Token lookup abuse detection.
⚠️ DEPRECATED: Use token-analysis --abuse-threshold instead.
This command has been consolidated into the unified token-analysis command.
Use the --abuse-threshold flag for abuse detection.
```sh
# Old command (deprecated)
vault-audit token-lookup-abuse audit.log --threshold 500

# New command (recommended)
vault-audit token-analysis audit.log --abuse-threshold 500
```

See the token_analysis module for full documentation.
Identifies entities performing excessive token lookup operations, which can indicate misconfigured applications or potential security issues. Supports multi-file analysis (compressed or uncompressed) for pattern detection over time.
§Usage
```sh
# Single file with default threshold (100 lookups per entity)
vault-audit token-lookup-abuse audit.log
vault-audit token-lookup-abuse audit.log.gz

# Multi-day analysis with custom threshold (compressed files)
vault-audit token-lookup-abuse logs/*.log.gz --threshold 500
```

Compressed file support: .gz and .zst files are analyzed directly.
§Output
Displays entities exceeding the lookup threshold with:
- Entity ID and display name
- Total lookup operations
- Time range (first seen to last seen)
- Rate (lookups per hour)
Helps identify:
- Applications polling tokens too frequently
- Misconfigured token renewal logic
- Potential reconnaissance activity
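The detection this command performs, worked through as an added example in Python (not the vault-audit crate's own code): it reads Vault audit-device JSON lines, counts token lookup calls per entity, records first and last seen, and reports the entities whose count exceeds the threshold together with a lookups-per-hour rate. The field names (type, time, request.path, auth.entity_id, auth.display_name) are those of Vault's audit log; which request paths count as a "lookup", counting only response entries so each call is counted once, and clamping a zero-length span to one second for the rate are this example's assumptions. The sample log lines are constructed, not captured from a real server.

```python
"""Flag entities that perform excessive Vault token lookups (added example,
not the vault-audit crate's code). Lookup paths and rate convention below
are assumptions of this example."""
import json
from datetime import datetime, timedelta, timezone

# Assumption: these request paths are what counts as a token lookup.
LOOKUP_PATHS = frozenset({
    "auth/token/lookup",
    "auth/token/lookup-self",
    "auth/token/lookup-accessor",
})


def parse_vault_time(ts: str) -> datetime:
    """Parse Vault's RFC 3339 timestamp, tolerating a nanosecond fraction."""
    ts = ts.rstrip("Z")
    if "." in ts:
        base, frac = ts.split(".", 1)
        ts = f"{base}.{frac[:6].ljust(6, '0')}"  # datetime accepts at most microseconds
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def find_lookup_abuse(lines, threshold=100):
    """Return entities whose lookup count exceeds `threshold`, busiest first."""
    per_entity = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not abort the whole run
        # Vault writes a request entry and a response entry for every call;
        # counting only responses avoids double-counting each lookup.
        if entry.get("type") != "response":
            continue
        if entry.get("request", {}).get("path") not in LOOKUP_PATHS:
            continue
        auth = entry.get("auth") or {}
        entity_id = auth.get("entity_id") or "<no-entity>"  # e.g. root tokens carry no entity
        seen_at = parse_vault_time(entry["time"])
        rec = per_entity.setdefault(entity_id, {
            "entity_id": entity_id,
            "display_name": auth.get("display_name", ""),
            "lookups": 0,
            "first_seen": seen_at,
            "last_seen": seen_at,
        })
        rec["lookups"] += 1
        rec["first_seen"] = min(rec["first_seen"], seen_at)
        rec["last_seen"] = max(rec["last_seen"], seen_at)

    flagged = []
    for rec in per_entity.values():
        if rec["lookups"] <= threshold:
            continue
        span_hours = (rec["last_seen"] - rec["first_seen"]).total_seconds() / 3600
        # A burst inside a single second would divide by zero; clamp the span to one second.
        rec["lookups_per_hour"] = rec["lookups"] / max(span_hours, 1 / 3600)
        flagged.append(rec)
    flagged.sort(key=lambda r: r["lookups"], reverse=True)
    return flagged


def make_sample_lines():
    """Constructed audit lines (not real Vault output) for a stand-alone run."""
    t0 = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)

    def line(kind, path, entity, name, when):
        return json.dumps({
            "type": kind,
            "time": when.strftime("%Y-%m-%dT%H:%M:%S.000000000Z"),
            "request": {"path": path, "operation": "update"},
            "auth": {"entity_id": entity, "display_name": name},
        })

    lines = []
    # app-a: 121 lookups one minute apart -> 2 h span, 60.5 lookups/hour
    for i in range(121):
        lines.append(line("response", "auth/token/lookup-self", "entity-app-a", "approle-app-a", t0 + timedelta(minutes=i)))
    # app-c: 201 lookups 18 s apart -> 1 h span, 201 lookups/hour
    for i in range(201):
        lines.append(line("response", "auth/token/lookup", "entity-app-c", "approle-app-c", t0 + timedelta(seconds=18 * i)))
    # app-b: a handful of lookups, well under any sensible threshold
    for i in range(5):
        lines.append(line("response", "auth/token/lookup-self", "entity-app-b", "approle-app-b", t0 + timedelta(hours=i)))
    # Noise that must not be counted: a request entry, a renewal, and a corrupt line
    lines.append(line("request", "auth/token/lookup-self", "entity-app-a", "approle-app-a", t0))
    lines.append(line("response", "auth/token/renew-self", "entity-app-a", "approle-app-a", t0))
    lines.append('{"type": "response", "time": "2024-01-15T08:00:00Z", "request": {"path": "auth/token/loo')
    return lines


if __name__ == "__main__":
    for rec in find_lookup_abuse(make_sample_lines(), threshold=100):
        print(f"{rec['entity_id']:14} {rec['display_name']:14} {rec['lookups']:5d} lookups "
              f"{rec['first_seen']:%H:%M:%S}-{rec['last_seen']:%H:%M:%S} "
              f"{rec['lookups_per_hour']:.1f}/h")
```

Run stand-alone, the script prints the two entities above the default threshold of 100 with their time range and rate; the entity with five lookups is omitted, as are the request-side entry, the renewal call and the corrupt line. The rate column is what separates a long-running service that legitimately looks up its token now and then from a client that is polling in a tight loop, which is the misconfiguration the command is meant to surface. Multi-file and compressed input would be handled by feeding the concatenated, decompressed lines to `find_lookup_abuse`, which only depends on receiving an iterable of lines.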