Vault Dump
Eco-system support
-
AWS Secrets Manager
-
Azure Key Vault
-
GCP Secrets Manager
Description
A single identity revealing all the secrets in your secret vault could be a sign of possible malicious activity and pose a serious threat to your business. It's crucial to investigate and determine the legitimacy of this action.
Detection Triggers
-
Single identity fetching an entire vault, in a range of 7 days maximum.
-
This rule will only trigger if the vault contains at least 3 secrets.
Mitigation
Review abnormal activity
Fetching all the secrets from a single vault is considered an anomaly. There’s usually no legitimate explanation to justify this activity other than malicious intentions, or backing up during a potential migration. Review this activity by following these steps
-
Review the “activity” tab to check for the following behavior.
-
if the activity is re-occurring.
-
Is the workload IP and client identical to its previous usage
-
-
Investigate the actor identity responsible for the activity to understand if it’s legitimate and expected.
-
If legitimate, move this risk status to 'approved'.
-
Otherwise, consider rotating all secrets and investigating the actors.
-