vault_audit_tools/commands/
mod.rs

//! Command implementations for analyzing Vault audit logs.
//!
//! Each module in this package implements a specific analysis command,
//! providing specialized insights into different aspects of Vault usage.
//!
//! ## Command Categories
//!
//! ### Entity Analysis Commands
//!
//! Track and analyze Vault identity entities across time:
//!
//! - [`entity_analysis`] - Unified entity lifecycle analysis, creation tracking, and preprocessing
//!   - `entity-analysis churn` - Compare entity activity across multiple days to detect churn
//!   - `entity-analysis creation` - Identify when entities first appear in logs
//!   - `entity-analysis gaps` - Find gaps in entity activity patterns
//!   - `entity-analysis timeline` - Visualize entity activity over time
//!   - `entity-analysis preprocess` - Extract entity data for external processing
//! - [`entity_list`] - List all entities found in audit logs
//! - [`entity_creation`] - ⚠️ DEPRECATED: Use `entity-analysis creation` instead
//! - [`entity_churn`] - ⚠️ DEPRECATED: Use `entity-analysis churn` instead
//! - [`entity_gaps`] - ⚠️ DEPRECATED: Use `entity-analysis gaps` instead
//! - [`entity_timeline`] - ⚠️ DEPRECATED: Use `entity-analysis timeline` instead
//! - [`preprocess_entities`] - ⚠️ DEPRECATED: Use `entity-analysis preprocess` instead
//!
//! ### Token Analysis Commands
//!
//! Analyze token lifecycle and usage patterns:
//!
//! - [`token_analysis`] - Unified token operations, abuse detection, and export
//! - [`token_operations`] - ⚠️ DEPRECATED: Use `token-analysis` instead
//! - [`token_lookup_abuse`] - ⚠️ DEPRECATED: Use `token-analysis --abuse-threshold` instead
//! - [`token_export`] - ⚠️ DEPRECATED: Use `token-analysis --export` instead
//!
//! ### KV Secrets Analysis Commands
//!
//! Understand KV secrets engine usage:
//!
//! - [`kv_analysis`] - Unified KV secrets analysis - usage, comparison, and summarization
//!   - `kv-analysis analyze` - Analyze KV secret access patterns and frequency
//!   - `kv-analysis compare` - Compare KV usage across different time periods
//!   - `kv-analysis summary` - Summarize KV usage by mount point
//! - [`kv_analyzer`] - ⚠️ DEPRECATED: Use `kv-analysis analyze` instead
//! - [`kv_summary`] - ⚠️ DEPRECATED: Use `kv-analysis summary` instead
//! - [`kv_compare`] - ⚠️ DEPRECATED: Use `kv-analysis compare` instead
//!
//! ### Authentication Analysis Commands
//!
//! Analyze authentication patterns:
//!
//! - [`k8s_auth`] - Analyze Kubernetes authentication patterns and service accounts
//!
//! ### Mount Enumeration Commands
//!
//! List and enumerate Vault mounts:
//!
//! - [`kv_mounts`] - Enumerate all KV v2 secret mounts
//! - [`auth_mounts`] - Enumerate all authentication mounts
//!
//! ### System Analysis Commands
//!
//! High-level system insights:
//!
//! - [`system_overview`] - Generate high-level statistics about audit logs
//! - [`path_hotspots`] - Identify most frequently accessed paths
//! - [`client_activity`] - Analyze client access patterns
//! - [`client_traffic_analysis`] - Comprehensive client traffic pattern analysis
//! - [`airflow_polling`] - Detect Airflow polling behavior patterns

pub mod airflow_polling;
pub mod auth_mounts;
pub mod client_activity;
pub mod client_traffic_analysis;
pub mod entity_analysis;
pub mod entity_churn;
pub mod entity_creation;
pub mod entity_gaps;
pub mod entity_list;
pub mod entity_timeline;
pub mod k8s_auth;
pub mod kv_analysis;
pub mod kv_analyzer;
pub mod kv_compare;
pub mod kv_mounts;
pub mod kv_summary;
pub mod path_hotspots;
pub mod preprocess_entities;
pub mod system_overview;
pub mod token_analysis;
pub mod token_export;
pub mod token_lookup_abuse;
pub mod token_operations;