Supported Secrets
SailPoint Entro detects and validates cleartext secrets across integrations using pattern-based rules, AI enrichment, and generic credential heuristics. Use the tables below to browse supported secret types by detection category.
For full per-secret validation details, refer to Supported Secrets.
Pattern-based services detections
Temporary keys detections
Although temporary tokens have a short TTL and may not pose an actual risk, their exposure could reveal a flawed process in managing secrets.
Secret types:
Webhooks detections
Exposed webhooks pose a security risk if discovered by adversaries. While they may not reveal sensitive information, they can be exploited to manipulate and tamper with organizational procedures and services that rely on their data.
| Secret type | Validity |
|---|---|
| Outlook team | |
| Slack Webhook | ✅ |
| Discord Webhook URL | |
| Zapier webhook | |
| Microsoft Teams webhook | ✅ |
Generic detections (AI Enriched*)
SailPoint Entro monitors generic secrets and credentials. They only generate an incident if enriched with context from their surrounding code or content to label their target service type.
| Secret type | Explanation | Examples |
|---|---|---|
| Generic curl user and password | Observed once User & Password combination appears near a "Curl" command for authorization | curl -u myuser:mypass |
| Generic key | Observed for any text combination of the keywords: "key", "api key", "secret", "token", "auth", "pat", "access", "client" - along with a high entropy string, and AI processing for false positive elimination | my-serv-secret: dj2983cn928cyr9n82ynr9298cjuc3a |
| Generic creds | Observed for any text combination of the keywords: "pw", "pwd", "pass", "cred" - along with a delimiter, high entropy string, and AI processing for false positive elimination | SERVER_CREDENTIALS: A$@KFdj123 |
| Generics Auth B64 | Observed for decoded B64 strings for basic authorization strings | "Authorization": "Basic aW50ZXJuc2hpcDpjZGk=" |
Qualifications for Generic Detections
To capture high-fidelity secret detections only, SailPoint Entro has identified a specific characteristic to qualify only strong detections as a Generic Secret:
- High Entropy secret payload
- Placeholder text such as "dummy", "test", or "example" strings won't qualify as valid detections for a secret payload. See examples below.
- The secret string for the "Generic Key" must be at least 14 characters long and include all the following: uppercase letters, lowercase letters, and digits.
- Secret string for "Generic Creds" should be at least 5 chars long
- AI analyzed ContextIQ determines it's a true positive detection based on its context.
- Specific predefined patterns known to generate noise are excluded to reduce false positives and improve detection quality.
AI Enriched services (1000+)
SailPoint Entro automatically tags potential exposed secret services using pre-defined names. It employs GenAI, entropy-based analysis, and secret-like characteristics. So in this case, secrets from those 1000+ services can be detected and tagged regardless if it's supported by entro rules mentioned above.
Low-confidence detections
Experimental, partial, or informational detections that do not necessarily grant access to sensitive information or authorization.