Secret Was Fetched by a New Workload
Ecosystem support
-
AWS Secrets Manager
-
Azure Key Vault
-
GCP Secrets Manager
Description
A new workload (IP Address) retrieved a secret, indicating possible malicious activity. Reviewing this behavior is highly recommended.
Risk triggers
Any secret was fetched by a new IP address that was never recorded on SailPoint Entro’s platform
Mitigation
Review newly detected workload
-
It's not common to have new workloads accessing your secrets often, try to determine if accessor activity is legitimate and expected.
-
Ask the actor why new IP address was used
-
Investigate the secret's activity to determine if the client information (user-agent) is identical to previous activities.
-