What Are Event Subscriptions?
Understanding the Secret Server notification engine
Definition
An Event Subscription in Delinea Secret Server is a configurable rule that monitors for specific system or secret-level activity and automatically delivers notifications to designated recipients — via email, Slack, Teams, or custom webhook — when that activity occurs.
Event Subscriptions form the heart of Secret Server's audit alerting capability. Instead of polling reports manually, subscriptions push the right information to the right people the moment it happens — reducing response time and supporting compliance requirements.
How It Works
Event Categories
Secret Events
View, edit, delete, check-out, launch session, copy password, expiry, heartbeat failure.
User Events
Login, logout, login failure, lockout, permission change, MFA events.
Folder Events
Folder creation, deletion, permission change, secret moved into/out of folder.
System Events
Configuration changes, role changes, discovery, backup, licence expiry.
Workflow Events
Access requests submitted, approved, denied, and expiration of workflow grants.
Heartbeat Events
Password validation success/failure, Remote Password Changer (RPC) results.
Finished reading Module 01?
Creating Event Subscriptions
Step-by-step walkthrough from navigation to save
Step-by-Step: Create a New Subscription
From the top menu go to Admin → Event Subscriptions. The Event Subscriptions management page will load showing all existing subscriptions.
Select the Create New button (top-right of the grid). This opens the New Event Subscription wizard.
Enter a descriptive name — e.g. Prod Vault — Critical Secret Viewed. Good naming conventions include scope, event type, and environment.
Expand the Events selector. Choose one or more event types from the categorised list. Each selected event creates a trigger condition for this subscription.
Apply scope filters to narrow the subscription:
• Secret Filter — scope to specific secrets by name or template.
• Folder Filter — restrict to secrets inside certain folders.
• Group Filter — only fire when the acting user belongs to a specified group.
• Container Filter — limit to a specific site or engine.
Click Add Recipient. Select from Users, Groups, or enter an external email address. You can mix all three recipient types on a single subscription.
Choose whether to Send Immediately (one email per event) or Batch notifications on a schedule (e.g. hourly digest). For high-volume events, batching is strongly recommended.
Ensure Active is toggled on, then click Save. The subscription immediately begins monitoring for matching events.
Key Configuration Fields
| Field | Required | Description |
|---|---|---|
| Name | Yes | Unique, descriptive name for the subscription. |
| Events | Yes | One or more event types that trigger the notification. |
| Filters | Optional | Scope limiting criteria: folder, secret, group, or site. |
| Recipients | Yes | Users, groups, or external emails to be notified. |
| Send Immediately | Optional | Toggle between real-time and batched digest delivery. |
| Active | Optional | Enable/disable without deleting the subscription. |
| High Priority | Optional | Marks notification as high-priority in email clients. |
Finished reading Module 02?
Managing Event Subscriptions
Edit, disable, audit, and maintain subscriptions over time
After go-live, subscriptions require ongoing attention. Recipients change, event scopes expand, and alert fatigue can emerge if subscriptions are not regularly reviewed.
Navigate to Admin → Event Subscriptions, locate the subscription in the grid, and click its name or the Edit pencil icon.
All fields are editable post-creation. Changes take effect immediately upon saving — there is no deployment or propagation delay. Use the Audit tab within the subscription to see who last modified it and when.
Disable (toggle Active off) when a subscription is temporarily paused — maintenance windows, change freezes, or testing. The configuration is preserved and can be re-enabled instantly.
Delete only when the subscription is permanently no longer needed. Deletion is irreversible and removes all associated configuration. Always prefer disabling when in doubt.
Recipients can be added or removed at any time. Best practice is to assign Groups rather than individual users so that off-boarding and team changes automatically update notification routing without modifying each subscription.
External email recipients (outside the Secret Server directory) are supported and useful for routing to ticketing systems (e.g. ServiceNow inbound email) or SIEM forwarders.
Every change to a subscription is logged in Secret Server's audit trail. Access it via Admin → Event Subscriptions → [Subscription Name] → Audit tab.
The audit log captures: creation date, last modified by, field-level diff of what changed, and the IP address of the modifying user. This supports SOC 2, ISO 27001, and PCI-DSS audit requirements.
Secret Server logs every notification sent. Review delivery history under Reports → Event Subscriptions or in the subscription's own Notifications tab to confirm alerts were delivered and identify failures caused by SMTP misconfiguration or bounced addresses.
High-frequency events (e.g. Secret Viewed on a shared vault) can generate hundreds of emails per day, causing recipients to ignore them. Mitigate this by:
- Enabling Batch / Digest delivery (hourly or daily).
- Applying Folder or Group filters to limit scope.
