Skip to content

Hashicorp Vault

HashicorpVault

About

Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.

Product Details

Vendor URL: Hashicorp Vault

Product Type: SaaS

Product Tier: Tier III

Integration Method: Cloud Storage for Hashicorp hosted or syslog for self-hosted solution.

Integration URL: Audit Log Management (Hashicorp Hosted)

Integration URL: Socket Audit Device (Self-hosted)

Log Guide: Audit and Operational Log Details

Parser Details

Log Format: JSON

Expected Normalization Rate: 90-100%

Data Label: HASHICORP

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
auth.auth_token principal.user.account_type
auth.client_token extensions.auth.auth_details
auth.display_name principal.user.user_display_name
auth.entity_id principal.user.product_object_id
auth.metadata.role_name principal.user.attribute.roles
auth.metadata.username principal.user.userid
auth.policies target.asset.attribute.labels(policy)
error security_result.action_details
request.id metadata.product_log_id
request.mount_type target.asset.attribute.labels(mount_type)
request.namespace.id target.asset.attribute.label(namespace_id)
request.operation metadata.description
request.path target.file.full_path
request.remote_address principal.ip
request.remote_port principal.port
response.mount_type target.asset.attribute.labels(mount_type)
type metadata.product_event_type

Product Event Types

Event UDM Event Classification
Read RESOURCE_READ
Others STATUS_UPDATE

Log Sample

development{"time":"2022-01-05T14:26:16.686345945Z","type":"response","auth":{"client_token":"hmac-sha256:efb7931295e489ae6ae8982922b9eb1b10fd607fb5e49e348214079457831f26","accessor":"hmac-sha256:eb30520cd7fca1d8b27c85c30371863e0de81cc2cc4b8491233744ebd7d2d179","display_name":"approle","policies":["default","pkx-xxx-admin"],"token_policies":["default","pkx-xxx-admin"],"metadata":{"role_name":"pkx-xxx-admin"},"entity_id":"7d47c940-9309-3ebf-823c-751171664840","token_type":"service","token_ttl":1200},"request":{"id":"701547b8-93c9-b0a8-14ff-b86068374d2d","operation":"update","mount_type":"approle","namespace":{"id":"root"},"path":"auth/approle/login","data":{"role_id":"hmac-sha256:ef52cda858438ac1196ced59b1e7a3641418b1b529d95acc5a9cf07219f03e42","secret_id":"hmac-sha256:7607da157b61e27ce8df77fbca24299b63ea8d4a106f83ce1bab409e6af0e1e4"},"remote_address":"10.1.1.18"},"response":{"auth":{"client_token":"hmac-sha256:efb7931295e489ae6ae8982922b9eb1b10fd607fb5e49e348214079457831f26","accessor":"hmac-sha256:eb30520cd7fca1d8b27c85c30371863e0de81cc2cc4b8491233744ebd7d2d179","display_name":"approle","policies":["default","pkx-xxx-admin"],"token_policies":["default","pkx-xxx-admin"],"metadata":{"role_name":"pkx-xxx-admin"},"entity_id":"7d47c940-9309-3ebf-823c-751171664840","token_type":"service","token_ttl":1200},"mount_type":"approle"}}

Sample Parsing

metadata.product_log_id: pxx-xx-admin
metadata.event_timestamp: 2022-01-19 19:42:17
metadata.event_type: GENERIC_EVENT
metadata.product_event_type: response
metadata.product_deployment_id: update
metadata.description: approle
metadata.principal.ip: 10.1.1.18
metadata.principal.resource.type: development
metadata.src.asset.product_object_id: 701547b8-93c9-b0a8-14ff-b86068374d2d
metadata.target.file.full_path: auth/approle/login
metadata.extensions.auth.auth_details: approle

Parser Alerting

This product currently does not have any Parser-based Alerting