Skip to main content

HashiCorp Vault

Download With Dependencies

Manage Secrets and Protect Sensitive Data through HashiCorp Vault. Ingest and normalize Vault Audit logs.

Pack Contributors:

  • Paul-Adrian Dragoi

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

What does this pack do?

In addition to the HasiCorp Vault Integration for managing secrets and credentials on HashiCorp Vault, this pack includes Cortex Data Modeling (XDM) Rules and Parsing Rules for ingesting and normalizing HashiCorp Vault Audit Logs.

Configuration

Follow the steps below to configure ingestion of Hashicorp Vault audit logs into Cortex XSIAM.

Configuration on HashiCorp Vault

Run the audit enable command from the Vault server CLI for enabling a File audit device to write JSON audit log records to a file. For example:

vault audit enable file file_path=/var/log/vault_audit.log

See also:

Configuration on Cortex XSIAM

  1. Install the HashiCorp Vault content pack from Cortex XSIAM Marketplace.

  2. Configure an XDR Collector:

    1. Create an XDR Collector installation package as described here.

    2. Install the XDR Collector created installation package on the HashiCorp Vault server:

    3. Configure an XDR Collector Filebeat profile:

          filebeat.inputs:
    - type: filestream
      enabled: true
      id: hashicorp-vault
      paths:       
        - /var/log/vault_audit.log    # customize path as needed 
      processors: 
        - add_fields:       
            fields:             
              vendor: hashicorp
              product: vault

    4. Apply the configured Filebeat profile to the target HashiCorp Vault server by attaching it to a policy as described on Apply profiles to collection machine policies.

  3. After the Cortex XSIAM Collector starts ingesting logs from the configured path on the HashiCorp Vault server, you could query the collected audit logs under the hashicorp_vault_raw dataset.

   datamodel dataset = hashicorp_vault_raw | fields hashicorp_vault_raw._raw_log, _time, xdm.event.id, xdm.event.type, xdm.event.original_event_type, xdm.event.operation_sub_type, xdm.event.outcome, xdm.event.outcome_reason, xdm.source.ipv4, xdm.source.host.ipv4_public_addresses, xdm.source.port, xdm.auth.auth_method, xdm.source.user.identifier, xdm.source.user.groups, xdm.target.resource.id, xdm.target.resource.name, xdm.target.resource.type, xdm.target.resource.sub_type, xdm.target.user.identifier, xdm.target.user.username, xdm.network.rule, xdm.network.session_id, xdm.observer.version

Pack Contributors:

  • Paul-Adrian Dragoi

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

CertificationRead more
Supported ByCortex
CreatedNovember 9, 2020
Last ReleaseOctober 20, 2025
WORKS WITH THE FOLLOWING INTEGRATIONS:
DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.