- Reserving Send Immediately only for critical security events.
- Regularly reviewing subscription hit rates in the Notifications tab and pruning or adjusting underperforming subscriptions.
Recipient Types
| Type | Use When |
|---|---|
| User (Internal) | Notifying a named individual — e.g. the secret owner or vault admin. |
| Group (Internal) | Notifying a team role (SOC, PAM Admins). Preferred: automatically inherits membership changes. |
| External Email | Routing to ticketing inboxes (ServiceNow, Jira), SIEM forwarders, or distribution lists. |
| Webhook (via Pipeline) | Delivering structured JSON payloads to Slack, Teams, PagerDuty, or custom APIs. Requires Event Pipeline configuration. |
Quarterly Maintenance Checklist
Click each item to mark it complete.
- Review all active subscriptions — confirm they are still needed.
- Verify recipient lists reflect current team membership.
- Check notification delivery success rate in the Notifications tab.
- Remove or merge duplicate subscriptions covering the same scope.
- Confirm batch schedules align with incident-response SLAs.
- Audit who has Administer Event Subscriptions permission — limit to PAM admins.
Finished reading Module 03?
Use Cases & Leverage
Real-world scenarios that deliver security and compliance value
Event Subscriptions unlock tangible value only when mapped to real operational and compliance needs. Below are the most impactful patterns.
Privilege Escalation Detection
Subscribe to Role Assignment Changed and User Added to Group events. Alert the Security team whenever elevated roles are granted — catching both authorised changes and insider threats.
After-Hours Access Alerts
Use the Group filter to scope Secret Viewed and Session Launch events to privileged accounts, and alert on any activity outside business hours using scheduled reports combined with subscriptions.
Heartbeat Failure Monitoring
Subscribe to Heartbeat Failure events scoped to production credential folders. Immediate alerts let the vault team investigate misconfigured RPC before an outage occurs.
Check-Out Monitoring
Alert on Secret Checked Out and Check-In Overdue for high-value secrets (domain admin, root, break-glass). Ensures oversight of every privileged session against a shared account.
SOX — Change Evidence
Subscribe to Secret Field Changed on financial system credentials. Email notifications serve as immutable evidence of who changed what and when — directly satisfying SOX IT general controls.
PCI-DSS — Access Alerts
PCI DSS Req. 10 requires alerting on privileged access to cardholder data systems. A subscription scoped to the CDE folder with Secret Viewed and Session Launch events satisfies this directly.
HIPAA — PHI System Access
Alert on any access to credentials for EHR or PHI-adjacent systems. Combine with folder-level access reviews to demonstrate minimum-necessary access controls.
Password Expiry Reminders
Subscribe to Secret Expiration events 30/7/1 days before expiry. Automate credential rotation reminders, reducing compliance gaps caused by expired passwords on non-RPC accounts.
RPC Failure Alerting
Subscribe to Password Change Failed events. Ops teams can immediately investigate and remediate failed automated rotations before manual password use becomes necessary.
Secret Lifecycle Events
Alert on Secret Created and Secret Deleted in critical folders. Helps vault admins track vault growth and identify ungoverned secrets being added outside change control.
Access Request Notifications
Subscribe to Access Request Submitted to ensure approvers are promptly notified. Reduces approval SLA breaches and removes the need for manual follow-up chasing.
Discovery Notifications
Alert on Discovery Scan Completed and Unmanaged Account Found. Provides ops teams a prompt to onboard newly discovered privileged accounts before they drift outside PAM governance.
Feeding Secret Server event data into a SIEM or SOAR platform gives the SOC real-time PAM telemetry for correlation and investigation.
Finished reading Module 04?
Advanced Configuration
Email templates, REST API management, and Event Pipeline integration
Customising Notification Email Templates
Secret Server ships with default notification templates. You can override them per subscription or globally via Admin → Configuration → Email. Templates use Razor-style tokens.
Managing Subscriptions via REST API
Secret Server exposes a full REST API for Event Subscriptions — useful for Infrastructure-as-Code (IaC) provisioning, automated audits, and CI/CD pipeline integration.
Event Subscriptions vs. Event Pipelines
| Capability | Event Subscription | Event Pipeline |
|---|---|---|
| Purpose | Notify people | Automate actions |
| Email Notification | ✓ Native | ✓ Via Task |
| Webhook / Slack | ✗ Not supported | ✓ Native |
| Trigger Password Change | ✗ | ✓ |
| Create Ticket (ITSM) | ✗ | ✓ |
| Complexity | Low | Medium–High |
| License Requirement | All editions | Platinum / above |
Finished reading Module 05?
Knowledge Check
Test your understanding before signing off this module
Finished the Knowledge Check?