Skip to content

Idle Identity Fetched a Secret

Description

When a user that has been inactive for a period of time becomes active again, it could potentially pose a security threat to your organization, especially if his first actions are to fetch secrets. It's important to be aware of this and take the necessary precautions to ensure that user activity is legitimate.

Detection triggers

  • Identity was idle for more than 30 days

  • One of the first actions of the idle identity is to retrieve a secret from a vault

Mitigation

Review abnormal activity

Idle identities fetching secrets isn't common. Try to look for potential justifications for this activity, such as older secret related events by this actor.

JSON Example

Risk JSON

account: {environment: "DemoStraw", environmentType: "DEMO"}
accountId: "937217712385"
accountType: "AWS"
category: "ABNORMAL_BEHAVIOR"
correlationGuid: null
creationDate: "2024-08-13T22:43:45.306Z"
customData: null
customerId: 1
data: {,…}
description: "When a user that has been inactive for a period of time becomes active again, it could potentially pose a security threat to your organization, especially if his first actions are to fetch secrets. It's important to be aware of this and take the necessary precautions to ensure that user activity is legitimate."
destination: "NOT_FOUND"
guid: "RSK-54857"
hasComment: null
hasJiraTicket: null
hasSeen: false
hasSlackMessage: null
id: 623341
isArchived: false
key: "IDLE_ID_FETCH_SECRET-SEC-53216"
linkedElements: ["SEC-53216"]
logChangeType: null
modifyDate: "2024-08-13T22:43:45.306Z"
name: "Idle identity fetched a production secret"
occurrences: []
owner: "saas-assume-role"
ownerAiObject: null
ownerUid: null
path: "us-east-1/af3758c6-0595-4fd8-9672-80de6e625134-a9a9360a-cff1-44e8-a1b2-455db04573dc"
ruleCode: "IDLE_ID_FETCH_SECRET"
scanId: 24098807
severity: "HIGH"
source: "AWS"
status: "OPEN"
tags: ["Abnormal Behavior", "Programmatic", "App", "DemoStraw"]
tasks: [{customerId: 1, riskId: 623341, type: "REVIEW_ACTIVITY", level: "HARD",…}]
type: "BLAST"

Linked Element (Vaulted Secret) JSON

accessorsPolicies: {}
account: {environment: "DemoStraw", environmentType: "DEMO", accountType: "AWS", id: "937217712385"}
accountId: "937217712385"
accountType: "AWS"
azureSecretType: null
correlationGuid: null
creatorsPolicies: {roles: [{,…}, {data: {,…},…}, {,…}, {,…}, {,…},…],…}
customerId: 1
devices: [{role: "saas-assume-role", region: "us-east-1", ipAddress: "44.209.31.133",…},…]
errors: ["UNCLASSIFIED"]
guid: "SEC-53216"
isActive: true
isArchived: true
isIdle: false
lastAccsesTime: "2024-09-04T13:20:06.000Z"
liminalCreationDate: "2024-01-07T14:47:11.071Z"
liminalModifyDate: "2024-10-01T09:05:20.607Z"
modifiersPolicies: {}
origin: "NOT_FOUND"
owner: "saas-assume-role"
ownerAiObject: null
ownerUid: null
riskSeverity: "HIGH"
scanId: 31833820
secretArn: "arn:aws:secretsmanager:us-east-1:937217712385:secret:af3758c6-0595-4fd8-9672-80de6e625134-a9a9360a-cff1-44e8-a1b2-455db04573dc-CIShi7"
secretCreationDate: "2023-12-07T06:10:29.089Z"
secretCreatorJSON: "{\"username\":\"saas-assume-role\",\"userArn\":\"arn:aws:iam::937217712385:user/saas-assume-role\",\"sourceIP\":\"44.209.31.133\",\"accessTime\":\"2023-12-07T06:10:29.000Z\",\"userAgent\":\"aws-sdk-js/3.332.0 os/linux/5.10.198-187.748.amzn2.x86_64 lang/js md/nodejs/19.9.0 api/secrets_manager/3.332.0 exec-env/AWS_ECS_FARGATE\",\"eventName\":\"CreateSecret\"}"
secretLastAccessorJSON: "{\"username\":\"af3758c6-0595-4fd8-9672-80de6e625
secretLastModifierJSON: "{\"username\":\"saas-assume-role\",\"user
secretModifiedDate: "2024-09-26T18:38:51.643Z"
secretName: "af3758c6-0595-4fd8-9672-80de6e625134-a9a9360a-cff1-44e8-a1b2-455db04573dc"
secretObject: {}
secretRotationDate: "2023-12-07T06:10:29.089Z"
secretStore: "us-east-1"
secretTotalAccess: 3838
secretTotalAccessors: 1
secretTotalIp: 620
secretTotalUserAgent: 1
secretVersion: ""
state: null
tags: {tags: []}
uid: "c719536c-77ad-4f65-9960-0577a485e38f"
vaultName: "us-east-1"
vaultPermissions: {}
versionCount: 12