Integrating Thycotic Secret Server With EventTracker - Netsurion


Integration Guide
Integrating Thycotic Secret Server with EventTracker
EventTracker v9.x and above
Publication Date: May 24, 2021
Copyright Netsurion. All Rights Reserved.

Abstract
This guide provides instructions to configure Thycotic Secret Server to forward its logs via syslog and to retrieve them in EventTracker. Once EventTracker is configured to collect and parse these logs, dashboards and reports can be configured to monitor Thycotic Secret Server.

Scope
The configuration details in this guide are consistent with EventTracker version 9.x or above and Thycotic Secret Server (Cloud and On-Prem) version 10.9.

Audience
Administrators who are assigned the task of monitoring Thycotic Secret Server events using EventTracker.

Table of Contents
1. Overview
2. Prerequisites
3. Configuring Thycotic SS
3.1 On Premise
3.2 Cloud
4. Configuring EventTracker server to accept logs from Thycotic Secret Server
5. System Licensing
6. EventTracker Knowledge Pack
6.1 Reports
6.2 Alerts
6.3 Dashboards
7. Importing Thycotic SS knowledge pack into EventTracker
7.1 Categories
7.2 Alerts
7.3 Token Template
7.4 Reports
7.5 Knowledge Object
7.6 Dashboard
8. Verifying Thycotic SS knowledge pack in EventTracker
8.1 Categories
8.2 Alerts
8.3 Token Value
8.4 Knowledge Objects
8.5 Reports
8.6 Dashboard
About Netsurion

1. Overview
Thycotic Secret Server (SS) is an enterprise-grade privileged access management solution that is quickly deployable and easily managed. With Thycotic SS, users can automatically discover and manage their privileged accounts through an intuitive interface, protecting against malicious activity across the enterprise.

EventTracker helps to monitor events from Thycotic SS. EventTracker reports, alerts, and dashboards will help you analyze activity logs such as user management, secret view/delete, heartbeat failure, etc.

Reports are provided to get a detailed summary of events during a specific time. They contain critical information such as the time of occurrence of events, the user's source IP, and the action taken by the user.

Dashboards are a graphical representation of the events, which allows administrators to get an overview of key information such as the total number or percentage of audit events or operational events. Alerts, such as secret heartbeat failure or unsuccessful login attempts, will be triggered in real time to let administrators know that critical events are occurring within their networks.

2. Prerequisites
- Admin access to the Thycotic Secret Server platform.
- EventTracker server IP address. (If Thycotic SS is cloud-hosted, the public IP is required.)
- EventTracker server port, e.g. 514 or 6514.
- TLS enabled on the EventTracker Manager in case of a syslog TCP connection.

3. Configuring Thycotic SS
3.1 On Premise
The steps provided below will help to configure Thycotic SS (On-prem) to forward logs via syslog to EventTracker servers.
1. Login to your Thycotic SS platform.
2. Navigate to Administration > Configuration.
3. Select the General tab and click the Edit button.
4. Check the Enable Syslog/CEF Logging check box. Three additional textboxes or lists appear:
   a. Syslog/CEF Server: IP address or name of the EventTracker server.
   b. Syslog/CEF Port: Server port for sent events, e.g., 514.
   c. Syslog/CEF Protocol: Select UDP.
   d. Syslog/CEF Time Zone: UTC Time or Server Time, depending on your preference.
5. Complete or configure those controls.
6. Click Save.

3.2 Cloud
The steps provided below will help to configure Thycotic SS (Cloud) to forward logs via syslog to EventTracker servers.
1. Login to your Thycotic SS platform.
2. Navigate to Administration > Configuration.
3. Select the General tab and click the Edit button.
4. Check the Enable Syslog/CEF Logging check box. Three additional textboxes or lists appear:
   a. Syslog/CEF Server: IP address or name of the server (public IP address of the syslog server).
   b. Syslog/CEF Port: Server port for sent events, e.g., 6514.
   c. Syslog/CEF Protocol: Either UDP or TCP.
   d. Syslog/CEF Time Zone: UTC Time or Server Time, depending on your preference.
5. Complete or configure those controls.
6. Click Save.

If Secure TCP is selected as the protocol, perform the steps below.
Note: Follow these steps if you want to encrypt the traffic. This also requires enabling TLS in the EventTracker manager.
1. Navigate to Administration > Configuration.
2. Select the Security tab and click the Edit button.
3. Go to the TLS Auditing section and enable the option Apply TLS Certificate Chain Policy and Error Auditing.
4. The page will reload and display additional options to be configured.
5. Enable the checkbox for Ignore Certificate Revocation Failures.
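The following is an added example (not Netsurion's or Thycotic's own code) that shows what the Syslog/CEF settings in sections 3.1 and 3.2 amount to on the wire: it wraps a constructed CEF payload in a BSD syslog header, applies the UTC Time / Server Time choice of the Time Zone control, frames the message for TCP, and can send it to a collector over UDP, plain TCP, or TCP with TLS using full certificate chain and hostname validation, so the EventTracker listener's certificate can be checked from the network before Secure TCP is enabled in Secret Server. The CEF event class and extension keys, the hostname thycotic-ss, and the server, port and CA file passed to send_test_event are assumptions made for this example.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample CEF payload. The event class ID and extension keys are placeholders
# for this example, not Thycotic Secret Server's actual CEF schema.
SAMPLE_CEF = ("CEF:0|Thycotic|Secret Server|10.9|USER_LOGIN_FAILURE|User login failed|5|"
              "suser=alice src=10.0.0.25")

# Constructed "server time": 09:05:07 in a UTC-4 zone, i.e. 13:05:07 UTC.
FIXED_TIME = datetime(2021, 5, 24, 9, 5, 7, tzinfo=timezone(timedelta(hours=-4)))


def syslog_timestamp(now, use_utc):
    """RFC 3164 timestamp ("May 24 13:05:07", day space-padded). use_utc=True mirrors the
    'UTC Time' choice of the Syslog/CEF Time Zone control; False mirrors 'Server Time'."""
    stamp = now.astimezone(timezone.utc) if use_utc else now
    return f"{stamp:%b} {stamp.day:2d} {stamp:%H:%M:%S}"


def build_syslog_message(cef, hostname, now, use_utc=True, facility=4, severity=6):
    """Wrap a CEF payload in a BSD syslog header. Facility 4 (security/authorization) and
    severity 6 (informational) give PRI 38. The hostname (or source IP, for the cloud
    service) is what the collector later uses as the system name (see section 5)."""
    pri = facility * 8 + severity
    return f"<{pri}>{syslog_timestamp(now, use_utc)} {hostname} {cef}"


def frame_for_tcp(message):
    """RFC 6587 octet-counting framing ('LEN SP MSG') so a TCP/TLS receiver can split
    consecutive messages on the stream."""
    data = message.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def send_test_event(server, port, protocol="udp", cafile=None, message=None):
    """Send one test event to the collector. protocol is 'udp', 'tcp' or 'tls'.
    server, port and cafile are assumptions supplied by the caller."""
    if message is None:
        message = build_syslog_message(SAMPLE_CEF, "thycotic-ss", datetime.now(timezone.utc))
    if protocol == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(message.encode("utf-8"), (server, port))
        return
    sock = socket.create_connection((server, port), timeout=10)
    if protocol == "tls":
        # Full chain and hostname validation against the supplied CA bundle. A collector
        # whose certificate does not validate here is worth fixing before enabling
        # "Apply TLS Certificate Chain Policy and Error Auditing" in Secret Server.
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        sock = ctx.wrap_socket(sock, server_hostname=server)
    with sock:
        sock.sendall(frame_for_tcp(message))


if __name__ == "__main__":
    print(build_syslog_message(SAMPLE_CEF, "thycotic-ss", FIXED_TIME, use_utc=True))
    print(build_syslog_message(SAMPLE_CEF, "thycotic-ss", FIXED_TIME, use_utc=False))
    # Example call against an assumed collector name, port 6514 and CA file:
    # send_test_event("eventtracker.example.internal", 6514, "tls", cafile="collector-ca.pem")
```

Running the script prints the same event twice, once with the UTC timestamp and once with the server's local time, which is the difference an analyst sees in EventTracker depending on the Time Zone setting chosen above; uncomment the last line with your own collector details to exercise the TLS path.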

4. Configuring EventTracker server to accept logs from Thycotic Secret Server
1. Login to your EventTracker server and connect with SQL Server Management Studio.
2. Import and run the Enable logging.sql script from the Integration package.

5. System Licensing
For On-Prem, a single system will get created with the format HostName syslog.
For the Cloud-based solution, multiple systems with the format IPAddress syslog may get created.

6. EventTracker Knowledge Pack
Once logs are received by the EventTracker manager, Knowledge Packs can be configured in EventTracker.
The following Knowledge Packs are available in EventTracker to support Thycotic SS.

6.1 Reports
- Thycotic SS - User login fails: This report provides a detailed overview of all the failed login attempts by any user. It contains information such as login timestamp, username, and source IP address.
- Thycotic SS - User login activities: This report provides a detailed overview of all the successful login and logout activities performed by any user. It contains information such as login timestamp, username, and source IP.

- Thycotic SS - Configuration Changes: This report provides a detailed overview of all the configuration changes made by any user in the Thycotic SS console. It contains information such as old and new values, username, and source IP along with the timestamp at which the activity was performed.
- Thycotic SS - User and Group Management: This report provides a detailed overview of all the user and group management activities such as user create/delete, group create/delete, etc. It contains information such as the user who made the changes, target user or group name, source IP, and event timestamp.
- Thycotic SS - Role Management: This report provides a detailed overview of all the role management activities, such as a user or group being assigned to a role, a role being disabled, etc. It contains information such as the user who made the changes, target object name/type, source IP, and event timestamp.
- Thycotic SS - Secrets Management: This report provides a detailed overview of all the secrets management activities, such as a secret being created, viewed, or copied, etc. It contains information such as the user who made the changes, target object name/type, source IP, and event timestamp.

- Thycotic SS - Folder Management: This report provides a detailed overview of all the folder management activities such as a folder being created, a folder being deleted, a folder's permissions being changed, etc. It contains information such as the user who made the changes, target object name/type, source IP, and event timestamp.
- Thycotic SS - Script Management: This report provides a detailed overview of all the script management activities such as a PowerShell script created/deleted, an SSH script created/deleted, etc. It contains information such as the user who made the changes, target object name/type, source IP, and event timestamp.

6.2 Alerts
- Thycotic SS: A configuration change has been detected: This alert is triggered by EventTracker when it detects an event that is flagged as a configuration change made by any user.
- Thycotic SS: A failed user login has been detected: This alert is triggered when EventTracker detects an event pointing to a failed login attempt by any user.
- Thycotic SS: A folder permissions have been changed: This alert is triggered by EventTracker when it detects a change in folder permissions.
- Thycotic SS: A role has been assigned to a user or group: This alert is triggered by EventTracker when a user or group is assigned a new role.
- Thycotic SS: A role has been removed from a user or group: This alert is triggered by EventTracker when a role is removed from a user or a group.
- Thycotic SS: A SECRET has expired today: This alert is triggered by EventTracker when a SECRET has expired.
- Thycotic SS: A user password has been changed: This alert is triggered by EventTracker when a user has changed their password.
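As an added example (not EventTracker's own parsing rules, token templates or Knowledge Pack), the script below parses constructed syslog/CEF lines of the kind Secret Server forwards, maps event classes to the alert names listed in section 6.2, and produces the per-user and per-secret counts that dashboards such as "Top Login Fail by Source UserName" and "Top Heartbeat failures by Secret Name" in section 6.3 display. The event class IDs (USER_LOGIN_FAILURE, HEARTBEAT_FAILURE, and so on) and the extension keys in the sample lines are placeholders, not Thycotic's real CEF schema, so the ALERT_RULES mapping is illustrative and would be re-keyed to the real class IDs in practice.

```python
import re
from collections import Counter

# Constructed sample events. The syslog header, event class IDs and extension keys are
# placeholders chosen for this example, not Thycotic Secret Server's real CEF schema.
SYSLOG_PREFIX = "<38>May 24 13:05:07 thycotic-ss "
SAMPLE_LOGS = [SYSLOG_PREFIX + cef for cef in (
    "CEF:0|Thycotic|Secret Server|10.9|USER_LOGIN_FAILURE|User login failed|5|suser=alice src=10.0.0.25",
    "CEF:0|Thycotic|Secret Server|10.9|USER_LOGIN_FAILURE|User login failed|5|suser=alice src=10.0.0.25",
    "CEF:0|Thycotic|Secret Server|10.9|USER_LOGIN|User logged in|3|suser=bob src=10.0.0.40",
    "CEF:0|Thycotic|Secret Server|10.9|CONFIGURATION_EDIT|Configuration edited|6|"
    "suser=bob src=10.0.0.40 cs1Label=Setting cs1=Syslog/CEF Port cs2Label=NewValue cs2=6514",
    "CEF:0|Thycotic|Secret Server|10.9|SECRET_VIEW|Secret viewed|3|suser=carol src=10.0.0.9 cs3Label=SecretName cs3=prod-db-admin",
    "CEF:0|Thycotic|Secret Server|10.9|HEARTBEAT_FAILURE|Secret heartbeat failed|7|cs3Label=SecretName cs3=prod-db-admin",
    "CEF:0|Thycotic|Secret Server|10.9|HEARTBEAT_FAILURE|Secret heartbeat failed|7|cs3Label=SecretName cs3=prod-db-admin",
    "CEF:0|Thycotic|Secret Server|10.9|SECRET_EXPIRED|Secret expired|4|cs3Label=SecretName cs3=legacy-ftp",
    "CEF:0|Thycotic|Secret Server|10.9|ROLE_ASSIGNED|Role assigned|6|suser=bob src=10.0.0.40 duser=dave cs4Label=Role cs4=Administrator",
)]

# Event class -> alert name, following the alert list in section 6.2 (illustrative mapping).
ALERT_RULES = {
    "USER_LOGIN_FAILURE": "Thycotic SS: A failed user login has been detected",
    "CONFIGURATION_EDIT": "Thycotic SS: A configuration change has been detected",
    "FOLDER_PERMISSION_CHANGE": "Thycotic SS: A folder permissions have been changed",
    "ROLE_ASSIGNED": "Thycotic SS: A role has been assigned to a user or group",
    "ROLE_REMOVED": "Thycotic SS: A role has been removed from a user or group",
    "SECRET_EXPIRED": "Thycotic SS: A SECRET has expired today",
    "USER_PASSWORD_CHANGE": "Thycotic SS: A user password has been changed",
}

_F = r"(?:\\.|[^|\\])*"  # one CEF header field: any chars, honouring \| and \\ escapes
CEF_HEADER = re.compile(
    rf"CEF:(?P<version>\d+)\|(?P<vendor>{_F})\|(?P<product>{_F})\|(?P<dev_version>{_F})\|"
    rf"(?P<class_id>{_F})\|(?P<name>{_F})\|(?P<severity>{_F})\|(?P<extension>.*)$"
)
# One extension pair: key=value, where the value runs until the next " key=" or end of line,
# so values with spaces ("Syslog/CEF Port") survive.
EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?= \w+=|$)")


def _unescape(value):
    """Undo the CEF escapes for '=', '|' and backslash."""
    return value.replace("\\=", "=").replace("\\|", "|").replace("\\\\", "\\")


def parse_extension(ext):
    return {m.group(1): _unescape(m.group(2)) for m in EXT_PAIR.finditer(ext)}


def parse_cef(line):
    """Skip the syslog header, split the seven CEF header fields and the extension.
    Returns None for lines that carry no CEF payload."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    m = CEF_HEADER.match(line[idx:])
    if not m:
        return None
    ev = {k: _unescape(v) for k, v in m.groupdict().items() if k != "extension"}
    ev["severity"] = int(ev["severity"]) if ev["severity"].isdigit() else None
    ev["ext"] = parse_extension(m.group("extension"))
    return ev


def evaluate_alerts(events):
    """Raise one alert per event whose class is in ALERT_RULES, keeping user and source IP."""
    alerts = []
    for ev in events:
        alert = ALERT_RULES.get(ev["class_id"])
        if alert:
            alerts.append({"alert": alert, "user": ev["ext"].get("suser"),
                           "src": ev["ext"].get("src"), "severity": ev["severity"]})
    return alerts


def top_by(events, class_id, key, n=5):
    """Dashboard-style count: most frequent values of one extension key for one event class."""
    counts = Counter(ev["ext"].get(key, "<unknown>") for ev in events if ev["class_id"] == class_id)
    return counts.most_common(n)


if __name__ == "__main__":
    parsed = [ev for ev in (parse_cef(line) for line in SAMPLE_LOGS) if ev]
    for a in evaluate_alerts(parsed):
        print(f"{a['alert']} (user={a['user']}, src={a['src']}, severity={a['severity']})")
    print("Top login failures by user:", top_by(parsed, "USER_LOGIN_FAILURE", "suser"))
    print("Top heartbeat failures by secret:", top_by(parsed, "HEARTBEAT_FAILURE", "cs3"))
```

The parser honours the CEF escapes for pipe, equals and backslash in both the header and the extension, which matters because secret and folder names can contain those characters; the alert and count functions operate on the parsed dictionaries, so the same logic applies unchanged once the class IDs and extension keys are replaced with the ones Secret Server actually emits.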

6.3 Dashboards
- Thycotic SS - Top Event Types.
- Thycotic SS - Top Login Fail by Source UserName.

- Thycotic SS - Top Login Success by Source UserName.
- Thycotic SS - User and Group Management.

- Thycotic SS - Top Heartbeat failures by Secret Name.
- Thycotic SS - Secrets viewed in last 24 hours.

- Thycotic SS - Secrets Management.

7. Importing Thycotic SS knowledge pack into EventTracker
NOTE: Import knowledge pack items in the following sequence: Categories > Alerts > Token Template > Knowledge Objects > Flex Reports > Dashboard.
1. Launch the EventTracker Control Panel.
2. Double click Export-Import Utility.

3. Click the Import tab.

7.1 Categories
1. Once you have opened the Export Import Utility via the EventTracker Control Panel, click the Category option, and then click the browse button.
2. Navigate to the knowledge pack folder and select the file with extension “.iscat”, e.g., “Categories Thycotic SS.iscat”, and then click the Import button.

EventTracker displays a success message.

7.2 Alerts
1. Once you have opened the Export Import Utility via the EventTracker Control Panel, click the Alert option, and then click the browse button.
2. Navigate to the knowledge pack folder and select the file with extension “.isalt”, e.g., “Alerts Thycotic SS.isalt”, and then click the Import button.

EventTracker displays a success message.

7.3 Token Template
To import the Token Template, navigate to the EventTracker manager web interface.
1. Click Parsing Rules under the Admin option in the EventTracker manager web interface.
2. Click the Template tab and then click the Import Configuration button.

3. Click the Browse button and navigate to the knowledge packs folder (type %et install path%\Knowledge Packs in the navigation bar) where the “.ettd” file, e.g., “TokenTemplates Thycotic SS.ettd”, is located. Wait a few seconds for the templates to load. Once you see the templates, click the desired template and click the Import button.

7.4 Reports
1. In the EventTracker Control Panel, select the Export/Import utility and select the Import tab. Then click the Reports option and choose New (*.etcrx).

2. Once you have selected New (*.etcrx), a new pop-up window will appear. Click the Select File button and navigate to the file path with a file having the extension “.etcrx”, e.g., “Reports Thycotic SS.etcrx”.
3. Wait while the reports are being populated in the tables below. Select all the relevant reports and then click the Import button.
4. EventTracker displays a success message.

7.5 Knowledge Object
1. Click Knowledge Objects under the Admin option in the EventTracker manager page.
2. Click the import object icon.
3. A pop-up box appears. Click Browse in it and navigate to the knowledge packs folder (type %et install path%\Knowledge Packs in the navigation bar) for the file with the extension “.etko”, e.g., “KO Thycotic SS.etko”, and then click Upload.
4. A list of available knowledge objects will appear. Select the relevant files and click the Import button.

7.6 Dashboard
1. Login to EventTracker.
2. Navigate to Dashboard > My Dashboard.

3. In My Dashboard, click the Import button.
4. Select the browse button and navigate to the knowledge pack folder (type %et install path%\Knowledge Packs in the navigation bar) where the .etwd file, e.g., “Dashboards Thycotic SS.etwd”, is saved and click Upload.
5. Wait while EventTracker populates all the available dashboards. Choose Select All and click the Import button.

8. Verifying Thycotic SS knowledge pack in EventTracker
8.1 Categories
1. Login to EventTracker.
2. Click the Admin dropdown, and then click Categories.
3. In the Category Tree, scroll down and expand the Thycotic Secret Server group folder to view the imported categories.

8.2 Alerts
1. In the EventTracker web interface, click the Admin dropdown, and then click Alerts.
2. In the search box enter Thycotic SS and then click the Search button.
EventTracker displays the Thycotic Secret Server alerts.

8.3 Token Value
1. In the EventTracker web interface, click the Admin dropdown, and then click Template.

2. In the Template tab, click the Thycotic Secret Server group folder to view the imported Token Values.

8.4 Knowledge Objects
1. In the EventTracker web interface, click the Admin dropdown, and then click Knowledge Objects.
2. In the Knowledge Object tree, expand the Thycotic Secret Server group folder to view the imported Knowledge Objects.

8.5 Reports
1. In the EventTracker web interface, click the Reports menu, and then select Report Configuration.
2. In the Reports Configuration pane, select the Defined option.
3. Click the Thycotic Secret Server group folder to view the imported reports.

8.6 Dashboard
1. In the EventTracker web interface, click the Home button and select My Dashboard.
2. Select the Customize dashlets button and type Thycotic in the search bar.


About Netsurion
Flexibility and security within the IT environment are two of the most important factors driving business today. Netsurion’s cybersecurity platforms enable companies to deliver on both. Netsurion’s approach of combining purpose-built technology and an ISO-certified security operations center gives customers the ultimate flexibility to adapt and grow, all while maintaining a secure environment.

Netsurion’s EventTracker cyber threat protection platform provides SIEM, endpoint protection, vulnerability scanning, intrusion detection and more; all delivered as a managed or co-managed service.

Netsurion’s BranchSDO delivers purpose-built technology with optional levels of managed services to multi-location businesses that optimize network security, agility, resilience, and compliance for branch locations.

Whether you need technology with a guiding hand or a complete outsourcing solution, Netsurion has the model to help drive your business forward. To learn more visit netsurion.com or follow us on Twitter or LinkedIn. Netsurion is #19 among MSSP Alert’s 2020 Top 250 MSSPs.

Contact Us
Corporate Headquarters
Netsurion
Trade Centre South
100 W. Cypress Creek Rd
Suite 530
Fort Lauderdale, FL 33309

Contact Numbers
EventTracker Enterprise SOC: 877-333-1433 (Option 2)
EventTracker Enterprise for MSP’s SOC: 877-333-1433 (Option 3)
EventTracker Essentials SOC: 877-333-1433 (Option 4)
EventTracker Software Support: 877-333-1433 (Option 5)
https://www.netsurion.com/eventtracker-support
