Vault Root Login Notifications
{ | |
"auth": { | |
"accessor": "hmac-sha256:67869871d870282745682c729d86cee81acb5346c3dbecb573b7d44ea5506d06", | |
"client_token": "hmac-sha256:8fe52f85c93aad7df87c7203f864a9900d25451a1cc88c486ae0c951bd3a8936", | |
"display_name": "root", | |
"policies": [ | |
"root" | |
], | |
"token_policies": [ | |
"root" | |
], | |
"token_type": "service" | |
}, | |
"request": { | |
"client_token": "hmac-sha256:8fe52f85c93aad7df87c7203f864a9900d25451a1cc88c486ae0c951bd3a8936", | |
"client_token_accessor": "hmac-sha256:67869871d870282745682c729d86cee81acb5346c3dbecb573b7d44ea5506d06", | |
"id": "3ab2651a-899b-0a98-c626-73c405d89d02", | |
"namespace": { | |
"id": "root" | |
}, | |
"operation": "read", | |
"path": "auth/token/lookup-self", | |
"remote_address": "10.0.0.70" | |
}, | |
"response": { | |
"data": { | |
"accessor": "hmac-sha256:67869871d870282745682c729d86cee81acb5346c3dbecb573b7d44ea5506d06", | |
"creation_time": 1576768685, | |
"creation_ttl": 0, | |
"display_name": "hmac-sha256:6b89bf27681e54af63afe4a0b936bbf618f8d9b17bcc68df8c11470f7328d745", | |
"entity_id": "hmac-sha256:de212e047ea6043f736d83549f3dae8612c688af0d5a6b4d19a262473c5b8bea", | |
"expire_time": null, | |
"explicit_max_ttl": 0, | |
"id": "hmac-sha256:8fe52f85c93aad7df87c7203f864a9900d25451a1cc88c486ae0c951bd3a8936", | |
"meta": null, | |
"num_uses": 0, | |
"orphan": true, | |
"path": "hmac-sha256:20039952cb073210bc9cb0fa1dc3dec3e49bcd8a72b5dd2a9f9ce415010c91a0", | |
"policies": [ | |
"hmac-sha256:6b89bf27681e54af63afe4a0b936bbf618f8d9b17bcc68df8c11470f7328d745" | |
], | |
"ttl": 0, | |
"type": "hmac-sha256:05148f41a98c981f657d9a0cb0b647e1f32a764719da2e75f27a497485eb9b7a" | |
} | |
}, | |
"time": "2020-01-31T13:14:37.132982729Z", | |
"type": "response" | |
} |
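---
# StackStorm rule: relay a Splunk "Vault Root Login" alert to chat.
#
# Flow, as far as the files in this gist show it: a Splunk saved search over
# the Vault audit log fires a webhook alert at the st2 "splunk" webhook; this
# rule matches the alert by search_name and posts a Slack attachment.
name: "vault_root_login"
pack: "default"
description: "Vault root login notification"
enabled: true

trigger:
  type: "core.st2.webhook"
  parameters:
    # Webhook endpoint name. The caller must present a valid st2 API key
    # (St2-Api-Key header) or auth token; anyone holding that key can fire
    # this rule with an arbitrary body, so keep the key secret and dedicate
    # it to the Splunk server.
    url: "splunk"

criteria:
  # search_name is filled in by Splunk from the saved-search name, so only
  # that alert reaches the action. NOTE(review): the search shipped with
  # this gist matches only "auth/token/lookup-self" by the root token (what
  # the UI issues after login); root-token use through the CLI/API on other
  # paths produces no alert.
  trigger.body.result.search_name:
    type: "equals"
    pattern: "Vault Root Login"

action:
  ref: "chatops.post_message"
  parameters:
    # NOTE(review): the alert carries an internal address and a link to the
    # Vault UI; a restricted security channel is a better target than a
    # company-wide one.
    channel: "general"
    message: "Vault Root Login"
    # Written as a YAML mapping instead of a JSON string: a double-quoted
    # scalar cannot hold unescaped double quotes, so the original string
    # form does not parse as YAML. A mapping is also what chatops.post_message
    # documents for `extra` — confirm against the installed pack version.
    extra:
      color: "#293E40"
      slack:
        attachments:
          - title: "Vault Root Login Detected"
            color: "#293E40"
            fields:
              - short: true
                # remote_address is taken verbatim from the audit entry; if
                # Vault sits behind a proxy or load balancer this is the
                # proxy's address unless the listener is configured to trust
                # X-Forwarded-For.
                value: "A root login to the production vault cluster has been detected from {{trigger['body']['result']['request.remote_address']}}"
                title: "Description"
            author_link: "https://dev79681.service-now.com"
            author_name: "Production Vault"
            # NOTE(review): the Vault UI is linked over plain http, which
            # invites users to submit tokens in clear; if the listener has TLS
            # enabled (it should, for a production cluster), use https:// here
            # and for author_icon below.
            title_link: "http://10.0.0.206:8200"
            image_url: "https://s3.amazonaws.com/hashicorp-marketing-web-assets/brand/Vault_PrimaryLogo_FullColor.HkwAATB6e.svg"
            pretext: "<!here>"
            author_icon: "http://10.0.0.206:8200/ui/favicon-c02e22ca67f83a0fb6f2fd265074910a.png"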
auth.display_name="root" type="response" request.path="auth/token/lookup-self" |
# Mint the API key Splunk will present (St2-Api-Key header) when it calls
# the st2 webhook. The metadata is only a label for `st2 apikey list`.
# The key is printed to the terminal once: treat that output as the only
# copy, put it in Splunk's credential store rather than the alert's plain
# configuration, and disable or delete it with the same CLI if the Splunk
# host is rebuilt or the key is exposed.
st2 apikey create --only-key --metadata '{"used_by": "Splunk Webhook"}'