Vault Dump
Description
A single identity revealing all the secrets in your secret vault could be a sign of possible malicious activity and pose a serious threat to your business. It's crucial to investigate and determine the legitimacy of this action.

Detection triggers
-
Single identity fetching an entire vault, in a range of 7 days maximum.
-
This rule will only trigger if the vault contains at least 3 secrets.
Mitigation
Review abnormal activity
Fetching all the secrets from a single vault is considered an anomaly. There's usually no legitimate explanation to justify this activity other than malicious intentions, or backing up during a potential migration. Review this activity by following these steps:
-
Review the "Triggering Logs" tab to check for the following behavior.
-
If the activity is re-occurring.
-
Is the workload IP and client identical to its previous usage.
-
-
Investigate the actor identity responsible for the activity to understand if it's legitimate and expected.
-
If legitimate, move this risk status to 'approved'.
-
Otherwise, consider rotating all secrets and investigating the actors.
-
JSON Example
Risk JSON
account: {environment: "Demo", environmentType: DEMO}
accountId: "674845835668"
accountType: "AWS"
category: "ABNORMAL_BEHAVIOR"
correlationGuid: "NTR-126824"
creationDate: "2024-08-13T05:15:52.235Z"
customData: null
customerId: 34
data: {region: "us-east-1", username: "Adminolog"}
description: "A single identity revealing all the secrets in your secret vault could be a sign of possible malicious activity and pose a serious threat to your business. It's crucial to investigate and determine the legitimacy of this action."
destination: null
guid: "RSK-6579"
hasComment: null
hasJiraTicket: null
hasSeen: false
hasSlackMessage: null
id: 21078
isArchived: false
key: "VAULT_DUMP-us-east-1-Adminolog"
linkedElements: ["SEC-1780", "SEC-1770", "SEC-1783", "SEC-1777", "SEC-1779", "SEC-1776", "SEC-1765", "SEC-1782",…]
logChangeType: null
modifyDate: "2024-10-29T10:19:44.466Z"
name: "Vault dump"
occurrences: ["AWS_SECRETS_MANAGER"]
owner: "Ron"
ownerAiObject: {similarity: 0.9111111111111111, ownerItemType: "email", elementItemType: "username",…}
ownerUid: "08bf0a5b-3373-4d59-ace6-6f96470e0a26"
path: "us-east-1/3434243"
ruleCode: "VAULT_DUMP"
scanId: 2941938
severity: "HIGH"
source: "AWS"
status: "OPEN"
tags: ["Imminent Risk", "Insider Threat", "Abnormal Behavior", "Programmatic", "App"]
tasks: [{customerId: 34, riskId: 21078, type: "REVIEW_ACTIVITY", level: "HARD",…}]
type: "WORKLOAD"
Linked Element (Vaulted Secret) JSON, an example of one of the secrets linked:
account: {environment: "Demo", environmentType: DEMO, accountType: "AWS", id: "674845835668"}
accountId: "674845835668"
accountType: "AWS"
azureSecretType: null
correlationGuid: null
customerId: 34
devices: [{role: "Ron-Kaminski", region: "us-east-1", ipAddress: "34.239.28.160",…},…]
errors: ["UNCLASSIFIED"]
guid: "SEC-1780"
isActive: true
isArchived: false
isIdle: false
lastAccsesTime: "1800-01-01T00:00:00.000Z"
liminalCreationDate: "2024-08-12T23:45:14.344Z"
liminalModifyDate: "2024-10-29T13:49:36.516Z"
origin: null
owner: "Ron"
ownerAiObject: {similarity: 0.9111111111111111, ownerItemType: "email", elementItemType: "username",…}
ownerUid: "08bf0a5b-3373-4d59-ace6-6f96470e0a26"
riskSeverity: "HIGH"
scanId: 2947765
secretArn: "arn:aws:secretsmanager:us-east-1:674845835668:secret:3434243-HKVF1P"
secretCreationDate: "2023-06-07T12:21:52.149Z"
secretCreatorJSON: "null"
secretLastAccessorJSON: "{\"username\":\"Ron-Kaminski\",\"userArn\":\"arn:aw
secretLastModifierJSON: "null"
secretModifiedDate: "2023-06-07T12:21:52.190Z"
secretName: "3434243"
secretObject: {}
secretRotationDate: "2023-06-07T12:21:52.149Z"
secretStore: "us-east-1"
secretTotalAccess: 783
secretTotalAccessors: 2
secretTotalIp: 2
secretTotalUserAgent: 6
secretVersion: "4cc023c6-3944-4807-b658-33d757cb07ac"
state: null
tags: {tags: ["Programmatic", "App"]}
uid: "66ff2086-7a88-4549-8bea-a3ee83551b47"
vaultName: "us-east-1"
vaultPermissions: {}
versionCount: 1