Stale (Idle) Secret/Token
Description
Idle tokens, also known as dormant or stale tokens, pose a security risk because they may no longer be actively used, but they still grant access to sensitive information and resources. This can be particularly damaging if the tokens have high privileges, as the attacker can use them to make unauthorized changes or exfiltrate data.

Risk triggers
-
Secret or token that wasn’t used for at least 30 days (by default)
-
Idle thresholds can be configured according to the policies of your organization
Mitigation
Disable and delete tokens not in use.
Idle tokens aren't used by any workload.
-
Step 1:
- You can safely disable them without impacting the organization.
-
Step 2:
- Contact the token owner and let him know it is no longer needed.
JSON Example
Risk JSON
account: {environment: "QA", environmentType: "QA"}
accountId: "64067yo0-2ff1-45ec-44d9-151a89594456"
accountType: "AZURE"
category: "SECRET_HYGINE"
correlationGuid: "NTR-155825"
creationDate: "2024-09-15T17:40:30.902Z"
customData: null
customerId: 34
data: {,…}
description: "Idle tokens, also known as dormant or stale tokens, pose a security risk because they may no longer be actively used, but they still grant access to sensitive information and resources. This can be particularly damaging if the tokens have high privileges, as the attacker can use them to make unauthorized changes or exfiltrate data."
destination: "AZURE_APP_TOKEN"
guid: "RSK-8482"
hasComment: null
hasJiraTicket: null
hasSeen: false
hasSlackMessage: null
id: 38517
isArchived: false
key: "IDLE_TOKEN-TKN-899"
linkedElements: ["TKN-899"]
logChangeType: null
modifyDate: "2024-10-31T00:45:56.655Z"
name: "Idle token"
occurrences: ["AZURE_APP_REGISTRATION_SECRET"]
owner: "Will Costner"
ownerAiObject: {similarity: 1, ownerItemType: "fullname", elementItemType: "username",…}
ownerUid: "f868df47-b202-4ab5-8474-4ba3f6fef1ab"
path: "e47d9c37-1d6b-4718-8b83-64bec62ea45b"
ruleCode: "IDLE_TOKEN"
scanId: 3028867
severity: "LOW"
source: "AZURE"
status: "OPEN"
tags: ["Hygiene", "QA"]
tasks: [{customerId: 34, riskId: 38517, type: "REVOKE_IDLE_TOKEN", level: "EASY",…}]
type: "NOT_USED"
Linked Element (Vaulted Secret/NHI Token) JSON
accessedDate: null
account: {environment: "QA", environmentType: "QA", accountType: "AZURE",…}
accountId: "64067yo0-2ff1-45ec-44d9-151a89594456"
accountType: "AZURE"
awsPolicies: null
azurePermissions: {delegated: [], application: [{id: "txtHuu9JvECFDiBXsDQ-2453H4f9wQNJuaUXJIZV0E4",…},…]}
azureRoles: "[]"
correlationGuid: "NTR-155825"
creationDate: "2024-06-16T08:21:27.639Z"
creator: null
customerId: 34
devices: null
guid: "TKN-899"
infoJSON: "{\"customKeyIdentifier\":null,\"displayName\":\"TestTriage\",\"endDateTime\":\"2024-12-13T09:21:27.639Z\",\"hint\":\"tsu\",\"keyId\":\"e47d9c37-1d6b-4718-8b83-64bec62ea45b\",\"secretText\":null,\"startDateTime\":\"2024-06-16T08:21:27.639Z\",\"owner\":\"Entro\",\"publisherDomain\":\"entro.security\",\"appDisplayName\":\"Entro\",\"appId\":\"4f941f94-abf8-46e2-86e2-0fcbc8d5f816\",\"tokenId\":\"e47d9c37-1d6b-4718-8b83-64bec62ea45b\"}"
isActive: false
isAdmin: false
isArchived: false
isIdle: true
isProd: false
lastAccessors: null
lastModifiers: null
lastOwnerAiUpdate: null
liminalCreationDate: "2024-06-16T08:21:27.639Z"
liminalModifyDate: "2024-10-22T15:55:04.539Z"
originAccessMethod: "AZURE_APP_TOKEN"
owner: "Will Costner"
ownerAiObject: {similarity: 1, ownerItemType: "fullname", elementItemType: "username",…}
ownerSource: "PERMISSION_NAME"
ownerUid: "f868df47-b202-4ab5-8474-4ba3f6fef1ab"
riskSeverity: "LOW"
rotationDate: "2024-06-16T08:21:27.639Z"
scanId: 2605620
serviceName: null
status: "Active"
tags: null
tokenId: "e47d9c37-1d6b-4718-8b83-64bec62ea45b"
tokenTotalAccess: null
tokenTotalIp: null
tokenTotalUserAgent: null
uid: "6901b2bf-8ad1-444b-8168-7b129d548c45"
userAgent: null
username: "4f941f94-abf8-46e2-86e2-0fcbc8d5f816"