Idle Identity Fetched a Secret
Description
When a user that has been inactive for a period of time becomes active again, it could potentially pose a security threat to your organization, especially if his first actions are to fetch secrets. It's important to be aware of this and take the necessary precautions to ensure that user activity is legitimate.

Detection triggers
-
Identity was idle for more than 30 days
-
One of the first actions of the idle identity is to retrieve a secret from a vault
Mitigation
Review abnormal activity
Idle identities fetching secrets isn't common. Try to look for potential justifications for this activity, such as older secret related events by this actor.
JSON Example
Risk JSON
account: {environment: "DemoStraw", environmentType: "DEMO"}
accountId: "937217712385"
accountType: "AWS"
category: "ABNORMAL_BEHAVIOR"
correlationGuid: null
creationDate: "2024-08-13T22:43:45.306Z"
customData: null
customerId: 1
data: {,…}
description: "When a user that has been inactive for a period of time becomes active again, it could potentially pose a security threat to your organization, especially if his first actions are to fetch secrets. It's important to be aware of this and take the necessary precautions to ensure that user activity is legitimate."
destination: "NOT_FOUND"
guid: "RSK-54857"
hasComment: null
hasJiraTicket: null
hasSeen: false
hasSlackMessage: null
id: 623341
isArchived: false
key: "IDLE_ID_FETCH_SECRET-SEC-53216"
linkedElements: ["SEC-53216"]
logChangeType: null
modifyDate: "2024-08-13T22:43:45.306Z"
name: "Idle identity fetched a production secret"
occurrences: []
owner: "saas-assume-role"
ownerAiObject: null
ownerUid: null
path: "us-east-1/af3758c6-0595-4fd8-9672-80de6e625134-a9a9360a-cff1-44e8-a1b2-455db04573dc"
ruleCode: "IDLE_ID_FETCH_SECRET"
scanId: 24098807
severity: "HIGH"
source: "AWS"
status: "OPEN"
tags: ["Abnormal Behavior", "Programmatic", "App", "DemoStraw"]
tasks: [{customerId: 1, riskId: 623341, type: "REVIEW_ACTIVITY", level: "HARD",…}]
type: "BLAST"
Linked Element (Vaulted Secret) JSON
accessorsPolicies: {}
account: {environment: "DemoStraw", environmentType: "DEMO", accountType: "AWS", id: "937217712385"}
accountId: "937217712385"
accountType: "AWS"
azureSecretType: null
correlationGuid: null
creatorsPolicies: {roles: [{,…}, {data: {,…},…}, {,…}, {,…}, {,…},…],…}
customerId: 1
devices: [{role: "saas-assume-role", region: "us-east-1", ipAddress: "44.209.31.133",…},…]
errors: ["UNCLASSIFIED"]
guid: "SEC-53216"
isActive: true
isArchived: true
isIdle: false
lastAccsesTime: "2024-09-04T13:20:06.000Z"
liminalCreationDate: "2024-01-07T14:47:11.071Z"
liminalModifyDate: "2024-10-01T09:05:20.607Z"
modifiersPolicies: {}
origin: "NOT_FOUND"
owner: "saas-assume-role"
ownerAiObject: null
ownerUid: null
riskSeverity: "HIGH"
scanId: 31833820
secretArn: "arn:aws:secretsmanager:us-east-1:937217712385:secret:af3758c6-0595-4fd8-9672-80de6e625134-a9a9360a-cff1-44e8-a1b2-455db04573dc-CIShi7"
secretCreationDate: "2023-12-07T06:10:29.089Z"
secretCreatorJSON: "{\"username\":\"saas-assume-role\",\"userArn\":\"arn:aws:iam::937217712385:user/saas-assume-role\",\"sourceIP\":\"44.209.31.133\",\"accessTime\":\"2023-12-07T06:10:29.000Z\",\"userAgent\":\"aws-sdk-js/3.332.0 os/linux/5.10.198-187.748.amzn2.x86_64 lang/js md/nodejs/19.9.0 api/secrets_manager/3.332.0 exec-env/AWS_ECS_FARGATE\",\"eventName\":\"CreateSecret\"}"
secretLastAccessorJSON: "{\"username\":\"af3758c6-0595-4fd8-9672-80de6e625
secretLastModifierJSON: "{\"username\":\"saas-assume-role\",\"user
secretModifiedDate: "2024-09-26T18:38:51.643Z"
secretName: "af3758c6-0595-4fd8-9672-80de6e625134-a9a9360a-cff1-44e8-a1b2-455db04573dc"
secretObject: {}
secretRotationDate: "2023-12-07T06:10:29.089Z"
secretStore: "us-east-1"
secretTotalAccess: 3838
secretTotalAccessors: 1
secretTotalIp: 620
secretTotalUserAgent: 1
secretVersion: ""
state: null
tags: {tags: []}
uid: "c719536c-77ad-4f65-9960-0577a485e38f"
vaultName: "us-east-1"
vaultPermissions: {}
versionCount: 12