HashiCorp Vault
About
Secure, store, and tightly control access to tokens, passwords, certificates, and encryption keys for protecting secrets and other sensitive data, using a UI, CLI, or HTTP API.
Product Details
Vendor URL: HashiCorp Vault
Product Type: SaaS
Product Tier: Tier III
Integration Method: Cloud Storage for the HashiCorp-hosted solution, or syslog for the self-hosted solution.
Integration URL: Audit Log Management (HashiCorp Hosted)
Integration URL: Socket Audit Device (Self-hosted)
Log Guide: Audit and Operational Log Details
Parser Details
Log Format: JSON
Expected Normalization Rate: 90-100%
Data Label: HASHICORP
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
auth.auth_token | principal.user.account_type |
auth.client_token | extensions.auth.auth_details |
auth.display_name | principal.user.user_display_name |
auth.entity_id | principal.user.product_object_id |
auth.metadata.role_name | principal.user.attribute.roles |
auth.metadata.username | principal.user.userid |
auth.policies | target.asset.attribute.labels(policy) |
error | security_result.action_details |
request.id | metadata.product_log_id |
request.mount_type | target.asset.attribute.labels(mount_type) |
request.namespace.id | target.asset.attribute.labels(namespace_id) |
request.operation | metadata.description |
request.path | target.file.full_path |
request.remote_address | principal.ip |
request.remote_port | principal.port |
response.mount_type | target.asset.attribute.labels(mount_type) |
type | metadata.product_event_type |
Product Event Types
Event | UDM Event Classification |
---|---|
Read | RESOURCE_READ |
Others | STATUS_UPDATE |
Log Sample
development{"time":"2022-01-05T14:26:16.686345945Z","type":"response","auth":{"client_token":"hmac-sha256:efb7931295e489ae6ae8982922b9eb1b10fd607fb5e49e348214079457831f26","accessor":"hmac-sha256:eb30520cd7fca1d8b27c85c30371863e0de81cc2cc4b8491233744ebd7d2d179","display_name":"approle","policies":["default","pkx-xxx-admin"],"token_policies":["default","pkx-xxx-admin"],"metadata":{"role_name":"pkx-xxx-admin"},"entity_id":"7d47c940-9309-3ebf-823c-751171664840","token_type":"service","token_ttl":1200},"request":{"id":"701547b8-93c9-b0a8-14ff-b86068374d2d","operation":"update","mount_type":"approle","namespace":{"id":"root"},"path":"auth/approle/login","data":{"role_id":"hmac-sha256:ef52cda858438ac1196ced59b1e7a3641418b1b529d95acc5a9cf07219f03e42","secret_id":"hmac-sha256:7607da157b61e27ce8df77fbca24299b63ea8d4a106f83ce1bab409e6af0e1e4"},"remote_address":"10.1.1.18"},"response":{"auth":{"client_token":"hmac-sha256:efb7931295e489ae6ae8982922b9eb1b10fd607fb5e49e348214079457831f26","accessor":"hmac-sha256:eb30520cd7fca1d8b27c85c30371863e0de81cc2cc4b8491233744ebd7d2d179","display_name":"approle","policies":["default","pkx-xxx-admin"],"token_policies":["default","pkx-xxx-admin"],"metadata":{"role_name":"pkx-xxx-admin"},"entity_id":"7d47c940-9309-3ebf-823c-751171664840","token_type":"service","token_ttl":1200},"mount_type":"approle"}}
Sample Parsing
metadata.product_log_id: pxx-xx-admin
metadata.event_timestamp: 2022-01-19 19:42:17
metadata.event_type: GENERIC_EVENT
metadata.product_event_type: response
metadata.product_deployment_id: update
metadata.description: approle
metadata.principal.ip: 10.1.1.18
metadata.principal.resource.type: development
metadata.src.asset.product_object_id: 701547b8-93c9-b0a8-14ff-b86068374d2d
metadata.target.file.full_path: auth/approle/login
metadata.extensions.auth.auth_details: approle
Parser Alerting
This product currently does not have any Parser-based Alerting.
Rules
Coming Soon