Supported Logging Events
The integration supports the following events by default:
| CONFIGURATION - EDIT | The main DelineaSecret Server configuration has been edited | 10 | 19001 |
| FOLDER - CREATE | A Folder has been created | 2 | 19001 |
| FOLDER - DELETE | A Folder has been deleted | 5 | 19001 |
| FOLDER - EDIT PERMISSIONS | The configuration has been edited | 10 | 19001 |
| FOLDER - SECRET POLICY CHANGE | The policy assigned to a folder has been changed | 6 | 19001 |
| FOLDER - SECRET POLICY CHANGE | The Secret policy assigned to a folder has been changed | 8 | 19001 |
| GROUP - OWNERS MODIFIED | The owners of a group have been modified | 5 | 19001 |
| LICENSE - EXPIRES 30 DAYS | Secret Servers license will expire in 30 days | 1 | 19001 |
| POWERSHELL SCRIPT - CREATE | A PowerShell script has been created | 5 | 19001 |
| POWERSHELL SCRIPT - DEACTIVATE | A PowerShell script has been deactivated | 5 | 19001 |
| POWERSHELL SCRIPT - EDIT | A PowerShell script has been edited | 8 | 19001 |
| POWERSHELL SCRIPT - REACTIVATE | A PowerShell script has been reactivated | 6 | 19001 |
| POWERSHELL SCRIPT - VIEW | A PowerShell script has been viewed | 5 | 19001 |
| ROLE - ASSIGN USER OR GROUP | A role has been assigned to a user or group | 5 | 19001 |
| ROLE - CREATE | A role has been created | 5 | 19001 |
| ROLE - UNASSIGN USER OR GROUP | A role has been unassigned to a user or group | 5 | 19001 |
| ROLE PERMISSION - ADDED TO ROLE | A permission has been added to a role | 5 | 19001 |
| ROLE PERMISSION - REMOVED FROM ROLE | A permission has been removed from a role | 5 | 19001 |
| SECRET - ACCESS APPROVED | Access to a Secret has been approved | 2 | 19001 |
| SECRET - ACCESS DENIED | Access to a Secret has been denied | 6 | 19001 |
| SECRET - CHECKIN | A Secret has been checked in | 1 | 19001 |
| SECRET - CHECKOUT | A Secret has been checked out | 5 | 19001 |
| SECRET - COPY | A Secret has been copied | 1 | 19001 |
| SECRET - CREATE | A Secret has been created | 1 | 19001 |
| SECRET - CUSTOM AUDIT | A custom audit has been created | 1 | 19001 |
| SECRET - CUSTOM REQUIREMENT ADDED | A custom password requirement has been added to a Secret | 2 | 19001 |
| SECRET - CUSTOM REQUIREMENT REMOVED | A custom password requirement has been removed from a Secret | 6 | 19001 |
| SECRET - DELETE | A Secret has been deleted | 5 | 19001 |
| SECRET - DEPENDENCY ADDED | A dependency has been added | 8 | 19001 |
| SECRET - DEPENDENCY FAILURE | A dependency is missing | 5 | 19001 |
| SECRET - DEPENDENCY REMOVED | A dependency has been removed | 8 | 19001 |
| SECRET - EDIT | A Secret has been edited | 5 | 19001 |
| SECRET - EDIT VIEW | A Secrets view option has been edited | 8 | 19001 |
| SECRET - EXPIRES 1 DAY | A Secret expires in 1 day | 5 | 19001 |
| SECRET - EXPIRES 15 DAYS | A Secret expires in 15 days | 1 | 19001 |
| SECRET - EXPIRES 3 DAYS | A Secret expires in 3 days | 1 | 19001 |
| SECRET - EXPIRES 7 DAYS | A Secret expires in 7 days | 1 | 19001 |
| SECRET - EXPIRES TODAY | A Secret expires today | 1 | 19001 |
| SECRET - HEARTBEAT FAILURE | Heartbeat has not been detected for over 10 seconds | 5 | 19001 |
| SECRET - HEARTBEATSUCCESS | Heartbeat has been detected | 1 | 19001 |
| SECRET - HOOK CREATE | A hook has been created | 3 | 19001 |
| SECRET - HOOK DELETE | A hook has been deleted | 8 | 19001 |
| SECRET - HOOK EDIT | A hook has been edited | 6 | 19001 |
| SECRET - HOOKFAILURE | A hook has failed to initialise a PowerShell script | 8 | 19001 |
