Skip to content

Secret Was Fetched by a New Workload

Ecosystem support

  • AWS Secrets Manager

  • Azure Key Vault

  • GCP Secrets Manager

Description

A new workload (IP Address) retrieved a secret, indicating possible malicious activity. Reviewing this behavior is highly recommended.

Risk triggers

Any secret was fetched by a new IP address that was never recorded on SailPoint Entro’s platform

Mitigation

Review newly detected workload

  1. It's not common to have new workloads accessing your secrets often, try to determine if accessor activity is legitimate and expected.

    • Ask the actor why new IP address was used

    • Investigate the secret's activity to determine if the client information (user-agent) is identical to previous activities.