Module commands 

Command implementations for analyzing Vault audit logs.

Each module in this package implements a specific analysis command, providing specialized insights into different aspects of Vault usage.

Command Categories

Entity Analysis Commands

Track and analyze Vault identity entities across time:

• entity_creation - Identify when entities first appear in logs
• entity_churn - Compare entity activity across multiple days to detect churn
• entity_gaps - Find gaps in entity activity patterns
• entity_timeline - Visualize entity activity over time
• entity_list - List all entities found in audit logs
• preprocess_entities - Extract entity data for external processing

Token Analysis Commands

Analyze token lifecycle and usage patterns:

• token_operations - Track token creation, renewal, and revocation
• token_lookup_abuse - Detect suspicious token lookup patterns
• token_export - Export token metadata for analysis

KV Secrets Analysis Commands

Understand KV secrets engine usage:

• kv_analyzer - Analyze KV secret access patterns and frequency
• kv_summary - Summarize KV usage by mount point
• kv_compare - Compare KV usage across different time periods

Authentication Analysis Commands

Analyze authentication patterns:

• k8s_auth - Analyze Kubernetes authentication patterns and service accounts

System Analysis Commands

High-level system insights:

• system_overview - Generate high-level statistics about audit logs
• path_hotspots - Identify most frequently accessed paths
• client_activity - Analyze client access patterns
• airflow_polling - Detect Airflow polling behavior patterns

Modules

airflow_polling

Airflow polling pattern detection.

client_activity

Client activity metrics from Vault API.

entity_churn

Multi-day entity churn analysis with intelligent ephemeral pattern detection.

entity_creation

Entity creation analysis command.

entity_gaps

Entity gaps analysis command.

entity_list

Entity list export command.

entity_timeline

Entity timeline visualization command.

k8s_auth

Kubernetes authentication analysis command.

kv_analyzer

KV secrets engine usage analyzer.

kv_compare

KV usage comparison across time periods.

kv_summary

KV usage summary from CSV exports.

path_hotspots

Path hotspot analysis command.

preprocess_entities

Entity mapping preprocessor.

system_overview

System-wide audit log overview.

token_export

Token lookup pattern exporter.

token_lookup_abuse

Token lookup abuse detection.

token_operations

Token lifecycle operations analysis.