| SECRET - HOOKSUCCESS | A hook has successfully initialised a PowerShell script | 1 | 19001 |
| SECRET - LAUNCH | A Secret has been launched | 1 | 19001 |
| SECRET - PASSWORD COPIED TO CLIPBOARD | A password has been copied to the clipboard | 5 | 19001 |
| SECRET - PASSWORD_DISPLAYED | A Secret password has been displayed | 5 | 19001 |
| SECRET - SECRET POLICY CHANGE | The Secret policy assigned to a Secret has been changed | 8 | 19001 |
| SECRET - SESSION RECORDING VIEW | A Secret recording is being viewed | 5 | 19001 |
| SECRET - UNDELETE | A Secret has been restored | 1 | 19001 |
| SECRET - VIEW | A Secret has been viewed | 1 | 19001 |
| SECRET POLICY - CREATE | A Secret policy has been created | 1 | 19001 |
| SECRET POLICY - EDIT | A Secret policy has been edited | 6 | 19001 |
| SECRET TEMPLATE - COPY | A Secret template has been copied | 1 | 19001 |
| SECRET TEMPLATE - CREATE | A Secret template has been created | 1 | 19001 |
| SECRET TEMPLATE - EDIT | A Secret template has been edited | 1 | 19001 |
| SECRET TEMPLATE - FIELD ENCRYPTED | A field in a template has been encrypted | 1 | 19001 |
| SECRET TEMPLATE - FIELD EXPOSED | A field in a template has been exposed | 6 | 19001 |
| SECRETS EXPORTD | Secrets have been exported | 10 | 19001 |
| SECRETS IMPORTED | Secrets have been imported | 1 | 19001 |
| SYSTEM LOG | DelineaSecret Server system logs | 1 | 19001 |
| UNLIMITED ADMIN - DISABLED | Unlimited admin has been disabled | 10 | 19001 |
| UNLIMITED ADMIN - ENABLED | Unlimited admin has been enabled | 10 | 19001 |
| USER - ADDED TO GROUP | A user account has been added to a group | 8 | 19001 |
| USER - CREATE | A user account has been created | 5 | 19001 |
| USER - DISABLE | A user account has been disabled | 5 | 19001 |
| USER - ENABLE | A user account has been enabled | 5 | 19001 |
| USER - LOCKOUT | A user account has been locked out see payload for information | 10 | 19001 |
| USER - LOGIN | A user has logged on | 1 | 19001 |
| USER - LOGIN FAILURE | A user has entered an incorrect password | 8 | 19001 |
| USER - LOGOUT | A user has logged out | 1 | 19001 |
| USER - PASSWORD CHANGE | A users password has been changed | 8 | 19001 |
| USER - REMOVED FROM GROUP | A user account has been removed from a group | 5 | 19001 |
| USERAUDIT - EXPIRENOW | All Secrets a user has accessed have expired | 5 | 19001 |
If your event is not listed in the table above, please follow the steps below to add new events to the event log.
The QID or QRadar Identifier is what QRadar uses to give events their name, high-level category, and lowlevel category.
-
First create custom QIDs by SSH-ing into the QRadar console, change the directory to /opt/QRadar/bin and run the following command:
./qidmap_cli.sh -c --qname <name> --qdescription <description> --severity <severity> --lowlevelcategoryid <ID>For example:
./qidmap_cli.sh -c --qname “USER – LOGIN” --qdescription “A user as logged in.” --severity 1 --lowlevelcategoryid 19001
-
If you prefer, you can utilize a CSV list, as demonstrated in the Import List section, and use the following command to import multiple QIDs simultaneously:
/opt/QRadar/bin/qidmap_cli.sh -i -f <filename.txt>19001 is used for most of the low-level category IDs as an example.
-
Using the program sendnow, send the list of all events to your QRadar box in the .txt file you named (example: tss events all.txt) to generate every possible event. The events can be found in the Event List section below.
