Skip to content

Idle Identity Fetched a Secret

Eco-system support

  • AWS Secrets Manager

  • Azure Key Vault

  • GCP Secrets Manager

Description

When a user that has been inactive for a period of time becomes active again, it could potentially pose a security threat to your organization, especially if his first actions are to fetch secrets. It's important to be aware of this and take the necessary precautions to ensure that user activity is legitimate.

Detection triggers

  • Identity was idle for more than 30 days

  • One of the first actions of the idle identity is to retrieve a secret from a vault

Mitigation

Review abnormal activity

Idle identities fetching secrets isn't common. Try to look for potential justifications for this activity, such as older secret related events by this actor.