Skip to content

Vault Dump

Eco-system support

  • AWS Secrets Manager

  • Azure Key Vault

  • GCP Secrets Manager

Description

A single identity revealing all the secrets in your secret vault could be a sign of possible malicious activity and pose a serious threat to your business. It's crucial to investigate and determine the legitimacy of this action.

Detection Triggers

  • Single identity fetching an entire vault, in a range of 7 days maximum.

  • This rule will only trigger if the vault contains at least 3 secrets.

Mitigation

Review abnormal activity

Fetching all the secrets from a single vault is considered an anomaly. There’s usually no legitimate explanation to justify this activity other than malicious intentions, or backing up during a potential migration. Review this activity by following these steps

  1. Review the “activity” tab to check for the following behavior.

    • if the activity is re-occurring.

    • Is the workload IP and client identical to its previous usage

  2. Investigate the actor identity responsible for the activity to understand if it’s legitimate and expected.

    • If legitimate, move this risk status to 'approved'.

    • Otherwise, consider rotating all secrets and investigating the actors.