Vault Root Token Used

Set up the vault integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when a vault root token is used. Root tokens can perform any activity and have the highest level of privileges in Vault and should only be used in emergencies.

Strategy

This rule lets you monitor Vault Audit Logs (source:vault) to detect when root is seen in either of these two attributes.

auth policy (@auth.policies)
auth display name (@auth.display_name)

This rule also lets you monitor the API endpoint /sys/generate-root which is used to create new root keys.

Triage & Response

Determine who created the root token and when. You can get token creation time using the token accessor with vault token lookup -accessor <accessor>.
Inspect the requests made with the root token and ensure that its usage is valid.
Ensure that after the root token is no longer needed, it is revoked (vault token revoke -accessor <token>).