Generic Secret Detections
Clarifications about Generic Detections
SailPoint Entro monitors generic secrets and credentials. They only generate an incident if enriched with context from their surrounding code or content to label their target service type.
| Generic curl user and password | Observed once User & Password combination appears near a "Curl" command for authorization | curl -u myuser:mypass |
|---|---|---|
| Generic key | Observed for any text combination of the keywords: "key", "api key", "secret", "token", "auth", "pat", "access", "client" - along with a high entropy string, and AI processing for false positive elimination | my-serv-secret: dj2983cn928cyr9n82ynr9298cjuc3a |
| Generic creds | Observed for any text combination of the keywords: "pw", "pwd", "pass", "cred" - along with a delimiter, high entropy string, and AI processing for false positive elimination | SERVER_CREDENTIALS: A$@KFdj123 |
| Generics Auth B64 | Observed for decoded B64 strings for basic authorization strings | "Authorization": "Basic aW50ZXJuc2hpcDpjZGk=" |
Qualifications for Generic Detections
To capture high-fidelity secret detections only, SailPoint Entro has identified a specific characteristic to qualify only strong detections as a Generic Secret:
-
High Entropy secret payload
-
Placeholder text such as "dummy", "test", or "example" strings won't qualify as valid detections for a secret payload. See examples below.
-
The secret string for the "Generic Key" must be at least 14 characters long and include all the following: uppercase letters, lowercase letters, and digits.
-
Secret string for "Generic Creds" should be at least 5 chars long
-
AI analyzed ContextIQ determines it's a true positive detection based on its context.
-
Doesn't include the following 'excluded strings' in the secret payload
Excluded Strings - Generic Keys
'secret',
'token',
'cred',
'apikey',
'api.key',
'api_key',
'api-key',
'id_',
'id.',
'id-',
'trnsl',
'ops_kem',
'pos',
'aes',
'wpa',
'new',
'sec',
'zte',
'auto',
'options',
'preview',
'abcd',
'wpa',
'sec_',
'sec-',
'sec.',
'zte',
'com.',
'parentkey',
'auto',
'enrich',
'frontend',
'layout',
'group',
'field',
'gatsby',
'transform',
'random',
'12345',
'4321',
'_size',
'test',
'country',
'length',
'template',
'get_',
'get.',
'get-',
'preview',
'alpha',
'beta',
'fake',
'keyring',
'web_app',
'web.app',
'web-app',
'webapp',
'aizasy',
'example',
'/tmp/',
'crypt',
'encod',
'api-key',
'.env',
'trim',
'.result',
'author',
'random',
'/usr/',
'/bin/',
'/sbin/',
'/root/',
'/var/',
'util',
'azure/key-vault',
'serial',
'pubkey',
'pub_key',
'pub key',
'PWD}:',
'inetpub',
'pwd):/',
'aws.',
'/usr/',
'/src/',
'/home/',
'contains',
'$SECRET docker',
'fullname',
'logging',
'opencase',
'TestBuild',
'error',
'append',
'block',
'subscr',
'publish',
'Accessibil',
'percent',
'split',
'button',
'confirm',
'[username',
'foobar',
'struct',
'include',
'args.secret',
'/opt/',
'undefined',
'::tests',
'description',
'_main',
'setting',
'install',
'observ',
'match',
'> <',
'TextNode',
'/oauth',
'auth/',
'auth2/',
'unauth',
'search',
'upload',
'/mnt',
'undeploy',
'recognized',
'apis/google',
'apis.auth/',
'auth.acces',
'pi.auth.',
'auth.',
'import',
'native',
'random',
'/lib/',
'.dll',
'key_vault',
'.html',
'help',
'github-app-token@',
'get-secret',
'github-actions',
'apikey',
'certificate',
'.cs',
'.go',
'.md',
'/mnt',
'api-auth',
