Module entity_analysis

vault_audit_tools::commands

Module entity_analysis 

Source
Expand description

Unified entity analysis command.

Consolidates entity lifecycle tracking, creation analysis, preprocessing, gap detection, and timeline analysis into a single powerful command with intelligent auto-preprocessing to eliminate multi-step workflows.

§Usage

# Churn analysis (auto-preprocesses entity mappings)
vault-audit entity-analysis churn logs/day1.log logs/day2.log
vault-audit entity-analysis churn logs/*.log --baseline entities.json

# Creation analysis by auth path
vault-audit entity-analysis creation logs/*.log
vault-audit entity-analysis creation logs/*.log --export creation_data.json

# Extract entity mappings (preprocessing)
vault-audit entity-analysis preprocess logs/*.log --output mappings.json
vault-audit entity-analysis preprocess logs/*.log --format csv

# Detect activity gaps for entities
vault-audit entity-analysis gaps logs/*.log --window-seconds 300

# Individual entity timeline
vault-audit entity-analysis timeline logs/*.log --entity-id abc-123

Key Improvement: Auto-preprocessing eliminates the need for separate preprocessing steps. Entity mappings are built in-memory automatically when needed by churn or creation analysis.

§Subcommands

§churn

Multi-day entity lifecycle tracking with ephemeral pattern detection. Automatically preprocesses entity mappings unless --no-auto-preprocess is specified.

§creation

Analyzes when entities were first created, grouped by authentication path. Shows new entity onboarding patterns and growth trends.

§preprocess

Extracts entity-to-display-name mappings from audit logs for external use. Outputs JSON or CSV format for integration with other tools.

§gaps

Detects entities with suspicious activity gaps (potential compromised credentials or entities that should have been cleaned up).

§timeline

Shows chronological activity for a specific entity ID, useful for debugging or investigating specific identity issues.

Functions§

run_churn
Run churn analysis subcommand
run_creation
Run creation analysis subcommand
run_gaps
Run gaps detection subcommand
run_preprocess
Run preprocess subcommand
run_timeline
Run timeline subcommand