What does this pack do?
In addition to the HashiCorp Vault integration for managing secrets and credentials on HashiCorp Vault, this pack includes Cortex Data Modeling (XDM) Rules and Parsing Rules for ingesting and normalizing HashiCorp Vault audit logs.
Configuration
Follow the steps below to configure ingestion of HashiCorp Vault audit logs into Cortex XSIAM.
Configuration on HashiCorp Vault
Run the `audit enable` command from the Vault server CLI to enable a File audit device that writes JSON audit records (one object per line) to a file. For example:
```shell
$ vault audit enable file file_path=/var/log/vault_audit.log
```
Note that once any audit device is enabled, Vault refuses to complete a request that it cannot first persist to at least one enabled audit device, so make sure the file path stays writable (for example under log rotation) or Vault will stop serving requests. Tokens, accessors and secret values in these records are HMAC-SHA256 hashed by default; do not enable raw logging unless the log file is protected as carefully as the secrets themselves.
Configuration on Cortex XSIAM
- Install the HashiCorp Vault content pack from Cortex XSIAM Marketplace.
- Configure an XDR Collector:
- Create an XDR Collector installation package as described here.
- Install the created XDR Collector installation package on the HashiCorp Vault server:
- For a Windows server see Install the XDR Collector installation package for Windows.
- For a Linux server see Install the XDR Collector installation package for Linux.
- Configure an XDR Collector Filebeat profile:
- For a Windows server see Add an XDR Collector profile for Windows.
- For a Linux server see Add an XDR Collector profile for Linux.
- When configuring the Filebeat YAML configuration file, use the HashiCorp Vault template as a reference:
- Customize the `paths` parameter in accordance with the `file_path` configured for the enabled File audit device on the HashiCorp Vault server:
```yaml
filebeat.inputs:
- type: filestream
  enabled: true
  id: hashicorp-vault
  paths:
    - /var/log/vault_audit.log # customize path as needed
  processors:
    - add_fields:
        fields:
          vendor: hashicorp
          product: vault
```
- Apply the configured Filebeat profile to the target HashiCorp Vault server by attaching it to a policy as described on Apply profiles to collection machine policies.
- After the Cortex XSIAM Collector starts ingesting logs from the configured path on the HashiCorp Vault server, you can query the collected audit logs under the `hashicorp_vault_raw` dataset.
- Sample XQL query over the normalized XDM schema:
```
datamodel dataset = hashicorp_vault_raw
| fields hashicorp_vault_raw._raw_log, _time,
    xdm.event.id, xdm.event.type, xdm.event.original_event_type, xdm.event.operation_sub_type,
    xdm.event.outcome, xdm.event.outcome_reason,
    xdm.source.ipv4, xdm.source.host.ipv4_public_addresses, xdm.source.port,
    xdm.auth.auth_method, xdm.source.user.identifier, xdm.source.user.groups,
    xdm.target.resource.id, xdm.target.resource.name, xdm.target.resource.type, xdm.target.resource.sub_type,
    xdm.target.user.identifier, xdm.target.user.username,
    xdm.network.rule, xdm.network.session_id, xdm.observer.version
```
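To see what the normalization above is doing with the raw records before they reach the `hashicorp_vault_raw` dataset, here is an added example (not code from the pack or from HashiCorp) that parses the one-JSON-object-per-line output of the File audit device and maps a few of the XDM fields selected in the query. The audit records are constructed in the layout Vault writes, the field mapping is an approximation of the pack's rules, and the `audit_device_changes` and `tokens_are_hashed` checks are illustrative detections added here, not part of the pack.

```python
"""Normalize HashiCorp Vault file-audit records into XDM-style fields.
Added example, not pack or Vault code; records are constructed and the
field mapping approximates the pack's parsing rules."""
import json
from typing import Any, Dict, List


def _record(rtype: str, op: str, path: str, addr: str, tag: str,
            policies: List[str], error: str = "", response: Any = None) -> Dict[str, Any]:
    """Build one constructed audit record in the Vault file-device layout.
    Vault writes tokens and accessors as HMAC-SHA256 digests by default."""
    rec: Dict[str, Any] = {
        "time": "2024-01-10T12:00:00.000000Z", "type": rtype,
        "auth": {"client_token": f"hmac-sha256:{tag}", "accessor": f"hmac-sha256:{tag}a",
                 "display_name": "userpass-alice", "policies": policies,
                 "token_type": "service"},
        "request": {"id": f"req-{tag}", "operation": op, "path": path,
                    "client_token": f"hmac-sha256:{tag}", "remote_address": addr,
                    "namespace": {"id": "root"}},
    }
    if response is not None:
        rec["response"] = response
    if error:
        rec["error"] = error
    return rec


# Constructed sample log: a read request/response pair, then a denied attempt
# to disable the file audit device (DELETE on sys/audit/file).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(r) for r in [
    _record("request", "read", "secret/data/app", "10.0.0.5", "1", ["default", "dev"]),
    _record("response", "read", "secret/data/app", "10.0.0.5", "1", ["default", "dev"],
            response={"data": {"data": {"password": "hmac-sha256:f00d"}}}),
    _record("response", "delete", "sys/audit/file", "203.0.113.7", "2", ["default", "dev"],
            error="1 error occurred:\n\t* permission denied\n\n"),
])


def parse_audit_log(text: str) -> List[Dict[str, Any]]:
    """Split the file into records; blank lines are skipped, malformed ones raise."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def normalize(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Map one raw record onto XDM-style keys (approximate mapping)."""
    req, auth = rec.get("request", {}), rec.get("auth", {})
    path = req.get("path", "")
    if rec.get("type") == "response":
        outcome = "FAILURE" if rec.get("error") else "SUCCESS"
    else:
        outcome = "UNKNOWN"  # request records are written before the handler runs
    return {
        "xdm.event.id": req.get("id"),
        "xdm.event.type": rec.get("type"),
        "xdm.event.operation_sub_type": req.get("operation"),
        "xdm.event.outcome": outcome,
        "xdm.event.outcome_reason": rec.get("error"),
        "xdm.source.ipv4": req.get("remote_address"),
        "xdm.source.user.identifier": auth.get("display_name"),
        "xdm.source.user.groups": auth.get("policies", []),
        "xdm.target.resource.name": path,
        "xdm.target.resource.type": path.split("/", 1)[0],  # mount name
    }


def normalized_events(text: str) -> List[Dict[str, Any]]:
    """Parse and normalize a whole audit file in one call."""
    return [normalize(r) for r in parse_audit_log(text)]


def tokens_are_hashed(rec: Dict[str, Any]) -> bool:
    """True when every token/accessor field carries an HMAC digest. A False
    means the device logs raw values (log_raw) and the file holds credentials."""
    values = [rec.get("auth", {}).get("client_token"),
              rec.get("auth", {}).get("accessor"),
              rec.get("request", {}).get("client_token")]
    return all(v is None or str(v).startswith("hmac-sha256:") for v in values)


def audit_device_changes(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Events touching sys/audit*: enabling or disabling audit devices can
    blind this pipeline, so surface them even when Vault denied the request."""
    return [e for e in events if e["xdm.target.resource.name"].startswith("sys/audit")]


if __name__ == "__main__":
    evts = normalized_events(SAMPLE_AUDIT_LOG)
    for e in evts:
        print(e["xdm.event.id"], e["xdm.event.type"], e["xdm.event.operation_sub_type"],
              e["xdm.target.resource.name"], e["xdm.event.outcome"])
    print("audit-device changes:", [e["xdm.event.id"] for e in audit_device_changes(evts)])
```

Request and response records share the same `request.id`, which is what lets a query pair the attempt with its outcome; only the response record carries the `error` string, so outcome is unknown on the request side.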