\": null,\n \"domain\": null,\n \"ipAddress\": null,\n \"socket\": null,\n \"macAddress\": null,\n \"port\": \"22\",\n \"lon\": null,\n 
\"lat\": null,\n \"geo\": {\n \"cityName\": null,\n \"countryIsoCode\": null,\n \"timeZone\": null\n },\n \"carrier\": null\n },\n \"client\": null\n },\n \"displayName\": \"anon-host\",\n \"containerId\": null,\n \"containerName\": null,\n \"containerType\": null,\n \"id\": \"anon-host\",\n \"platformId\": null,\n \"internalId\": null,\n \"idType\": \"hostname\",\n \"type\": \"machine\",\n \"name\": \"anon-host\",\n \"additionalAttributes\": {\n \"protocol\": [\"ssh\"],\n \"secret_id\": [\"4\"],\n \"secret_name\": [\"item_anon\"],\n \"site_id\": [\"00000000-0000-0000-0000-000000000060\"],\n \"site_name\": [\"Anon_Site\"],\n \"user_name\": [\"user@example.com\"]\n }\n },\n \"eventType\": {\n \"name\": \"Delinea.RAS.Session.ClosedByTimeout\",\n \"internalName\": \"\",\n \"account\": null,\n \"verb\": null,\n \"targetType\": null,\n \"level\": \"PrivilegedActivity\",\n \"additionalAttributes\": null\n },\n \"processedTime\": \"2025-09-18T13:26:19.9443601+00:00\",\n \"additionalAttributes\": {\n \"tunnelId\": [\"00000000-0000-0000-0000-000000000061\"]\n }\n}",
"event": {
"action": "Delinea.RAS.Session.ClosedByTimeout",
"category": [
"authentication"
],
"dataset": "PrivilegedActivity",
"provider": "Remote Access",
"reason": "Session closed by system after timing out.",
"type": [
"end"
]
},
"@timestamp": "2025-09-18T13:26:19.658905Z",
"destination": {
"port": 22
},
"host": {
"ip": "10.0.0.1"
},
"log": {
"level": "PrivilegedActivity"
},
"observer": {
"product": "Delinea PRA",
"type": "Remote Access",
"vendor": "Delinea"
},
"organization": {
"id": "00000000-0000-0000-0000-000000000010"
},
"related": {
"ip": [
"10.0.0.1"
],
"user": [
"systemuser"
]
},
"source": {
"address": "10.0.0.1",
"ip": "10.0.0.1"
},
"user": {
"full_name": "System User",
"name": "systemuser"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "Mozilla/5.0 (AnonOS)",
"os": {
"name": "Other"
}
}
}
{
"message": "{\n \"eventMessageId\": \"00000000-0000-0000-0000-000000000004\",\n \"tenantId\": \"00000000-0000-0000-0000-000000000010\",\n \"notes\": \"{\\\"machineName\\\":\\\"anon-worker-2\\\",\\\"machineTimeZone\\\":\\\"Coordinated Universal Time\\\",\\\"product\\\":\\\"Secret Server\\\",\\\"schemaVersion\\\":\\\"https://schema.delinea.app/secretserver/schema.v1.json\\\",\\\"itemName\\\":\\\"item_anon\\\",\\\"itemNameForDisplay\\\":\\\"item_anon\\\",\\\"byUser\\\":\\\"user@example.com\\\",\\\"byUserDisplayName\\\":\\\"API User\\\",\\\"delegatedUserName\\\":null,\\\"delegatedUserDisplayName\\\":null,\\\"byUserEmailAddress\\\":null,\\\"delegatedUserPlatformId\\\":null,\\\"eventAction\\\":\\\"LAUNCH\\\",\\\"eventEntityType\\\":\\\"SECRET\\\",\\\"containerName\\\":null,\\\"byUserPlatformId\\\":null,\\\"eventLevel\\\":2,\\\"itemPlatformId\\\":null,\\\"targetUserId\\\":null,\\\"targetUserName\\\":null,\\\"targetUserDisplayName\\\":null,\\\"targetUserPlatformId\\\":null,\\\"eventQueueId\\\":1006,\\\"eventEntityTypeId\\\":10001,\\\"eventActionId\\\":10006,\\\"userId\\\":0,\\\"delegatedUserId\\\":null,\\\"itemId\\\":4,\\\"containerId\\\":0,\\\"eventTime\\\":\\\"0001-01-01T00:00:00\\\",\\\"eventDetails\\\":\\\"PuTTY Host: [anon-host] Username: [anon_user] Account Name: anon_account Target Server: anon-host\\\",\\\"ipAddress\\\":\\\"10.0.0.2\\\",\\\"eventDataObject\\\":null,\\\"additionalData\\\":null,\\\"additionalDataDictionary\\\":{},\\\"fieldChangesCollection\\\":null}\",\n \"fieldChanges\": null,\n \"displayMessage\": \"A secret was launched by user@example.com.\",\n \"level\": \"PrivilegedActivity\",\n \"eventDateTime\": \"2025-09-18T13:25:29.643+00:00\",\n \"tags\": null,\n \"analyticData\": null,\n \"sessionId\": null,\n \"isSystem\": false,\n \"service\": {\n \"type\": \"Secret Server\",\n \"version\": \"11.7.000055\",\n \"identifier\": \"00000000-0000-0000-0000-000000000020\"\n },\n \"source\": {\n \"host\": {\n \"machineName\": null,\n \"network\": {\n \"id\": 
null,\n \"name\": null,\n \"address\": null,\n \"addressType\": \"ipaddress\",\n \"domain\": null,\n \"ipAddress\": \"10.0.0.2\",\n \"socket\": null,\n \"macAddress\": null,\n \"port\": null,\n \"lon\": null,\n \"lat\": null,\n \"geo\": {\n \"cityName\": null,\n \"countryIsoCode\": null,\n \"timeZone\": null\n },\n \"carrier\": null\n },\n \"client\": null\n },\n \"displayName\": null,\n \"id\": null,\n \"platformId\": null,\n \"internalId\": null,\n \"idType\": null,\n \"type\": null,\n \"name\": null,\n \"additionalAttributes\": null\n },\n \"actor\": {\n \"displayName\": \"API User\",\n \"email\": \"user@example.com\",\n \"delegatedUserId\": null,\n \"delegatedUserPlatformId\": null,\n \"delegatedUserName\": null,\n \"id\": \"00000000-0000-0000-0000-000000000030\",\n \"platformId\": \"00000000-0000-0000-0000-000000000030\",\n \"internalId\": \"5\",\n \"idType\": \"platformid\",\n \"type\": \"user\",\n \"name\": \"user@example.com\",\n \"additionalAttributes\": null\n },\n \"target\": {\n \"host\": {\n \"machineName\": null,\n \"network\": null,\n \"client\": null\n },\n \"displayName\": \"4\",\n \"containerId\": null,\n \"containerName\": null,\n \"containerType\": null,\n \"id\": \"4\",\n \"platformId\": null,\n \"internalId\": null,\n \"idType\": null,\n \"type\": \"SECRET\",\n \"name\": \"4\",\n \"additionalAttributes\": null\n },\n \"eventType\": {\n \"name\": \"Delinea.Vault.Secret.RemoteSession.Launched\",\n \"internalName\": \"10006\",\n \"account\": null,\n \"verb\": null,\n \"targetType\": null,\n \"level\": \"SecurityAudit\",\n \"additionalAttributes\": null\n },\n \"processedTime\": \"2025-09-18T13:25:53.7481291+00:00\",\n \"additionalAttributes\": {\n \"eventmessageguid\": [\"00000000-0000-0000-0000-000000000070\"]\n }\n}",
"event": {
"action": "Delinea.Vault.Secret.RemoteSession.Launched",
"category": [
"process"
],
"dataset": "SecurityAudit",
"kind": "alert",
"provider": "Secret Server",
"reason": "A secret was launched by user@example.com.",
"type": [
"start"
]
},
"@timestamp": "2025-09-18T13:25:29.643000Z",
"host": {
"ip": "10.0.0.2"
},
"log": {
"level": "PrivilegedActivity"
},
"network": {
"transport": "ipaddress"
},
"observer": {
"product": "Delinea PRA",
"serial_number": "00000000-0000-0000-0000-000000000020",
"type": "Secret Server",
"vendor": "Delinea",
"version": "11.7.000055"
},
"organization": {
"id": "00000000-0000-0000-0000-000000000010"
},
"related": {
"ip": [
"10.0.0.2"
],
"user": [
"user@example.com"
]
},
"source": {
"address": "10.0.0.2",
"ip": "10.0.0.2"
},
"user": {
"email": "user@example.com",
"full_name": "API User",
"name": "user@example.com"
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:03.556085721+02:00\",\"level\":\"INFO\",\"msg\":\"client jdoe initialized\",\"who\":\"jdoe\",\"engine_id\":\"testEngineId\",\"clientmgr_version\":\"v1.0.64\",\"workload_version\":\"1.0.33-1753078549\",\"host_os\":\"linux\",\"host_id\":\"testHostId\",\"site_id\":\"testSiteId\"}",
"event": {
"category": [
"network"
],
"reason": "client jdoe initialized",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:03.556085Z",
"delinea": {
"pra": {
"engine": {
"id": "testEngineId"
},
"site": {
"id": "testSiteId"
}
}
},
"host": {
"id": "testHostId",
"os": {
"type": "linux"
}
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:08.76174172+02:00\",\"level\":\"INFO\",\"msg\":\"connectivity check: done\",\"who\":\"jdoe\",\"engine_id\":\"a2e2fb3f-2e39-4bdb-9c7b-123123213123213\",\"tenant_url\":\"https://test.example.org/\"}",
"event": {
"category": [
"network"
],
"reason": "connectivity check: done",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:08.761741Z",
"delinea": {
"pra": {
"engine": {
"id": "a2e2fb3f-2e39-4bdb-9c7b-123123213123213"
}
}
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
},
"url": {
"domain": "test.example.org",
"original": "https://test.example.org/",
"path": "/",
"port": 443,
"registered_domain": "example.org",
"scheme": "https",
"subdomain": "test",
"top_level_domain": "org"
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:22.279201135+02:00\",\"level\":\"INFO\",\"msg\":\"connectivity check: TLS handshake done\",\"who\":\"jdoe\",\"engine_id\":\"a2e2fb3f-2e39-4bdb-9c7b-123123123\",\"tls_version\":\"TLS 1.3\",\"error\":null}",
"event": {
"category": [
"network"
],
"reason": "connectivity check: TLS handshake done",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:22.279201Z",
"delinea": {
"pra": {
"engine": {
"id": "a2e2fb3f-2e39-4bdb-9c7b-123123123"
}
}
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
},
"tls": {
"version": "1.3"
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:22.279201135+02:00\",\"level\":\"INFO\",\"msg\":\"connectivity check: TLS handshake done\",\"who\":\"jdoe\",\"engine_id\":\"a2e2fb3f-2e39-4bdb-9c7b-123123123\",\"tls_version\":\"TLS 1.3\",\"error\":\"Test Error\"}",
"event": {
"category": [
"network"
],
"reason": "connectivity check: TLS handshake done",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:22.279201Z",
"delinea": {
"pra": {
"engine": {
"id": "a2e2fb3f-2e39-4bdb-9c7b-123123123"
}
}
},
"error": {
"message": "Test Error"
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
},
"tls": {
"version": "1.3"
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:24.418188294+02:00\",\"level\":\"INFO\",\"msg\":\"clientmgr start\",\"version\":\"v1.0.64\",\"build\":\"20250717113850\"}",
"event": {
"category": [
"network"
],
"reason": "clientmgr start",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:24.418188Z",
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:00.403454991+02:00\",\"level\":\"INFO\",\"msg\":\"connectivity check: DNS start\",\"who\":\"jdoe\",\"engine_id\":\"123123123-2e39-4bdb-9c7b-123123123\",\"host\":\"test.example.org\"}",
"event": {
"category": [
"network"
],
"reason": "connectivity check: DNS start",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:00.403454Z",
"delinea": {
"pra": {
"engine": {
"id": "123123123-2e39-4bdb-9c7b-123123123"
}
}
},
"host": {
"name": "test.example.org"
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:00.403362678+02:00\",\"level\":\"INFO\",\"msg\":\"connectivity check: get connection\",\"who\":\"jdoe\",\"engine_id\":\"123123123-2e39-4bdb-9c7b-123123123\",\"host_port\":\"test.example.org:443\"}",
"event": {
"category": [
"network"
],
"reason": "connectivity check: get connection",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:00.403362Z",
"delinea": {
"pra": {
"engine": {
"id": "123123123-2e39-4bdb-9c7b-123123123"
}
}
},
"host": {
"name": "test.example.org"
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:00.427869116+02:00\",\"level\":\"INFO\",\"msg\":\"connectivity check: connect start\",\"who\":\"jdoe\",\"engine_id\":\"123123123-2e39-4bdb-9c7b-123123123\",\"network\":\"tcp\",\"addr\":\"1.2.3.4:443\"}",
"event": {
"category": [
"network"
],
"reason": "connectivity check: connect start",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:00.427869Z",
"delinea": {
"pra": {
"engine": {
"id": "123123123-2e39-4bdb-9c7b-123123123"
}
}
},
"log": {
"level": "INFO"
},
"network": {
"transport": "tcp"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"jdoe"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 443,
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:00.427766647+02:00\",\"level\":\"INFO\",\"msg\":\"connectivity check: DNS done\",\"who\":\"jdoe\",\"engine_id\":\"123123123-2e39-4bdb-9c7b-123123123\",\"addrs\":[{\"IP\":\"1.2.3.4\",\"Zone\":\"\"}],\"err\":null}",
"event": {
"category": [
"network"
],
"reason": "connectivity check: DNS done",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:00.427766Z",
"delinea": {
"pra": {
"engine": {
"id": "123123123-2e39-4bdb-9c7b-123123123"
}
}
},
"host": {
"ip": "1.2.3.4"
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:26.250961267+02:00\",\"level\":\"INFO\",\"msg\":\"received registrar response\",\"who\":\"jdoe\",\"engine_id\":\"testEngineId\",\"http_status\":\"200 OK\"}",
"event": {
"category": [
"network"
],
"reason": "received registrar response",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:26.250961Z",
"delinea": {
"pra": {
"engine": {
"id": "testEngineId"
}
}
},
"http": {
"response": {
"status_code": 200
}
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:26.25176562+02:00\",\"level\":\"INFO\",\"msg\":\"tracking parent process\",\"ppid\":112802}",
"event": {
"category": [
"network"
],
"reason": "tracking parent process",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:26.251765Z",
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"process": {
"parent": {
"pid": 112802
}
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:26.252049232+02:00\",\"level\":\"INFO\",\"msg\":\"tracking parent process: switching to polling\",\"error\":\"waitid: no child processes\",\"ppid\":112802}",
"event": {
"category": [
"network"
],
"reason": "tracking parent process: switching to polling",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:26.252049Z",
"error": {
"message": "waitid: no child processes"
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"process": {
"parent": {
"pid": 112802
}
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:26.252153218+02:00\",\"level\":\"INFO\",\"msg\":\"connecting with engine jdoe service\",\"who\":\"jdoe\",\"engine_id\":\"testEngineId\"}",
"event": {
"category": [
"network"
],
"reason": "connecting with engine jdoe service",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:26.252153Z",
"delinea": {
"pra": {
"engine": {
"id": "testEngineId"
}
}
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:26.41960967+02:00\",\"level\":\"INFO\",\"msg\":\"already registered\",\"registration-id\":\"de7e550e-82c2-4be5-ad66-0000000000000\"}",
"event": {
"category": [
"network"
],
"reason": "already registered",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:26.419609Z",
"delinea": {
"pra": {
"registration": {
"id": "de7e550e-82c2-4be5-ad66-0000000000000"
}
}
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:26.971561057+02:00\",\"level\":\"INFO\",\"msg\":\"successfully obtained the auth token\",\"scope\":\"xpmheadless\"}",
"event": {
"category": [
"network"
],
"reason": "successfully obtained the auth token",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:26.971561Z",
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:27.48160835+02:00\",\"level\":\"INFO\",\"msg\":\"successfully connected with engine jdoe service\",\"who\":\"jdoe\",\"engine_id\":\"testEngineId\"}",
"event": {
"category": [
"network"
],
"reason": "successfully connected with engine jdoe service",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:27.481608Z",
"delinea": {
"pra": {
"engine": {
"id": "testEngineId"
}
}
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\n \"eventMessageId\": \"00000000-0000-0000-0000-000000000000\",\n \"tenantId\": \"11111111-1111-1111-1111-111111111111\",\n \"notes\": null,\n \"fieldChanges\": null,\n \"displayMessage\": \"Login for user j.doe@test started.\",\n \"level\": \"SecurityAudit\",\n \"eventDateTime\": \"2025-12-15T14:30:25.2145828+00:00\",\n \"tags\": null,\n \"analyticData\": null,\n \"sessionId\": \"22222222-2222-2222-2222-222222222222\",\n \"isSystem\": false,\n \"service\": {\n \"type\": \"Identity\",\n \"version\": null,\n \"identifier\": null\n },\n \"source\": {\n \"host\": {\n \"machineName\": null,\n \"network\": {\n \"id\": null,\n \"name\": null,\n \"address\": null,\n \"addressType\": \"ipaddress\",\n \"domain\": null,\n \"ipAddress\": \"4.5.6.7\",\n \"socket\": null,\n \"macAddress\": null,\n \"port\": null,\n \"lon\": null,\n \"lat\": null,\n \"geo\": {\n \"cityName\": null,\n \"countryIsoCode\": null,\n \"timeZone\": null\n },\n \"carrier\": null\n },\n \"client\": {\n \"type\": null,\n \"operatingSystem\": null,\n \"mobileApp\": null,\n \"userAgent\": \"Python/3.11 aiohttp/3.12.15\"\n }\n },\n \"displayName\": \"1.2.3.4\",\n \"id\": \"1.2.3.4\",\n \"platformId\": null,\n \"internalId\": null,\n \"idType\": \"ClientIPAddress\",\n \"type\": \"Web\",\n \"name\": \"1.2.3.4\",\n \"additionalAttributes\": null\n },\n \"actor\": {\n \"displayName\": \"j.doe@test\",\n \"email\": null,\n \"delegatedUserId\": null,\n \"delegatedUserPlatformId\": null,\n \"delegatedUserName\": null,\n \"id\": \"33333333-3333-3333-3333-333333333333\",\n \"platformId\": \"33333333-3333-3333-3333-333333333333\",\n \"internalId\": null,\n \"idType\": \"platformid\",\n \"type\": \"user\",\n \"name\": \"j.doe@test\",\n \"additionalAttributes\": null\n },\n \"target\": {\n \"host\": {\n \"machineName\": null,\n \"network\": null,\n \"client\": null\n },\n \"displayName\": null,\n \"containerId\": null,\n \"containerName\": null,\n \"containerType\": null,\n \"id\": null,\n \"platformId\": 
null,\n \"internalId\": null,\n \"idType\": null,\n \"type\": null,\n \"name\": null,\n \"additionalAttributes\": null\n },\n \"eventType\": {\n \"id\": 133,\n \"name\": \"Delinea.Identity.AuthSession.SessionStart\",\n \"internalName\": \"Cloud.AuditService.AuthSession.SessionStart\",\n \"account\": null,\n \"verb\": null,\n \"targetType\": null,\n \"level\": \"SecurityAudit\",\n \"additionalAttributes\": null\n },\n \"processedTime\": \"2025-12-15T14:30:25.8114154+00:00\",\n \"additionalAttributes\": {\n \"Expires\": [\n \"12/16/2025 2:30:25\u202fAM\"\n ],\n \"AuthFactors\": [\n \"\"\n ],\n \"AzRoleId\": [\n \"Web.publicapifortokens-557dcf997d-gr2lc\"\n ],\n \"AuthMethod\": [\n \"None\"\n ],\n \"ThreadType\": [\n \"RestCall\"\n ],\n \"Started\": [\n \"1/1/0001 12:00:00\u202fAM\"\n ],\n \"Tenant\": [\n \"11111111-1111-1111-1111-111111111111\"\n ],\n \"InternalTrackingID\": [\n \"99999999999999999999999999999999\"\n ],\n \"AzRoleName\": [\n \"WebRole\"\n ],\n \"DirectoryServiceUuid\": [\n \"44444444-4444-4444-4444-444444444444\"\n ],\n \"Level\": [\n \"Info\"\n ],\n \"AzDeploymentId\": [\n \"7.4.218\"\n ],\n \"ClientIPAddress\": [\n \"1.2.3.4\"\n ],\n \"WhenLogged\": [\n \"12/15/2025 2:30:25\u202fPM\"\n ],\n \"RequestIsMobileDevice\": [\n \"False\"\n ]\n }\n}\n",
"event": {
"action": "Delinea.Identity.AuthSession.SessionStart",
"category": [
"authentication"
],
"code": "133",
"dataset": "SecurityAudit",
"kind": "alert",
"provider": "Identity",
"reason": "Login for user j.doe@test started.",
"type": [
"start"
]
},
"@timestamp": "2025-12-15T14:30:25.214582Z",
"host": {
"ip": "4.5.6.7",
"name": "1.2.3.4"
},
"log": {
"level": "SecurityAudit"
},
"network": {
"transport": "ipaddress"
},
"observer": {
"product": "Delinea PRA",
"type": "Identity",
"vendor": "Delinea"
},
"organization": {
"id": "11111111-1111-1111-1111-111111111111"
},
"related": {
"ip": [
"4.5.6.7"
],
"user": [
"j.doe@test"
]
},
"source": {
"address": "4.5.6.7",
"ip": "4.5.6.7"
},
"user": {
"full_name": "j.doe@test",
"name": "j.doe@test"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Python aiohttp",
"original": "Python/3.11 aiohttp/3.12.15",
"os": {
"name": "Other"
},
"version": "3.12.15"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.
| Name | Type | Description |
|---|---|---|
| @timestamp | date | Date/time when the event originated. |
| delinea.pra.engine.id | keyword | The unique identifier for the engine that processed the request. |
| delinea.pra.registration.id | keyword | The unique identifier for the registration associated with the event. |
| delinea.pra.site.id | keyword | The unique identifier for the site where the event originated. |
| destination.address | keyword | Destination network address. |
| destination.domain | keyword | The domain name of the destination. |
| destination.ip | ip | IP address of the destination. |
| destination.port | long | Port of the destination. |
| error.message | match_only_text | Error message. |
| event.action | keyword | The action captured by the event. |
| event.category | keyword | Event category. The second categorization field in the hierarchy. |
| event.code | keyword | Identification code for this event. |
| event.dataset | keyword | Name of the dataset. |
| event.kind | keyword | The kind of the event. The highest categorization field in the hierarchy. |
| event.outcome | keyword | The outcome of the event. The lowest level categorization field in the hierarchy. |
| event.provider | keyword | Source of the event. |
| event.reason | keyword | Reason why this event happened, according to the source. |
| event.severity | long | Numeric severity of the event. |
| event.type | keyword | Event type. The third categorization field in the hierarchy. |
| host.hostname | keyword | Hostname of the host. |
| host.id | keyword | Unique host id. |
| host.ip | ip | Host ip addresses. |
| host.name | keyword | Name of the host. |
| host.os.type | keyword | Which commercial OS family (one of: linux, macos, unix or windows). |
| http.response.status_code | long | HTTP response status code. |
| log.level | keyword | Log level of the log event. |
| network.transport | keyword | Protocol Name corresponding to the field iana_number. |
| observer.product | keyword | The product name of the observer. |
| observer.serial_number | keyword | Observer serial number. |
| observer.type | keyword | The type of the observer the data is coming from. |
| observer.vendor | keyword | Vendor name of the observer. |
| observer.version | keyword | Observer version. |
| organization.id | keyword | Unique identifier for the organization. |
| process.parent.pid | long | Process id. |
| source.address | keyword | Source network address. |
| source.domain | keyword | The domain name of the source. |
| source.geo.city_name | keyword | City name. |
| source.geo.country_iso_code | keyword | Country ISO code. |
| source.geo.timezone | keyword | Time zone. |
| source.ip | ip | IP address of the source. |
| source.mac | keyword | MAC address of the source. |
| source.port | long | Port of the source. |
| source.user.name | keyword | Short name or login of the user. |
| tls.version | keyword | Numeric part of the version parsed from the original string. |
| url.original | wildcard | Unmodified original url as seen in the event source. |
| user.email | keyword | User email address. |
| user.full_name | keyword | User's full name, if available. |
| user.name | keyword | Short name or login of the user. |
| user_agent.original | keyword | Unparsed user_agent string. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
No related built-in rules were found. This message is automatically generated.
Event Categories
The following table lists the data sources offered by this integration.
| Data Source | Description |
|---|---|
| Host network interface | None |
| Network device logs | None |
| Network protocol analysis | None |
In detail, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | alert |
| Category | network |
| Type | info |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\n \"Date\": \"2025-08-18T15:01:42.7166877+00:00\",\n \"Service\": \"Remote Access\",\n \"Level\": \"PrivilegedActivity\",\n \"Event type\": \"Delinea.RAS.Session.Secret.Launched\",\n \"Action\": \"Launched by user jdoe@test.test.com from secret test-TEST-00-0000 (test-TEST-00-0000) as testUser to test-TEST-00-0000:22 at Delinea_Integration_test_test using ssh.\",\n \"Initiated by\": \"jdoe\",\n \"Target\": \"test-TEST-00-0000\",\n \"Source\": \"test-Source-ADDR\",\n \"Field changes\": \"\"\n }",
"event": {
"action": "Delinea.RAS.Session.Secret.Launched",
"category": [
"network"
],
"reason": "Launched by user jdoe@test.test.com from secret test-TEST-00-0000 (test-TEST-00-0000) as testUser to test-TEST-00-0000:22 at Delinea_Integration_test_test using ssh.",
"type": [
"info"
]
},
"@timestamp": "2025-08-18T15:01:42.716687Z",
"destination": {
"address": "test-TEST-00-0000"
},
"log": {
"level": "PrivilegedActivity"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"address": "test-Source-ADDR",
"user": {
"name": "jdoe"
}
}
}
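The field mapping visible in the Remote Access sample above, written out as a small normalizer so the raw-to-ECS relationship can be tested when building custom rules. This is an added illustration, not Sekoia.io's parser: the function names are hypothetical and the mapping is inferred only from the samples on this page.

```python
import json
import re
from datetime import datetime, timedelta

# Sample input: the raw "message" of the Remote Access sample above, rebuilt inline.
RAW_SAMPLE = json.dumps({
    "Date": "2025-08-18T15:01:42.7166877+00:00",
    "Service": "Remote Access",
    "Level": "PrivilegedActivity",
    "Event type": "Delinea.RAS.Session.Secret.Launched",
    "Action": "Launched by user jdoe@test.test.com from secret test-TEST-00-0000 (test-TEST-00-0000) as testUser to test-TEST-00-0000:22 at Delinea_Integration_test_test using ssh.",
    "Initiated by": "jdoe",
    "Target": "test-TEST-00-0000",
    "Source": "test-Source-ADDR",
    "Field changes": "",
})

_TS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$"
)


def to_utc_timestamp(value):
    """Convert a Delinea timestamp to UTC with microsecond precision.

    The raw events carry 7 to 9 fractional digits and a numeric offset;
    the normalized samples keep 6 digits (truncated) and end in 'Z'.
    """
    match = _TS_RE.match(value.strip())
    if not match:
        raise ValueError("unsupported timestamp: %r" % value)
    base, fraction, tz = match.groups()
    micros = int((fraction or "").ljust(6, "0")[:6])
    moment = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micros)
    if tz != "Z":
        sign = 1 if tz[0] == "+" else -1
        offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
        moment -= sign * offset  # local time minus offset gives UTC
    return moment.strftime("%Y-%m-%dT%H:%M:%S.%f") + "Z"


def normalize_remote_access(raw_message):
    """Map one raw Remote Access audit event to the ECS shape shown in the samples."""
    raw = json.loads(raw_message)
    if not isinstance(raw, dict):
        raise ValueError("expected a JSON object")
    for key in ("Date", "Event type"):
        if not raw.get(key):
            raise ValueError("missing required field: %s" % key)

    event = {
        "message": raw_message,
        "event": {
            "action": raw["Event type"],
            "category": ["network"],
            "type": ["info"],
        },
        "@timestamp": to_utc_timestamp(raw["Date"]),
        "observer": {"product": "Delinea PRA", "vendor": "Delinea"},
    }
    if raw.get("Action"):
        event["event"]["reason"] = raw["Action"]
    if raw.get("Level"):
        event["log"] = {"level": raw["Level"]}
    # Empty "Target" / "Source" strings produce no field at all, as in the samples.
    if raw.get("Target"):
        event["destination"] = {"address": raw["Target"]}
    source = {}
    if raw.get("Source"):
        source["address"] = raw["Source"]
    if raw.get("Initiated by"):
        source["user"] = {"name": raw["Initiated by"]}
        event["related"] = {"user": [raw["Initiated by"]]}
    if source:
        event["source"] = source
    return event


if __name__ == "__main__":
    print(json.dumps(normalize_remote_access(RAW_SAMPLE), indent=2))
```

Because the mapping is inferred from samples, a raw event with fields that do not appear on this page may be normalized differently by the real intake.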
{
"message": "{\n \"Date\": \"2025-08-18T14:56:06.5636088+00:00\",\n \"Service\": \"Remote Access\",\n \"Level\": \"PrivilegedActivity\",\n \"Event type\": \"Delinea.RAS.Site.Queried\",\n \"Action\": \"Sites retrieved by user jdoe@test.test.com.\",\n \"Initiated by\": \"jdoe\",\n \"Target\": \"\",\n \"Source\": \"\",\n \"Field changes\": \"\"\n }",
"event": {
"action": "Delinea.RAS.Site.Queried",
"category": [
"network"
],
"reason": "Sites retrieved by user jdoe@test.test.com.",
"type": [
"info"
]
},
"@timestamp": "2025-08-18T14:56:06.563608Z",
"log": {
"level": "PrivilegedActivity"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\n \"Date\": \"2025-08-18T14:48:49.3009467+00:00\",\n \"Service\": \"Remote Access\",\n \"Level\": \"PrivilegedActivity\",\n \"Event type\": \"Delinea.RAS.Session.ClosedByTimeout\",\n \"Action\": \"Session closed by system after timing out.\",\n \"Initiated by\": \"Delinea System\",\n \"Target\": \"test-TEST-00-0000\",\n \"Source\": \"\",\n \"Field changes\": \"\"\n }",
"event": {
"action": "Delinea.RAS.Session.ClosedByTimeout",
"category": [
"network"
],
"reason": "Session closed by system after timing out.",
"type": [
"info"
]
},
"@timestamp": "2025-08-18T14:48:49.300946Z",
"destination": {
"address": "test-TEST-00-0000"
},
"log": {
"level": "PrivilegedActivity"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"Delinea System"
]
},
"source": {
"user": {
"name": "Delinea System"
}
}
}
{
"message": "{\n \"Date\": \"2025-08-18T14:41:30.7449045+00:00\",\n \"Service\": \"Remote Access\",\n \"Level\": \"PrivilegedActivity\",\n \"Event type\": \"Delinea.RAS.Session.Clipboard.SentToTarget\",\n \"Action\": \"Clipboard data is sent to target by user jdoe@test.test.com.\",\n \"Initiated by\": \"jdoe\",\n \"Target\": \"test-TEST-00-0000\",\n \"Source\": \"\",\n \"Field changes\": \"\"\n }",
"event": {
"action": "Delinea.RAS.Session.Clipboard.SentToTarget",
"category": [
"network"
],
"reason": "Clipboard data is sent to target by user jdoe@test.test.com.",
"type": [
"info"
]
},
"@timestamp": "2025-08-18T14:41:30.744904Z",
"destination": {
"address": "test-TEST-00-0000"
},
"log": {
"level": "PrivilegedActivity"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\n \"Date\": \"2025-08-18T14:40:59.1695664+00:00\",\n \"Service\": \"Remote Access\",\n \"Level\": \"PrivilegedActivity\",\n \"Event type\": \"Delinea.RAS.Session.Secret.Launched\",\n \"Action\": \"Launched by user jdoe@test.test.com from secret test-TEST-00-0000 (test-TEST-00-0000) as testUser to test-TEST-00-0000:22 at Delinea_Integration_test_LKA using ssh.\",\n \"Initiated by\": \"jdoe\",\n \"Target\": \"test-TEST-00-0000\",\n \"Source\": \"\",\n \"Field changes\": \"\"\n }",
"event": {
"action": "Delinea.RAS.Session.Secret.Launched",
"category": [
"network"
],
"reason": "Launched by user jdoe@test.test.com from secret test-TEST-00-0000 (test-TEST-00-0000) as testUser to test-TEST-00-0000:22 at Delinea_Integration_test_LKA using ssh.",
"type": [
"info"
]
},
"@timestamp": "2025-08-18T14:40:59.169566Z",
"destination": {
"address": "test-TEST-00-0000"
},
"log": {
"level": "PrivilegedActivity"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\"eventMessageId\":\"00000000-0000-0000-0000-000000000001\",\"tenantId\":\"00000000-0000-0000-0000-000000000002\",\"notes\":\"{\\\"machineName\\\":\\\"anon-worker-12345\\\",\\\"machineTimeZone\\\":\\\"Coordinated Universal Time\\\",\\\"product\\\":\\\"Secret Server\\\",\\\"schemaVersion\\\":\\\"https://schema.delinea.app/secretserver/schema.v1.json\\\",\\\"itemName\\\":\\\"item_anon\\\",\\\"itemNameForDisplay\\\":\\\"item_anon\\\",\\\"byUser\\\":\\\"user@example.com\\\",\\\"byUserDisplayName\\\":\\\"API User\\\",\\\"delegatedUserName\\\":\\\"delegated_user\\\",\\\"delegatedUserDisplayName\\\":\\\"Delegated User\\\",\\\"byUserEmailAddress\\\":\\\"byuser@example.com\\\",\\\"delegatedUserPlatformId\\\":\\\"delegated-platform-1\\\",\\\"eventAction\\\":\\\"LAUNCH\\\",\\\"eventEntityType\\\":\\\"SECRET\\\",\\\"containerName\\\":\\\"anon_container\\\",\\\"byUserPlatformId\\\":\\\"platform-123\\\",\\\"eventLevel\\\":2,\\\"itemPlatformId\\\":\\\"item-platform-1\\\",\\\"targetUserId\\\":\\\"target-user-1\\\",\\\"targetUserName\\\":\\\"target_user\\\",\\\"targetUserDisplayName\\\":\\\"Target User\\\",\\\"targetUserPlatformId\\\":\\\"target-platform-1\\\",\\\"eventQueueId\\\":9999,\\\"eventEntityTypeId\\\":10001,\\\"eventActionId\\\":10006,\\\"userId\\\":0,\\\"delegatedUserId\\\":\\\"delegated-id-1\\\",\\\"itemId\\\":123,\\\"containerId\\\":111,\\\"eventTime\\\":\\\"0001-01-01T00:00:00\\\",\\\"eventDetails\\\":\\\"Remote Desktop Host: [anon_host] Username: [anon_user] Account Name: anon_account Target Server: anon_host \\\",\\\"ipAddress\\\":\\\"10.0.0.1\\\",\\\"eventDataObject\\\":\\\"dummy_event_data\\\",\\\"additionalData\\\":\\\"dummy_additional_data\\\",\\\"additionalDataDictionary\\\":{\\\"key\\\":\\\"value\\\"},\\\"fieldChangesCollection\\\":\\\"dummy_field_changes\\\"}\",\"fieldChanges\":\"dummy_field_changes\",\"displayMessage\":\"A secret was launched by 
user@example.com.\",\"level\":\"PrivilegedActivity\",\"eventDateTime\":\"2025-09-18T13:34:17.603+00:00\",\"tags\":[\"tag1\",\"tag2\"],\"analyticData\":\"dummy_analytic_data\",\"sessionId\":\"dummy_session_id\",\"isSystem\":false,\"service\":{\"type\":\"Secret Server\",\"version\":\"11.7.000055\",\"identifier\":\"00000000-0000-0000-0000-000000000003\"},\"source\":{\"host\":{\"machineName\":\"anon-machine\",\"network\":{\"id\":\"network-id-1\",\"name\":\"anon-network\",\"address\":\"192.168.0.10\",\"addressType\":\"ipaddress\",\"domain\":\"anon.local\",\"ipAddress\":\"10.0.0.1\",\"socket\":\"socket-1\",\"macAddress\":\"00:11:22:33:44:55\",\"port\":443,\"lon\":12.34,\"lat\":56.78,\"geo\":{\"cityName\":\"Anon City\",\"countryIsoCode\":\"AN\",\"timeZone\":\"UTC\"},\"carrier\":\"AnonCarrier\"},\"client\":\"anon-client\"},\"displayName\":\"anon-source\",\"id\":\"source-id-1\",\"platformId\":\"platform-source-1\",\"internalId\":\"internal-source-1\",\"idType\":\"source-type\",\"type\":\"source\",\"name\":\"source-name\",\"additionalAttributes\":{\"attr\":\"dummy\"}},\"actor\":{\"displayName\":\"API User\",\"email\":\"user@example.com\",\"delegatedUserId\":\"delegated-user-id\",\"delegatedUserPlatformId\":\"delegated-platform-id\",\"delegatedUserName\":\"delegated_user\",\"id\":\"00000000-0000-0000-0000-000000000004\",\"platformId\":\"00000000-0000-0000-0000-000000000004\",\"internalId\":\"5\",\"idType\":\"platformid\",\"type\":\"user\",\"name\":\"user@example.com\",\"additionalAttributes\":{\"role\":\"admin\"}},\"target\":{\"host\":{\"machineName\":\"target-machine\",\"network\":{\"id\":\"network-id-2\",\"name\":\"target-network\",\"address\":\"192.168.0.20\",\"addressType\":\"ipaddress\",\"domain\":\"target.local\",\"ipAddress\":\"10.0.0.2\",\"socket\":\"socket-2\",\"macAddress\":\"66:77:88:99:AA:BB\",\"port\":3389,\"lon\":98.76,\"lat\":54.32,\"geo\":{\"cityName\":\"Target 
City\",\"countryIsoCode\":\"TC\",\"timeZone\":\"UTC+1\"},\"carrier\":\"TargetCarrier\"},\"client\":\"target-client\"},\"displayName\":\"5\",\"containerId\":\"target-container-1\",\"containerName\":\"target-container\",\"containerType\":\"SECRET\",\"id\":\"5\",\"platformId\":\"target-platform-1\",\"internalId\":\"target-internal-1\",\"idType\":\"target-type\",\"type\":\"SECRET\",\"name\":\"5\",\"additionalAttributes\":{\"info\":\"dummy_target_info\"}},\"eventType\":{\"name\":\"Delinea.Vault.Secret.RemoteSession.Launched\",\"internalName\":\"10006\",\"account\":\"dummy_account\",\"verb\":\"dummy_verb\",\"targetType\":\"dummy_target_type\",\"level\":\"SecurityAudit\",\"additionalAttributes\":{\"extra\":\"dummy_event_attr\"}},\"processedTime\":\"2025-09-18T13:34:57.157974+00:00\",\"additionalAttributes\":{\"eventmessageguid\":[\"00000000-0000-0000-0000-000000000005\"],\"customAttr\":\"dummy_attr\"}}",
"event": {
"action": "Delinea.Vault.Secret.RemoteSession.Launched",
"category": [
"process"
],
"dataset": "SecurityAudit",
"kind": "alert",
"provider": "Secret Server",
"reason": "A secret was launched by user@example.com.",
"type": [
"start"
]
},
"@timestamp": "2025-09-18T13:34:17.603000Z",
"destination": {
"address": "target-container",
"domain": "target-container",
"port": 3389
},
"host": {
"hostname": "anon-machine",
"ip": "10.0.0.1",
"name": "source-name"
},
"log": {
"level": "PrivilegedActivity"
},
"network": {
"transport": "ipaddress"
},
"observer": {
"product": "Delinea PRA",
"serial_number": "00000000-0000-0000-0000-000000000003",
"type": "Secret Server",
"vendor": "Delinea",
"version": "11.7.000055"
},
"organization": {
"id": "00000000-0000-0000-0000-000000000002"
},
"related": {
"hosts": [
"anon-machine",
"anon.local",
"target-container"
],
"ip": [
"10.0.0.1"
],
"user": [
"user@example.com"
]
},
"source": {
"address": "anon.local",
"domain": "anon.local",
"geo": {
"city_name": "Anon City",
"country_iso_code": "AN",
"timezone": "UTC"
},
"ip": "10.0.0.1",
"mac": "00:11:22:33:44:55",
"port": 443,
"subdomain": "anon"
},
"user": {
"email": "user@example.com",
"full_name": "API User",
"name": "user@example.com"
}
}
{
"message": "{\n \"eventMessageId\": \"00000000-0000-0000-0000-000000000001\",\n \"tenantId\": \"00000000-0000-0000-0000-000000000010\",\n \"notes\": \"{\\\"machineName\\\":\\\"anon-worker-1\\\",\\\"machineTimeZone\\\":\\\"Coordinated Universal Time\\\",\\\"product\\\":\\\"Secret Server\\\",\\\"schemaVersion\\\":\\\"https://schema.delinea.app/secretserver/schema.v1.json\\\",\\\"itemName\\\":\\\"item_anon\\\",\\\"itemNameForDisplay\\\":\\\"item_anon\\\",\\\"byUser\\\":\\\"user@example.com\\\",\\\"byUserDisplayName\\\":\\\"API User\\\",\\\"delegatedUserName\\\":null,\\\"delegatedUserDisplayName\\\":null,\\\"byUserEmailAddress\\\":null,\\\"delegatedUserPlatformId\\\":null,\\\"eventAction\\\":\\\"LAUNCH\\\",\\\"eventEntityType\\\":\\\"SECRET\\\",\\\"containerName\\\":null,\\\"byUserPlatformId\\\":null,\\\"eventLevel\\\":2,\\\"itemPlatformId\\\":null,\\\"targetUserId\\\":null,\\\"targetUserName\\\":null,\\\"targetUserDisplayName\\\":null,\\\"targetUserPlatformId\\\":null,\\\"eventQueueId\\\":1008,\\\"eventEntityTypeId\\\":10001,\\\"eventActionId\\\":10006,\\\"userId\\\":0,\\\"delegatedUserId\\\":null,\\\"itemId\\\":4,\\\"containerId\\\":0,\\\"eventTime\\\":\\\"0001-01-01T00:00:00\\\",\\\"eventDetails\\\":\\\"PuTTY Host: [anon-host] Username: [anon_user] Account Name: anon_account Target Server: anon-host\\\",\\\"ipAddress\\\":\\\"10.0.0.1\\\",\\\"eventDataObject\\\":null,\\\"additionalData\\\":null,\\\"additionalDataDictionary\\\":{},\\\"fieldChangesCollection\\\":null}\",\n \"fieldChanges\": null,\n \"displayMessage\": \"A secret was launched by user@example.com.\",\n \"level\": \"PrivilegedActivity\",\n \"eventDateTime\": \"2025-09-18T13:32:42.21+00:00\",\n \"tags\": null,\n \"analyticData\": null,\n \"sessionId\": null,\n \"isSystem\": false,\n \"service\": {\n \"type\": \"Secret Server\",\n \"version\": \"11.7.000055\",\n \"identifier\": \"00000000-0000-0000-0000-000000000020\"\n },\n \"source\": {\n \"host\": {\n \"machineName\": null,\n \"network\": {\n \"id\": 
null,\n \"name\": null,\n \"address\": null,\n \"addressType\": \"ipaddress\",\n \"domain\": null,\n \"ipAddress\": \"10.0.0.1\",\n \"socket\": null,\n \"macAddress\": null,\n \"port\": null,\n \"lon\": null,\n \"lat\": null,\n \"geo\": {\n \"cityName\": null,\n \"countryIsoCode\": null,\n \"timeZone\": null\n },\n \"carrier\": null\n },\n \"client\": null\n },\n \"displayName\": null,\n \"id\": null,\n \"platformId\": null,\n \"internalId\": null,\n \"idType\": null,\n \"type\": null,\n \"name\": null,\n \"additionalAttributes\": null\n },\n \"actor\": {\n \"displayName\": \"API User\",\n \"email\": \"user@example.com\",\n \"delegatedUserId\": null,\n \"delegatedUserPlatformId\": null,\n \"delegatedUserName\": null,\n \"id\": \"00000000-0000-0000-0000-000000000030\",\n \"platformId\": \"00000000-0000-0000-0000-000000000030\",\n \"internalId\": \"5\",\n \"idType\": \"platformid\",\n \"type\": \"user\",\n \"name\": \"user@example.com\",\n \"additionalAttributes\": null\n },\n \"target\": {\n \"host\": {\n \"machineName\": null,\n \"network\": null,\n \"client\": null\n },\n \"displayName\": \"4\",\n \"containerId\": null,\n \"containerName\": null,\n \"containerType\": null,\n \"id\": \"4\",\n \"platformId\": null,\n \"internalId\": null,\n \"idType\": null,\n \"type\": \"SECRET\",\n \"name\": \"4\",\n \"additionalAttributes\": null\n },\n \"eventType\": {\n \"name\": \"Delinea.Vault.Secret.RemoteSession.Launched\",\n \"internalName\": \"10006\",\n \"account\": null,\n \"verb\": null,\n \"targetType\": null,\n \"level\": \"SecurityAudit\",\n \"additionalAttributes\": null\n },\n \"processedTime\": \"2025-09-18T13:32:52.1991369+00:00\",\n \"additionalAttributes\": {\n \"eventmessageguid\": [\"00000000-0000-0000-0000-000000000040\"]\n }\n}",
"event": {
"action": "Delinea.Vault.Secret.RemoteSession.Launched",
"category": [
"process"
],
"dataset": "SecurityAudit",
"kind": "alert",
"provider": "Secret Server",
"reason": "A secret was launched by user@example.com.",
"type": [
"start"
]
},
"@timestamp": "2025-09-18T13:32:42.210000Z",
"host": {
"ip": "10.0.0.1"
},
"log": {
"level": "PrivilegedActivity"
},
"network": {
"transport": "ipaddress"
},
"observer": {
"product": "Delinea PRA",
"serial_number": "00000000-0000-0000-0000-000000000020",
"type": "Secret Server",
"vendor": "Delinea",
"version": "11.7.000055"
},
"organization": {
"id": "00000000-0000-0000-0000-000000000010"
},
"related": {
"ip": [
"10.0.0.1"
],
"user": [
"user@example.com"
]
},
"source": {
"address": "10.0.0.1",
"ip": "10.0.0.1"
},
"user": {
"email": "user@example.com",
"full_name": "API User",
"name": "user@example.com"
}
}
{
"message": "{\n \"eventMessageId\": \"00000000-0000-0000-0000-000000000002\",\n \"tenantId\": \"00000000-0000-0000-0000-000000000010\",\n \"notes\": \"{\\\"machineName\\\":\\\"anon-worker-1\\\",\\\"machineTimeZone\\\":\\\"Coordinated Universal Time\\\",\\\"product\\\":\\\"Secret Server\\\",\\\"schemaVersion\\\":\\\"https://schema.delinea.app/secretserver/schema.v1.json\\\",\\\"itemName\\\":\\\"item_anon\\\",\\\"itemNameForDisplay\\\":\\\"item_anon\\\",\\\"byUser\\\":\\\"user@example.com\\\",\\\"byUserDisplayName\\\":\\\"API User\\\",\\\"delegatedUserName\\\":null,\\\"delegatedUserDisplayName\\\":null,\\\"byUserEmailAddress\\\":null,\\\"delegatedUserPlatformId\\\":null,\\\"eventAction\\\":\\\"VIEW\\\",\\\"eventEntityType\\\":\\\"SECRET\\\",\\\"containerName\\\":null,\\\"byUserPlatformId\\\":null,\\\"eventLevel\\\":2,\\\"itemPlatformId\\\":null,\\\"targetUserId\\\":null,\\\"targetUserName\\\":null,\\\"targetUserDisplayName\\\":null,\\\"targetUserPlatformId\\\":null,\\\"eventQueueId\\\":1007,\\\"eventEntityTypeId\\\":10001,\\\"eventActionId\\\":10004,\\\"userId\\\":0,\\\"delegatedUserId\\\":null,\\\"itemId\\\":4,\\\"containerId\\\":0,\\\"eventTime\\\":\\\"0001-01-01T00:00:00\\\",\\\"eventDetails\\\":\\\"Account Name: anon_account Target Server: anon-host\\\",\\\"ipAddress\\\":\\\"10.0.0.1\\\",\\\"eventDataObject\\\":null,\\\"additionalData\\\":null,\\\"additionalDataDictionary\\\":{},\\\"fieldChangesCollection\\\":null}\",\n \"fieldChanges\": null,\n \"displayMessage\": \"Secret was viewed by user@example.com.\",\n \"level\": \"PrivilegedActivity\",\n \"eventDateTime\": \"2025-09-18T13:32:31.883+00:00\",\n \"tags\": null,\n \"analyticData\": null,\n \"sessionId\": null,\n \"isSystem\": false,\n \"service\": {\n \"type\": \"Secret Server\",\n \"version\": \"11.7.000055\",\n \"identifier\": \"00000000-0000-0000-0000-000000000020\"\n },\n \"source\": {\n \"host\": {\n \"machineName\": null,\n \"network\": {\n \"id\": null,\n \"name\": null,\n \"address\": null,\n 
\"addressType\": \"ipaddress\",\n \"domain\": null,\n \"ipAddress\": \"10.0.0.1\",\n \"socket\": null,\n \"macAddress\": null,\n \"port\": null,\n \"lon\": null,\n \"lat\": null,\n \"geo\": {\n \"cityName\": null,\n \"countryIsoCode\": null,\n \"timeZone\": null\n },\n \"carrier\": null\n },\n \"client\": null\n },\n \"displayName\": null,\n \"id\": null,\n \"platformId\": null,\n \"internalId\": null,\n \"idType\": null,\n \"type\": null,\n \"name\": null,\n \"additionalAttributes\": null\n },\n \"actor\": {\n \"displayName\": \"API User\",\n \"email\": \"user@example.com\",\n \"delegatedUserId\": null,\n \"delegatedUserPlatformId\": null,\n \"delegatedUserName\": null,\n \"id\": \"00000000-0000-0000-0000-000000000030\",\n \"platformId\": \"00000000-0000-0000-0000-000000000030\",\n \"internalId\": \"5\",\n \"idType\": \"platformid\",\n \"type\": \"user\",\n \"name\": \"user@example.com\",\n \"additionalAttributes\": null\n },\n \"target\": {\n \"host\": {\n \"machineName\": null,\n \"network\": null,\n \"client\": null\n },\n \"displayName\": \"4\",\n \"containerId\": null,\n \"containerName\": null,\n \"containerType\": null,\n \"id\": \"4\",\n \"platformId\": null,\n \"internalId\": null,\n \"idType\": null,\n \"type\": \"SECRET\",\n \"name\": \"4\",\n \"additionalAttributes\": null\n },\n \"eventType\": {\n \"name\": \"Delinea.Vault.Secret.Viewed\",\n \"internalName\": \"10004\",\n \"account\": null,\n \"verb\": null,\n \"targetType\": null,\n \"level\": \"PrivilegedActivity\",\n \"additionalAttributes\": null\n },\n \"processedTime\": \"2025-09-18T13:32:52.1211584+00:00\",\n \"additionalAttributes\": {\n \"eventmessageguid\": [\"00000000-0000-0000-0000-000000000041\"]\n }\n}",
"event": {
"action": "Delinea.Vault.Secret.Viewed",
"category": [
"configuration"
],
"dataset": "PrivilegedActivity",
"provider": "Secret Server",
"reason": "Secret was viewed by user@example.com.",
"type": [
"access"
]
},
"@timestamp": "2025-09-18T13:32:31.883000Z",
"host": {
"ip": "10.0.0.1"
},
"log": {
"level": "PrivilegedActivity"
},
"network": {
"transport": "ipaddress"
},
"observer": {
"product": "Delinea PRA",
"serial_number": "00000000-0000-0000-0000-000000000020",
"type": "Secret Server",
"vendor": "Delinea",
"version": "11.7.000055"
},
"organization": {
"id": "00000000-0000-0000-0000-000000000010"
},
"related": {
"ip": [
"10.0.0.1"
],
"user": [
"user@example.com"
]
},
"source": {
"address": "10.0.0.1",
"ip": "10.0.0.1"
},
"user": {
"email": "user@example.com",
"full_name": "API User",
"name": "user@example.com"
}
}
{
"message": "{\n \"eventMessageId\": \"00000000-0000-0000-0000-000000000003\",\n \"tenantId\": \"00000000-0000-0000-0000-000000000010\",\n \"notes\": null,\n \"fieldChanges\": null,\n \"displayMessage\": \"Session closed by system after timing out.\",\n \"level\": \"PrivilegedActivity\",\n \"eventDateTime\": \"2025-09-18T13:26:19.6589051+00:00\",\n \"tags\": null,\n \"analyticData\": null,\n \"sessionId\": null,\n \"isSystem\": true,\n \"service\": {\n \"type\": \"Remote Access\",\n \"version\": null,\n \"identifier\": null\n },\n \"source\": {\n \"host\": {\n \"machineName\": null,\n \"network\": {\n \"id\": null,\n \"name\": null,\n \"address\": null,\n \"addressType\": null,\n \"domain\": null,\n \"ipAddress\": \"10.0.0.1\",\n \"socket\": null,\n \"macAddress\": null,\n \"port\": null,\n \"lon\": null,\n \"lat\": null,\n \"geo\": {\n \"cityName\": null,\n \"countryIsoCode\": null,\n \"timeZone\": null\n },\n \"carrier\": null\n },\n \"client\": {\n \"type\": \"http\",\n \"operatingSystem\": null,\n \"mobileApp\": null,\n \"userAgent\": \"Mozilla/5.0 (AnonOS)\"\n }\n },\n \"displayName\": \"10.0.0.1\",\n \"id\": null,\n \"platformId\": null,\n \"internalId\": null,\n \"idType\": null,\n \"type\": \"http-client\",\n \"name\": null,\n \"additionalAttributes\": null\n },\n \"actor\": {\n \"displayName\": \"System User\",\n \"email\": null,\n \"delegatedUserId\": null,\n \"delegatedUserPlatformId\": null,\n \"delegatedUserName\": null,\n \"id\": \"00000000-0000-0000-0000-000000000050\",\n \"platformId\": \"00000000-0000-0000-0000-000000000050\",\n \"internalId\": null,\n \"idType\": \"platformid\",\n \"type\": \"system\",\n \"name\": \"systemuser\",\n \"additionalAttributes\": null\n },\n \"target\": {\n \"host\": {\n \"machineName\": \"anon-host\",\n \"network\": {\n \"id\": null,\n \"name\": null,\n \"address\": null,\n \"addressType\": null,\n \"domain\": null,\n \"ipAddress\": null,\n \"socket\": null,\n \"macAddress\": null,\n \"port\": \"22\",\n \"lon\": null,\n 
\"lat\": null,\n \"geo\": {\n \"cityName\": null,\n \"countryIsoCode\": null,\n \"timeZone\": null\n },\n \"carrier\": null\n },\n \"client\": null\n },\n \"displayName\": \"anon-host\",\n \"containerId\": null,\n \"containerName\": null,\n \"containerType\": null,\n \"id\": \"anon-host\",\n \"platformId\": null,\n \"internalId\": null,\n \"idType\": \"hostname\",\n \"type\": \"machine\",\n \"name\": \"anon-host\",\n \"additionalAttributes\": {\n \"protocol\": [\"ssh\"],\n \"secret_id\": [\"4\"],\n \"secret_name\": [\"item_anon\"],\n \"site_id\": [\"00000000-0000-0000-0000-000000000060\"],\n \"site_name\": [\"Anon_Site\"],\n \"user_name\": [\"user@example.com\"]\n }\n },\n \"eventType\": {\n \"name\": \"Delinea.RAS.Session.ClosedByTimeout\",\n \"internalName\": \"\",\n \"account\": null,\n \"verb\": null,\n \"targetType\": null,\n \"level\": \"PrivilegedActivity\",\n \"additionalAttributes\": null\n },\n \"processedTime\": \"2025-09-18T13:26:19.9443601+00:00\",\n \"additionalAttributes\": {\n \"tunnelId\": [\"00000000-0000-0000-0000-000000000061\"]\n }\n}",
"event": {
"action": "Delinea.RAS.Session.ClosedByTimeout",
"category": [
"authentication"
],
"dataset": "PrivilegedActivity",
"provider": "Remote Access",
"reason": "Session closed by system after timing out.",
"type": [
"end"
]
},
"@timestamp": "2025-09-18T13:26:19.658905Z",
"destination": {
"port": 22
},
"host": {
"ip": "10.0.0.1"
},
"log": {
"level": "PrivilegedActivity"
},
"observer": {
"product": "Delinea PRA",
"type": "Remote Access",
"vendor": "Delinea"
},
"organization": {
"id": "00000000-0000-0000-0000-000000000010"
},
"related": {
"ip": [
"10.0.0.1"
],
"user": [
"systemuser"
]
},
"source": {
"address": "10.0.0.1",
"ip": "10.0.0.1"
},
"user": {
"full_name": "System User",
"name": "systemuser"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "Mozilla/5.0 (AnonOS)",
"os": {
"name": "Other"
}
}
}
{
"message": "{\n \"eventMessageId\": \"00000000-0000-0000-0000-000000000004\",\n \"tenantId\": \"00000000-0000-0000-0000-000000000010\",\n \"notes\": \"{\\\"machineName\\\":\\\"anon-worker-2\\\",\\\"machineTimeZone\\\":\\\"Coordinated Universal Time\\\",\\\"product\\\":\\\"Secret Server\\\",\\\"schemaVersion\\\":\\\"https://schema.delinea.app/secretserver/schema.v1.json\\\",\\\"itemName\\\":\\\"item_anon\\\",\\\"itemNameForDisplay\\\":\\\"item_anon\\\",\\\"byUser\\\":\\\"user@example.com\\\",\\\"byUserDisplayName\\\":\\\"API User\\\",\\\"delegatedUserName\\\":null,\\\"delegatedUserDisplayName\\\":null,\\\"byUserEmailAddress\\\":null,\\\"delegatedUserPlatformId\\\":null,\\\"eventAction\\\":\\\"LAUNCH\\\",\\\"eventEntityType\\\":\\\"SECRET\\\",\\\"containerName\\\":null,\\\"byUserPlatformId\\\":null,\\\"eventLevel\\\":2,\\\"itemPlatformId\\\":null,\\\"targetUserId\\\":null,\\\"targetUserName\\\":null,\\\"targetUserDisplayName\\\":null,\\\"targetUserPlatformId\\\":null,\\\"eventQueueId\\\":1006,\\\"eventEntityTypeId\\\":10001,\\\"eventActionId\\\":10006,\\\"userId\\\":0,\\\"delegatedUserId\\\":null,\\\"itemId\\\":4,\\\"containerId\\\":0,\\\"eventTime\\\":\\\"0001-01-01T00:00:00\\\",\\\"eventDetails\\\":\\\"PuTTY Host: [anon-host] Username: [anon_user] Account Name: anon_account Target Server: anon-host\\\",\\\"ipAddress\\\":\\\"10.0.0.2\\\",\\\"eventDataObject\\\":null,\\\"additionalData\\\":null,\\\"additionalDataDictionary\\\":{},\\\"fieldChangesCollection\\\":null}\",\n \"fieldChanges\": null,\n \"displayMessage\": \"A secret was launched by user@example.com.\",\n \"level\": \"PrivilegedActivity\",\n \"eventDateTime\": \"2025-09-18T13:25:29.643+00:00\",\n \"tags\": null,\n \"analyticData\": null,\n \"sessionId\": null,\n \"isSystem\": false,\n \"service\": {\n \"type\": \"Secret Server\",\n \"version\": \"11.7.000055\",\n \"identifier\": \"00000000-0000-0000-0000-000000000020\"\n },\n \"source\": {\n \"host\": {\n \"machineName\": null,\n \"network\": {\n \"id\": 
null,\n \"name\": null,\n \"address\": null,\n \"addressType\": \"ipaddress\",\n \"domain\": null,\n \"ipAddress\": \"10.0.0.2\",\n \"socket\": null,\n \"macAddress\": null,\n \"port\": null,\n \"lon\": null,\n \"lat\": null,\n \"geo\": {\n \"cityName\": null,\n \"countryIsoCode\": null,\n \"timeZone\": null\n },\n \"carrier\": null\n },\n \"client\": null\n },\n \"displayName\": null,\n \"id\": null,\n \"platformId\": null,\n \"internalId\": null,\n \"idType\": null,\n \"type\": null,\n \"name\": null,\n \"additionalAttributes\": null\n },\n \"actor\": {\n \"displayName\": \"API User\",\n \"email\": \"user@example.com\",\n \"delegatedUserId\": null,\n \"delegatedUserPlatformId\": null,\n \"delegatedUserName\": null,\n \"id\": \"00000000-0000-0000-0000-000000000030\",\n \"platformId\": \"00000000-0000-0000-0000-000000000030\",\n \"internalId\": \"5\",\n \"idType\": \"platformid\",\n \"type\": \"user\",\n \"name\": \"user@example.com\",\n \"additionalAttributes\": null\n },\n \"target\": {\n \"host\": {\n \"machineName\": null,\n \"network\": null,\n \"client\": null\n },\n \"displayName\": \"4\",\n \"containerId\": null,\n \"containerName\": null,\n \"containerType\": null,\n \"id\": \"4\",\n \"platformId\": null,\n \"internalId\": null,\n \"idType\": null,\n \"type\": \"SECRET\",\n \"name\": \"4\",\n \"additionalAttributes\": null\n },\n \"eventType\": {\n \"name\": \"Delinea.Vault.Secret.RemoteSession.Launched\",\n \"internalName\": \"10006\",\n \"account\": null,\n \"verb\": null,\n \"targetType\": null,\n \"level\": \"SecurityAudit\",\n \"additionalAttributes\": null\n },\n \"processedTime\": \"2025-09-18T13:25:53.7481291+00:00\",\n \"additionalAttributes\": {\n \"eventmessageguid\": [\"00000000-0000-0000-0000-000000000070\"]\n }\n}",
"event": {
"action": "Delinea.Vault.Secret.RemoteSession.Launched",
"category": [
"process"
],
"dataset": "SecurityAudit",
"kind": "alert",
"provider": "Secret Server",
"reason": "A secret was launched by user@example.com.",
"type": [
"start"
]
},
"@timestamp": "2025-09-18T13:25:29.643000Z",
"host": {
"ip": "10.0.0.2"
},
"log": {
"level": "PrivilegedActivity"
},
"network": {
"transport": "ipaddress"
},
"observer": {
"product": "Delinea PRA",
"serial_number": "00000000-0000-0000-0000-000000000020",
"type": "Secret Server",
"vendor": "Delinea",
"version": "11.7.000055"
},
"organization": {
"id": "00000000-0000-0000-0000-000000000010"
},
"related": {
"ip": [
"10.0.0.2"
],
"user": [
"user@example.com"
]
},
"source": {
"address": "10.0.0.2",
"ip": "10.0.0.2"
},
"user": {
"email": "user@example.com",
"full_name": "API User",
"name": "user@example.com"
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:03.556085721+02:00\",\"level\":\"INFO\",\"msg\":\"client jdoe initialized\",\"who\":\"jdoe\",\"engine_id\":\"testEngineId\",\"clientmgr_version\":\"v1.0.64\",\"workload_version\":\"1.0.33-1753078549\",\"host_os\":\"linux\",\"host_id\":\"testHostId\",\"site_id\":\"testSiteId\"}",
"event": {
"category": [
"network"
],
"reason": "client jdoe initialized",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:03.556085Z",
"delinea": {
"pra": {
"engine": {
"id": "testEngineId"
},
"site": {
"id": "testSiteId"
}
}
},
"host": {
"id": "testHostId",
"os": {
"type": "linux"
}
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:08.76174172+02:00\",\"level\":\"INFO\",\"msg\":\"connectivity check: done\",\"who\":\"jdoe\",\"engine_id\":\"a2e2fb3f-2e39-4bdb-9c7b-123123213123213\",\"tenant_url\":\"https://test.example.org/\"}",
"event": {
"category": [
"network"
],
"reason": "connectivity check: done",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:08.761741Z",
"delinea": {
"pra": {
"engine": {
"id": "a2e2fb3f-2e39-4bdb-9c7b-123123213123213"
}
}
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
},
"url": {
"domain": "test.example.org",
"original": "https://test.example.org/",
"path": "/",
"port": 443,
"registered_domain": "example.org",
"scheme": "https",
"subdomain": "test",
"top_level_domain": "org"
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:22.279201135+02:00\",\"level\":\"INFO\",\"msg\":\"connectivity check: TLS handshake done\",\"who\":\"jdoe\",\"engine_id\":\"a2e2fb3f-2e39-4bdb-9c7b-123123123\",\"tls_version\":\"TLS 1.3\",\"error\":null}",
"event": {
"category": [
"network"
],
"reason": "connectivity check: TLS handshake done",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:22.279201Z",
"delinea": {
"pra": {
"engine": {
"id": "a2e2fb3f-2e39-4bdb-9c7b-123123123"
}
}
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
},
"tls": {
"version": "1.3"
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:22.279201135+02:00\",\"level\":\"INFO\",\"msg\":\"connectivity check: TLS handshake done\",\"who\":\"jdoe\",\"engine_id\":\"a2e2fb3f-2e39-4bdb-9c7b-123123123\",\"tls_version\":\"TLS 1.3\",\"error\":\"Test Error\"}",
"event": {
"category": [
"network"
],
"reason": "connectivity check: TLS handshake done",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:22.279201Z",
"delinea": {
"pra": {
"engine": {
"id": "a2e2fb3f-2e39-4bdb-9c7b-123123123"
}
}
},
"error": {
"message": "Test Error"
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
},
"tls": {
"version": "1.3"
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:24.418188294+02:00\",\"level\":\"INFO\",\"msg\":\"clientmgr start\",\"version\":\"v1.0.64\",\"build\":\"20250717113850\"}",
"event": {
"category": [
"network"
],
"reason": "clientmgr start",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:24.418188Z",
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:00.403454991+02:00\",\"level\":\"INFO\",\"msg\":\"connectivity check: DNS start\",\"who\":\"jdoe\",\"engine_id\":\"123123123-2e39-4bdb-9c7b-123123123\",\"host\":\"test.example.org\"}",
"event": {
"category": [
"network"
],
"reason": "connectivity check: DNS start",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:00.403454Z",
"delinea": {
"pra": {
"engine": {
"id": "123123123-2e39-4bdb-9c7b-123123123"
}
}
},
"host": {
"name": "test.example.org"
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:00.403362678+02:00\",\"level\":\"INFO\",\"msg\":\"connectivity check: get connection\",\"who\":\"jdoe\",\"engine_id\":\"123123123-2e39-4bdb-9c7b-123123123\",\"host_port\":\"test.example.org:443\"}",
"event": {
"category": [
"network"
],
"reason": "connectivity check: get connection",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:00.403362Z",
"delinea": {
"pra": {
"engine": {
"id": "123123123-2e39-4bdb-9c7b-123123123"
}
}
},
"host": {
"name": "test.example.org"
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:00.427869116+02:00\",\"level\":\"INFO\",\"msg\":\"connectivity check: connect start\",\"who\":\"jdoe\",\"engine_id\":\"123123123-2e39-4bdb-9c7b-123123123\",\"network\":\"tcp\",\"addr\":\"1.2.3.4:443\"}",
"event": {
"category": [
"network"
],
"reason": "connectivity check: connect start",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:00.427869Z",
"delinea": {
"pra": {
"engine": {
"id": "123123123-2e39-4bdb-9c7b-123123123"
}
}
},
"log": {
"level": "INFO"
},
"network": {
"transport": "tcp"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"jdoe"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 443,
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:00.427766647+02:00\",\"level\":\"INFO\",\"msg\":\"connectivity check: DNS done\",\"who\":\"jdoe\",\"engine_id\":\"123123123-2e39-4bdb-9c7b-123123123\",\"addrs\":[{\"IP\":\"1.2.3.4\",\"Zone\":\"\"}],\"err\":null}",
"event": {
"category": [
"network"
],
"reason": "connectivity check: DNS done",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:00.427766Z",
"delinea": {
"pra": {
"engine": {
"id": "123123123-2e39-4bdb-9c7b-123123123"
}
}
},
"host": {
"ip": "1.2.3.4"
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:26.250961267+02:00\",\"level\":\"INFO\",\"msg\":\"received registrar response\",\"who\":\"jdoe\",\"engine_id\":\"testEngineId\",\"http_status\":\"200 OK\"}",
"event": {
"category": [
"network"
],
"reason": "received registrar response",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:26.250961Z",
"delinea": {
"pra": {
"engine": {
"id": "testEngineId"
}
}
},
"http": {
"response": {
"status_code": 200
}
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:26.25176562+02:00\",\"level\":\"INFO\",\"msg\":\"tracking parent process\",\"ppid\":112802}",
"event": {
"category": [
"network"
],
"reason": "tracking parent process",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:26.251765Z",
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"process": {
"parent": {
"pid": 112802
}
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:26.252049232+02:00\",\"level\":\"INFO\",\"msg\":\"tracking parent process: switching to polling\",\"error\":\"waitid: no child processes\",\"ppid\":112802}",
"event": {
"category": [
"network"
],
"reason": "tracking parent process: switching to polling",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:26.252049Z",
"error": {
"message": "waitid: no child processes"
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"process": {
"parent": {
"pid": 112802
}
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:26.252153218+02:00\",\"level\":\"INFO\",\"msg\":\"connecting with engine jdoe service\",\"who\":\"jdoe\",\"engine_id\":\"testEngineId\"}",
"event": {
"category": [
"network"
],
"reason": "connecting with engine jdoe service",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:26.252153Z",
"delinea": {
"pra": {
"engine": {
"id": "testEngineId"
}
}
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:26.41960967+02:00\",\"level\":\"INFO\",\"msg\":\"already registered\",\"registration-id\":\"de7e550e-82c2-4be5-ad66-0000000000000\"}",
"event": {
"category": [
"network"
],
"reason": "already registered",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:26.419609Z",
"delinea": {
"pra": {
"registration": {
"id": "de7e550e-82c2-4be5-ad66-0000000000000"
}
}
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:26.971561057+02:00\",\"level\":\"INFO\",\"msg\":\"successfully obtained the auth token\",\"scope\":\"xpmheadless\"}",
"event": {
"category": [
"network"
],
"reason": "successfully obtained the auth token",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:26.971561Z",
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:27.48160835+02:00\",\"level\":\"INFO\",\"msg\":\"successfully connected with engine jdoe service\",\"who\":\"jdoe\",\"engine_id\":\"testEngineId\"}",
"event": {
"category": [
"network"
],
"reason": "successfully connected with engine jdoe service",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:27.481608Z",
"delinea": {
"pra": {
"engine": {
"id": "testEngineId"
}
}
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
}
}
{
"message": "{\"time\":\"2025-08-06T09:50:08.76174172+02:00\",\"level\":\"INFO\",\"msg\":\"connectivity check: done\",\"who\":\"jdoe\",\"engine_id\":\"a2e2fb3f-2e39-4bdb-9c7b-123123213123213\",\"tenant_url\":\"https://test.example.org/\"}",
"event": {
"category": [
"network"
],
"reason": "connectivity check: done",
"type": [
"info"
]
},
"@timestamp": "2025-08-06T07:50:08.761741Z",
"delinea": {
"pra": {
"engine": {
"id": "a2e2fb3f-2e39-4bdb-9c7b-123123213123213"
}
}
},
"log": {
"level": "INFO"
},
"observer": {
"product": "Delinea PRA",
"vendor": "Delinea"
},
"related": {
"user": [
"jdoe"
]
},
"source": {
"user": {
"name": "jdoe"
}
},
"url": {
"domain": "test.example.org",
"original": "https://test.example.org/",
"path": "/",
"port": 443,
"registered_domain": "example.org",
"scheme": "https",
"subdomain": "test",
"top_level_domain": "org"
}
}
{
"message": "{\n \"eventMessageId\": \"00000000-0000-0000-0000-000000000000\",\n \"tenantId\": \"11111111-1111-1111-1111-111111111111\",\n \"notes\": null,\n \"fieldChanges\": null,\n \"displayMessage\": \"Login for user j.doe@test started.\",\n \"level\": \"SecurityAudit\",\n \"eventDateTime\": \"2025-12-15T14:30:25.2145828+00:00\",\n \"tags\": null,\n \"analyticData\": null,\n \"sessionId\": \"22222222-2222-2222-2222-222222222222\",\n \"isSystem\": false,\n \"service\": {\n \"type\": \"Identity\",\n \"version\": null,\n \"identifier\": null\n },\n \"source\": {\n \"host\": {\n \"machineName\": null,\n \"network\": {\n \"id\": null,\n \"name\": null,\n \"address\": null,\n \"addressType\": \"ipaddress\",\n \"domain\": null,\n \"ipAddress\": \"4.5.6.7\",\n \"socket\": null,\n \"macAddress\": null,\n \"port\": null,\n \"lon\": null,\n \"lat\": null,\n \"geo\": {\n \"cityName\": null,\n \"countryIsoCode\": null,\n \"timeZone\": null\n },\n \"carrier\": null\n },\n \"client\": {\n \"type\": null,\n \"operatingSystem\": null,\n \"mobileApp\": null,\n \"userAgent\": \"Python/3.11 aiohttp/3.12.15\"\n }\n },\n \"displayName\": \"1.2.3.4\",\n \"id\": \"1.2.3.4\",\n \"platformId\": null,\n \"internalId\": null,\n \"idType\": \"ClientIPAddress\",\n \"type\": \"Web\",\n \"name\": \"1.2.3.4\",\n \"additionalAttributes\": null\n },\n \"actor\": {\n \"displayName\": \"j.doe@test\",\n \"email\": null,\n \"delegatedUserId\": null,\n \"delegatedUserPlatformId\": null,\n \"delegatedUserName\": null,\n \"id\": \"33333333-3333-3333-3333-333333333333\",\n \"platformId\": \"33333333-3333-3333-3333-333333333333\",\n \"internalId\": null,\n \"idType\": \"platformid\",\n \"type\": \"user\",\n \"name\": \"j.doe@test\",\n \"additionalAttributes\": null\n },\n \"target\": {\n \"host\": {\n \"machineName\": null,\n \"network\": null,\n \"client\": null\n },\n \"displayName\": null,\n \"containerId\": null,\n \"containerName\": null,\n \"containerType\": null,\n \"id\": null,\n \"platformId\": 
null,\n \"internalId\": null,\n \"idType\": null,\n \"type\": null,\n \"name\": null,\n \"additionalAttributes\": null\n },\n \"eventType\": {\n \"id\": 133,\n \"name\": \"Delinea.Identity.AuthSession.SessionStart\",\n \"internalName\": \"Cloud.AuditService.AuthSession.SessionStart\",\n \"account\": null,\n \"verb\": null,\n \"targetType\": null,\n \"level\": \"SecurityAudit\",\n \"additionalAttributes\": null\n },\n \"processedTime\": \"2025-12-15T14:30:25.8114154+00:00\",\n \"additionalAttributes\": {\n \"Expires\": [\n \"12/16/2025 2:30:25\u202fAM\"\n ],\n \"AuthFactors\": [\n \"\"\n ],\n \"AzRoleId\": [\n \"Web.publicapifortokens-557dcf997d-gr2lc\"\n ],\n \"AuthMethod\": [\n \"None\"\n ],\n \"ThreadType\": [\n \"RestCall\"\n ],\n \"Started\": [\n \"1/1/0001 12:00:00\u202fAM\"\n ],\n \"Tenant\": [\n \"11111111-1111-1111-1111-111111111111\"\n ],\n \"InternalTrackingID\": [\n \"99999999999999999999999999999999\"\n ],\n \"AzRoleName\": [\n \"WebRole\"\n ],\n \"DirectoryServiceUuid\": [\n \"44444444-4444-4444-4444-444444444444\"\n ],\n \"Level\": [\n \"Info\"\n ],\n \"AzDeploymentId\": [\n \"7.4.218\"\n ],\n \"ClientIPAddress\": [\n \"1.2.3.4\"\n ],\n \"WhenLogged\": [\n \"12/15/2025 2:30:25\u202fPM\"\n ],\n \"RequestIsMobileDevice\": [\n \"False\"\n ]\n }\n}\n",
"event": {
"action": "Delinea.Identity.AuthSession.SessionStart",
"category": [
"authentication"
],
"code": "133",
"dataset": "SecurityAudit",
"kind": "alert",
"provider": "Identity",
"reason": "Login for user j.doe@test started.",
"type": [
"start"
]
},
"@timestamp": "2025-12-15T14:30:25.214582Z",
"host": {
"ip": "4.5.6.7",
"name": "1.2.3.4"
},
"log": {
"level": "SecurityAudit"
},
"network": {
"transport": "ipaddress"
},
"observer": {
"product": "Delinea PRA",
"type": "Identity",
"vendor": "Delinea"
},
"organization": {
"id": "11111111-1111-1111-1111-111111111111"
},
"related": {
"ip": [
"4.5.6.7"
],
"user": [
"j.doe@test"
]
},
"source": {
"address": "4.5.6.7",
"ip": "4.5.6.7"
},
"user": {
"full_name": "j.doe@test",
"name": "j.doe@test"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Python aiohttp",
"original": "Python/3.11 aiohttp/3.12.15",
"os": {
"name": "Other"
},
"version": "3.12.15"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Inferred fields are not listed.
| Name | Type | Description |
|---|---|---|
| `@timestamp` | `date` | Date/time when the event originated. |
| `delinea.pra.engine.id` | `keyword` | The unique identifier for the engine that processed the request. |
| `delinea.pra.registration.id` | `keyword` | The unique identifier for the registration associated with the event. |
| `delinea.pra.site.id` | `keyword` | The unique identifier for the site where the event originated. |
| `destination.address` | `keyword` | Destination network address. |
| `destination.domain` | `keyword` | The domain name of the destination. |
| `destination.ip` | `ip` | IP address of the destination. |
| `destination.port` | `long` | Port of the destination. |
| `error.message` | `match_only_text` | Error message. |
| `event.action` | `keyword` | The action captured by the event. |
| `event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
| `event.code` | `keyword` | Identification code for this event. |
| `event.dataset` | `keyword` | Name of the dataset. |
| `event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
| `event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. |
| `event.provider` | `keyword` | Source of the event. |
| `event.reason` | `keyword` | Reason why this event happened, according to the source. |
| `event.severity` | `long` | Numeric severity of the event. |
| `event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
| `host.hostname` | `keyword` | Hostname of the host. |
| `host.id` | `keyword` | Unique host id. |
| `host.ip` | `ip` | Host ip addresses. |
| `host.name` | `keyword` | Name of the host. |
| `host.os.type` | `keyword` | Which commercial OS family (one of: linux, macos, unix or windows). |
| `http.response.status_code` | `long` | HTTP response status code. |
| `log.level` | `keyword` | Log level of the log event. |
| `network.transport` | `keyword` | Protocol Name corresponding to the field iana_number. |
| `observer.product` | `keyword` | The product name of the observer. |
| `observer.serial_number` | `keyword` | Observer serial number. |
| `observer.type` | `keyword` | The type of the observer the data is coming from. |
| `observer.vendor` | `keyword` | Vendor name of the observer. |
| `observer.version` | `keyword` | Observer version. |
| `organization.id` | `keyword` | Unique identifier for the organization. |
| `process.parent.pid` | `long` | Process id. |
| `source.address` | `keyword` | Source network address. |
| `source.domain` | `keyword` | The domain name of the source. |
| `source.geo.city_name` | `keyword` | City name. |
| `source.geo.country_iso_code` | `keyword` | Country ISO code. |
| `source.geo.timezone` | `keyword` | Time zone. |
| `source.ip` | `ip` | IP address of the source. |
| `source.mac` | `keyword` | MAC address of the source. |
| `source.port` | `long` | Port of the source. |
| `source.user.name` | `keyword` | Short name or login of the user. |
| `tls.version` | `keyword` | Numeric part of the version parsed from the original string. |
| `url.original` | `wildcard` | Unmodified original url as seen in the event source. |
| `user.email` | `keyword` | User email address. |
| `user.full_name` | `keyword` | User's full name, if available. |
| `user.name` | `keyword` | Short name or login of the user. |
| `user_agent.original` | `keyword` | Unparsed user_agent string. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.