Skip to content

Cleartext Exposed Secrets Use-Cases

Industry-leading exposed secrets detections across the entire organization. Reveal clear-text secrets exposed in cloud providers configurations, code-repositories, CICD output logs, collaboration platforms, and messaging apps.

Description

Compared to regular human-owned username and passwords, secrets & tokens lack additional security observability (continued monitoring), restrictions (conditional access, IP lock) and enforcements (MFA). This will make them the number one targets for credentials harvesting during a potential breach. SailPoint Entro reveals all clear-text secrets scattered on your organization and prioritizes which should be eliminated.

Validity

Each detected secret also includes validation status, to determine whether it can be leveraged to gain additional access to your organization’s resources.

  • Enabled The token has been confirmed by SailPoint Entro as enabled and is publicly accessible. This makes it potentially vulnerable to exploitation by unauthorized actors.

  • Disabled The token is confirmed to be disabled or deactivated. This state prevents it from being exploited for unauthorized access. Regularly review the status of the token to ensure it remains disabled.

  • Invalid This token is not usable and cannot be exploited for unauthorized access. The invalidity could be due to incorrect formatting, expiration, revocation, or access restriction.

  • Revoked This secret has transitioned from enabled to invalid. It is now invalid and cannot be used for authorization.

  • Unsupported Validity check not supported by cloud provider.

  • Unreachable Due to network restrictions (on-prem server, firewall), the secret cannot be validated.

When an enabled secret is observed, entro will also include some enrichment data for it in the “Validity” tab.

Context

When an exposed secret is also correlated with one of your organization's NHI Tokens, SailPoint Entro will include additional context and enrichment for the exposed secret, such as:

  • Target account

  • Environment labeling

  • Permissioning

  • Usage

  • Rotation

  • Owners

Risks triggers

Risks associated with exposed secrets will only open if the exposed secret is not invalid, revoked or disabled. It’s also possible to restrict risks to open only if the exposed secret is enabled. Any risk of exposed secret transitioning from enabled to revoked/invalid/disabled will be automatically resolved.

Exposed secrets samples

Eventually, secrets are a collection of strings that grants access to services. These are some of the secret types you should expect seeing in SailPoint Entro.

  • Figma PAT

    figd_0w5OuMpZZjmdoaAuik-2VjuxkUqK3RnH9iEgU0Il
    
  • GitHub Fine-grained PAT

    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
    
  • Heroku

    0483ca13-868b-4c04-8a50-65a21a2750d3
    
  • DataDog Api-Key

    a6568b9e9265579b18761c104bb7debb
    
  • Slack token

    xoxe-1-My0xLTY2MdpxMzc2NjQ3NzUtNjUwOTIyNDkzMDY3OS02NTIwOPUwNjIzMTg5LTY0MDkzMDM3ZmQwOGY1ZmM4MmVjZmQ3NzgyNTc5ZjIwM2YwYWEwYTIwYjhlOTU1NzJlZmQyMDUxNTYwNjJkODg
    
  • Azure app registration client secret

    secret_id = 3e0b7399-4505-497a-88a6-321fe144f2fa
    secret = yKN8Q~mwWt36vMHX1XXX-AHWezJYdXBy5Q0GBcHr
    
  • GCP Service account private key

    (see image)
    
  • AWS Access Key

    Key ID = AKIA5YMFHFAIDIE7XS7M
    Secret = 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
    
  • Atlassian Cloud Token

    organization_id = 92d88aa0-a823-1799-6j29-58b9304c2d5a
    API_key = ATCTT3xFfGN0P5uAdcHtRTfAuRyJA2AQAT0nOVZlsdwOazOFFYwgyDehoK8vaV6_0IWcQxHckd01429rhMy8GXIWII3QuGpCS_9o5yJ41EHJqF-t8rUp5pIzNd2WrVuxzRWMCR60Mc3Flddy6a2H8HEX4C4sd1yWv1fizCzNyHX94XVlJUtMoVI=19AF0259
    
  • Gitlab

    glpat-mxNffxHGVKbZKkxJP2ZZ