
Vault Token Created with Excessive TTL

vault

Classification: attack

Tactic:

Set up the vault integration.


Goal

Detect when a Vault token is created with an excessive time-to-live (TTL), which can indicate an adversary maintaining persistence.

Strategy

Monitor Vault audit logs for tokens created with a time-to-live greater than 90000 seconds (25 hours). If a different threshold is required, clone this rule and update @auth.token_ttl:>90000 in the query.
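The detection logic above, applied to JSON audit-log lines, as an added example (not code from the rule or from Datadog). It assumes the rule's @auth.token_ttl maps to the auth.token_ttl key of a Vault audit entry, restricts matches to response entries on the auth/token/create path (an added assumption, so calls merely made with a long-lived token are not flagged), and uses constructed sample lines.

```python
import json
from typing import Iterable

# Threshold taken from the rule: 90000 seconds (25 hours).
TTL_THRESHOLD_SECONDS = 90000

# Constructed lines in the shape of Vault's JSON audit device output (not real logs).
SAMPLE_AUDIT_LINES = [
    '{"type":"response","time":"2024-05-01T09:00:00Z","auth":{"display_name":"token-ci","token_ttl":3600,"policies":["ci"]},"request":{"path":"auth/token/create","operation":"update"}}',
    '{"type":"response","time":"2024-05-01T09:05:00Z","auth":{"display_name":"token-ops","token_ttl":2592000,"policies":["admin"]},"request":{"path":"auth/token/create","operation":"update"}}',
    '{"type":"request","time":"2024-05-01T09:05:00Z","auth":{"display_name":"token-ops","token_ttl":2592000},"request":{"path":"auth/token/create","operation":"update"}}',
    '{"type":"response","time":"2024-05-01T09:06:00Z","auth":{"display_name":"root","token_ttl":0,"policies":["root"]},"request":{"path":"auth/token/create","operation":"update"}}',
    '{"type":"response","time":"2024-05-01T09:07:00Z","auth":{"display_name":"token-app","token_ttl":2592000},"request":{"path":"secret/data/app","operation":"read"}}',
    'not json at all',
]


def excessive_ttl_events(lines: Iterable[str], threshold: int = TTL_THRESHOLD_SECONDS,
                         flag_non_expiring: bool = False) -> list[dict]:
    """Return one finding per token creation whose auth.token_ttl exceeds threshold.

    Only 'response' entries count, so each creation is reported once (Vault writes
    a request and a response entry per call). A token_ttl of 0 means the token never
    expires; the rule's '>' comparison does not match it, so it is only reported
    when flag_non_expiring is set.
    """
    findings = []
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip instead of crashing the detector
        if entry.get("type") != "response":
            continue
        if not entry.get("request", {}).get("path", "").startswith("auth/token/create"):
            continue
        auth = entry.get("auth", {})
        ttl = auth.get("token_ttl")
        if not isinstance(ttl, int):
            continue  # field missing or non-numeric: nothing to compare
        if ttl > threshold or (flag_non_expiring and ttl == 0):
            findings.append({"time": entry.get("time"), "display_name": auth.get("display_name"),
                             "policies": auth.get("policies", []), "token_ttl": ttl,
                             "hours": round(ttl / 3600, 1)})
    return findings


if __name__ == "__main__":
    for f in excessive_ttl_events(SAMPLE_AUDIT_LINES, flag_non_expiring=True):
        print(f"{f['time']} {f['display_name']} ttl={f['token_ttl']}s ({f['hours']}h) policies={f['policies']}")
```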

Triage & Response

  1. Verify the max TTL for tokens in the appropriate Vault configuration.
  2. If the max TTL is higher than required, modify the max TTL.
  3. Verify with the token creator to confirm that the high-TTL token is legitimate.
  4. Revoke the token if it does not have a legitimate use case.