Token lookup abuse detection.
Identifies entities performing excessive token lookup operations, which can indicate misconfigured applications or potential security issues. Supports multi-file analysis for pattern detection over time.
§Usage
# Single file with default threshold (100 lookups per entity)
vault-audit token-lookup-abuse audit.log
# Multi-day analysis with custom threshold
vault-audit token-lookup-abuse logs/*.log --threshold 500
§Output
Displays entities exceeding the lookup threshold with:
- Entity ID and display name
- Total lookup operations
- Time range (first seen to last seen)
- Rate (lookups per hour)
Helps identify:
- Applications polling tokens too frequently
- Misconfigured token renewal logic
- Potential reconnaissance activity
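An added example, not the vault-audit source: a minimal Python version of the check described above, run over constructed audit lines. It assumes a lookup is a `request` entry whose path is one of Vault's `auth/token/lookup*` endpoints, that "exceeding" means strictly more than the threshold, and that the rate is total lookups divided by the first-seen to last-seen span; function and field names are illustrative.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: a request to one of these paths counts as a token lookup.
LOOKUP_PATHS = {"auth/token/lookup", "auth/token/lookup-self", "auth/token/lookup-accessor"}

def find_lookup_abuse(lines, threshold=100):
    """Return entities with more than `threshold` token lookups, busiest first."""
    stats = defaultdict(lambda: {"name": "", "times": []})
    for line in lines:
        try:
            entry = json.loads(line)
            # Sub-second precision is dropped; timestamps are assumed to be UTC.
            seen = datetime.strptime(str(entry["time"])[:19], "%Y-%m-%dT%H:%M:%S")
        except (ValueError, KeyError, TypeError):
            continue  # skip truncated, non-JSON or untimestamped lines
        if entry.get("type") != "request":
            continue  # count each operation once, not its response as well
        auth = entry.get("auth") or {}
        path = (entry.get("request") or {}).get("path", "")
        if path not in LOOKUP_PATHS or not auth.get("entity_id"):
            continue
        stats[auth["entity_id"]]["name"] = auth.get("display_name", "")
        stats[auth["entity_id"]]["times"].append(seen)
    report = []
    for entity_id, s in stats.items():
        first, last, count = min(s["times"]), max(s["times"]), len(s["times"])
        hours = (last - first).total_seconds() / 3600
        if count > threshold:
            report.append({
                "entity_id": entity_id, "display_name": s["name"], "lookups": count,
                "first_seen": first, "last_seen": last,
                "per_hour": round(count / hours, 1) if hours > 0 else None})  # None: zero-length span
    return sorted(report, key=lambda r: r["lookups"], reverse=True)

def sample_log():
    """Constructed audit lines: one entity polling every minute, one quiet entity."""
    def line(kind, entity, name, path, minute):
        ts = datetime(2024, 5, 1, 10) + timedelta(minutes=minute)
        return json.dumps({"time": ts.strftime("%Y-%m-%dT%H:%M:%S") + ".000000000Z",
                           "type": kind, "request": {"path": path},
                           "auth": {"entity_id": entity, "display_name": name}})
    look = "auth/token/lookup-self"
    noisy = [line("request", "ent-poller", "approle-ci", look, m) for m in range(121)]
    quiet = [line("request", "ent-web", "approle-web", look, m) for m in range(3)]
    other = [line("response", "ent-poller", "approle-ci", look, 0), "{truncated",
             line("request", "ent-web", "approle-web", "secret/data/app", 5)]
    return noisy + quiet + other
```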