As a Vault operator or security practitioner, you need to respond to common incidents which can arise in the operation of a Vault cluster.

Critical Vault-specific incident types can include, but are not limited to, the following:

Synthesizing information around these types of incidents and responding to them appropriately within a tight timeline is of utmost importance to reduce production impact.

You can use Vault audit devices and send logs from them to a Security Information and Event Management (SIEM) tool for aggregation, inspection, and alerting. This provides timely information for incident response workflows.

Elasticsearch with Kibana and the Elastic Agent is an example of an available open source solution for aggregating and searching Vault audit device logs. The scenario in this tutorial uses these technologies as a reference to help inform you of what is possible.

You will use a terminal and the command line interfaces for Vault and Terraform, along with the Terraform Docker and Vault providers, to complete this scenario. You will deploy and configure Elasticsearch, Kibana, and Elastic Agent containers, and use the Kibana web UI for some configuration steps.

You will then deploy and configure a Vault development mode server container with two audit devices:

- A socket-based audit device that sends audit device logs to the Elastic Agent for consumption by Elasticsearch.
- A file-based audit device for terminal session use.

Once the environment is established, you will deploy some configuration to Vault with the Terraform Vault provider that simulates common incidents in the audit device logs.

Finally, you will use a combination of the Kibana UI with Kibana Query Language (KQL) queries, or a terminal session with jq, to identify the incidents in the audit device logs.

Prerequisites

- Vault binary installed in your system PATH.
- Terraform CLI version 1.2.0 or newer installed in your system PATH.
- Docker, with at least 4GB of memory allocated to it; this scenario requires that much.
- Git binary installed in your system PATH.
- jq binary installed in your system PATH for querying the file audit device log.
- The Learn lab Terraform configuration repository.
- A web browser for accessing the Kibana UI.
- Internet access from the host computer.

The Kibana URL is dynamically generated, so you need to use the actual URL value that you captured earlier, not the example value.

Open the URL, where you are greeted by the Configure Elastic to get started dialog. Paste your Kibana Enrollment Token value into the Enrollment token text field and click Configure Elastic. A series of configuration steps are completed automatically.

When the configuration is finished, you are presented with a Welcome to Elastic dialog where you can authenticate. Enter elastic in the Username text input field. Enter 2learnVault into the Password text input field.

You are greeted by a Welcome to Elastic dialog. Use the search text input and begin to enter HashiCorp into it; you should notice that the HashiCorp Vault integration appears. You are now on the HashiCorp Vault integration page. Click Add HashiCorp Vault to add the integration.

Configure Vault Elasticsearch integration

Click Logs from file to switch off gathering audit device information from a file, as you will be using the network socket with Elasticsearch and manually inspecting the file audit device for this scenario. Click Logs from TCP socket to switch the setting on.

Enter 0.0.0.0 into the Listen Address text input to listen on all interfaces so that the Elastic Agent container can later connect to the integration. Vault's socket audit device delivers entries to this listener over plain TCP, so listening on every interface is only appropriate in a disposable lab like this one; on a real host, bind the listener to the address the Vault container actually reaches.

As this tutorial is focused on audit device logs, click Metrics to switch off the gathering of telemetry metrics from Vault. Enter agent-policy-vault into the New agent policy name text input.

After a moment, a HashiCorp Vault integration added dialog appears where you can configure the Elastic Agent. You will use a Fleet Server to manage the Elastic Agent, so in the Add agent dialog, click Add Fleet Server. In the Add a Fleet Server dialog, specify the Elasticsearch container IP address for the Fleet Server host value. After a short delay, you should notice a Fleet Server policy created. You can skip over Add a Fleet Server step 2 in the UI view, as you will be using a container instead of the options shown there.
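The terminal-session half of the scenario is a set of filters run over the file audit device with jq. The following is an added example, not code from the tutorial or from HashiCorp, that expresses the same kind of checks in Python so they can be read and run offline: it parses the one-JSON-object-per-line format the file audit device writes, counts permission-denied failures per client address, lists every request made with the root policy, and flags create/update/delete requests against audit devices, ACL policies, auth methods and mounts. The equivalent jq filter is given in each function's docstring. The log lines are constructed samples shaped like Vault's audit entries (time, type, auth, request, response, error); real entries also carry HMAC'd tokens and accessors, which are omitted here, and the incident patterns chosen are this example's assumptions rather than the tutorial's own list.

```python
"""Triage a Vault file audit device log for common incident patterns.

Added example, not part of the original tutorial or of HashiCorp's code.
The entries in SAMPLE_AUDIT_LOG are constructed to match the shape of
Vault's JSON audit device output; they were not captured from a cluster.
"""
import json
from collections import Counter

# Paths whose mutation changes Vault's own security configuration (assumed set).
SENSITIVE_PREFIXES = ("sys/audit/", "sys/policies/acl/", "sys/auth/", "sys/mounts/")
MUTATING_OPS = {"create", "update", "delete"}
DENIED = "1 error occurred:\n\t* permission denied\n\n"  # error text as Vault formats it


def _entry(kind, time, policies, display_name, operation, path, remote, req_id, error=None):
    """Build one constructed audit entry with the subset of fields the checks use."""
    e = {
        "time": time, "type": kind,
        "auth": {"display_name": display_name, "policies": policies, "token_type": "service"},
        "request": {"id": req_id, "operation": operation, "path": path, "remote_address": remote},
    }
    if kind == "response":
        e["response"] = {"mount_type": "kv" if path.startswith("secret/") else "system"}
    if error:
        e["error"] = error
    return e


# Constructed sample log: one JSON object per line, as the file audit device writes it.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _entry("request", "2023-04-12T10:00:01Z", ["default", "app"], "app",
           "read", "secret/data/app/db", "172.18.0.5", "r1"),
    _entry("response", "2023-04-12T10:00:01Z", ["default", "app"], "app",
           "read", "secret/data/app/db", "172.18.0.5", "r1"),
    # three rejected reads of paths the token's policies do not grant
    _entry("response", "2023-04-12T10:02:10Z", ["default"], "token",
           "read", "secret/data/prod/db", "172.18.0.9", "r2", DENIED),
    _entry("response", "2023-04-12T10:02:11Z", ["default"], "token",
           "read", "secret/data/prod/db", "172.18.0.9", "r3", DENIED),
    _entry("response", "2023-04-12T10:02:12Z", ["default"], "token",
           "list", "secret/metadata/prod", "172.18.0.9", "r4", DENIED),
    # a root token rewriting a policy, then disabling the file audit device
    _entry("request", "2023-04-12T10:05:00Z", ["root"], "root",
           "update", "sys/policies/acl/app", "172.18.0.1", "r5"),
    _entry("request", "2023-04-12T10:05:30Z", ["root"], "root",
           "delete", "sys/audit/file", "172.18.0.1", "r6"),
])


def parse_audit_log(text):
    """Return the JSON entries in a file audit device log, skipping blank or non-JSON lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # e.g. a partial last line while Vault is still writing
    return entries


def permission_denied_by_client(entries):
    """Count 'permission denied' failures per remote_address, once per request id.

    jq: select((.error // "") | contains("permission denied")) | .request.remote_address
    """
    seen, counts = set(), Counter()
    for e in entries:
        if "permission denied" not in (e.get("error") or ""):
            continue
        req = e.get("request") or {}
        if req.get("id") in seen:
            continue  # request and response entries for one call share an id
        seen.add(req.get("id"))
        counts[req.get("remote_address", "unknown")] += 1
    return dict(counts)


def root_token_requests(entries):
    """List (operation, path) for every request made with the root policy.

    jq: select(.type=="request" and (.auth.policies // [] | index("root")))
        | [.request.operation, .request.path] | @tsv
    """
    hits = []
    for e in entries:
        if e.get("type") != "request":
            continue
        if "root" in ((e.get("auth") or {}).get("policies") or []):
            req = e.get("request") or {}
            hits.append((req.get("operation"), req.get("path")))
    return hits


def sensitive_config_changes(entries):
    """Requests that create, update or delete audit devices, ACL policies, auth methods or mounts.

    jq: select(.type=="request" and (.request.path | startswith("sys/audit/")
        or startswith("sys/policies/acl/")))
    """
    hits = []
    for e in entries:
        req = e.get("request") or {}
        path = req.get("path") or ""
        if (e.get("type") == "request" and req.get("operation") in MUTATING_OPS
                and path.startswith(SENSITIVE_PREFIXES)):
            hits.append({"time": e.get("time"), "operation": req["operation"], "path": path,
                         "actor": (e.get("auth") or {}).get("display_name"),
                         "remote_address": req.get("remote_address")})
    return hits


def triage(text):
    """Run all three checks over raw log text and return a report dict."""
    entries = parse_audit_log(text)
    return {
        "denied_by_client": permission_denied_by_client(entries),
        "root_requests": root_token_requests(entries),
        "config_changes": sensitive_config_changes(entries),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_AUDIT_LOG), indent=2))
```

Point `triage` at the contents of the real file audit device log to run the same checks against the lab; the dedupe on `request.id` matters because Vault writes a request entry and a response entry for each call, and an error can appear on either.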