'clientside',
'helper',
'serverless',
'transport',
"VAR",
".xml",
".png",
".jpeg",
".gif",
"file",
'.pem'
Excluded Strings - Generic Credentials
'pwd',
'pass',
'password',
'cred',
'decoded',
'encoded',
'map',
'type',
'parse',
'false',
'true',
'await',
'default',
'string',
'env',
'bool',
'your',
'get',
'ask',
'set',
'number',
'persist',
'api_key',
'apikey',
'token',
'field',
'allow',
'input',
'base',
'verify',
'new-',
'obj',
'opt.',
'jwt',
'b64',
'base64',
'create',
'generate',
'config',
'hash',
'sha',
'range',
'/etc/',
'auth',
'data',
'%s',
'plain',
'abcdefghijklmnopqr',
'parse',
'json',
'await',
'sso',
'response',
'applic',
'case',
'return',
'valid',
'const',
'var',
'class',
'sdk',
'signal',
'encrypt',
'option',
'read',
'load',
'patch',
'fail',
'message',
'1.1',
'0.0',
'2.2',
'search',
'origin',
'protocol',
'file',
'undefined',
'null',
'update',
'emit',
'salt',
'object',
'secure',
'bcrypt',
'encrypted',
'sha256',
'function',
'removed',
'create',
'email$',
'base64',
'account',
'mysqli_real_escape',
'presence',
'share',
'expression',
'form',
'candidate',
'search',
'reg',
'model',
'type',
'uid',
'new',
'const',
'confirmer',
'throw',
'login',
'enter',
'input',
'config',
'ask',
'nombre',
'text',
'attr',
'html',
'attribute',
'label',
'type',
'swift',
'phone',
'class',
'anonymous',
'placeholder',
'validator',
'callback',
'field',
'url',
'args',
'wrong',
'cleaned',
'validated',
'please',
'django',
'required',
'disabled',
'change',
'foo',
'await',
'wrong pass',
'before',
'errors',
'request',
'value',
'guest',
'123213123',
'demo',
'ansible',
'java',
'request',
'auth_email',
'temp$',
'new$',
'your',
'raw',
'email',
'self',
'final$',
'prompt',
'and',
'empty',
'redacted',
'localhost',
'Saucelle',
'mailto',
'some-project-nam',
'passage',
'https',
'/home/',
'/opt/',
'vault',
'error',
'none',
'reqbody',
'(str',
'path.',
'resolve',
'node',
'count',
'.yml',
'.pem',
'this.',
'keyname@your-project',
'prope',
'.env',
'trim',
'/usr/',
'/bin/',
'/sbin/',
'/root/',
'encode',
'decode',
'crypt',
'random-key',
'/var/',
'util',
'param',
'acctpwd',
'oobesys',
'PwdAge',
'image',
'unifx',
'X-AMZ-Cred',
'append',
'prefix',
'split',
'warning',
'enable',
'.username',
'undefine',
'dict(',
'len(',
'.join',
'prop',
'xpath',
'query',
'found',
':ro',
':rw',
'replace',
'current',
'working',
'connect',
'/home/',
'timestamp',
'argv',
'str(',
'/src/',
'/app',
'system',
'os.',
'process',
'path.',
'.arg',
'unicode',
'!vault',
'int32',
'int64',
'stats',
'2,3,4,',
'array',
'obje',
'string',
'to_be_added',
'async',
'token',
'save',
'.call',
'.host',
'PWD}:',
'inetpub',
'pwd):/',
'aws.',
'/usr/',
'/src/',
'/home/',
'contains',
'$SECRET docker',
'fullname',
'logging',
'opencase',
'TestBuild',
'error',
'append',
'block',
'subscr',
'publish',
'Accessibil',
'percent',
'split',
'button',
'confirm',
'[username',
'foobar',
'struct',
'include',
'/opt/',
'undefined',
'::tests',
'description',
'_main',
'setting',
'install',
'observ',
'match',
'> <',
'TextNode',
'pwll',
'pwn',
'pwnage',
'pwr',
'pwder',
'ASIA',
'pws',
'output',
'Passed',
'Passo',
'pwork',
'pwv',
'pwc',
'pass&',
'PWS',
'pwa',
'ass 1',
'ass 2',
'ass 3',
'ass 4',
'ass 5',
'ass 6',
'ass,',
'w==,',
'helper',
'delta',
'clientside',
'certificate',
'helm-deploy',
'-plugin',
':in',
'/tmp',
'added',
'artifacts',
'available',
'c:\\',
'collecting',
'D:\\',
'duration',
'ensure',
'expected',
'forgot',
'header',
'identity',
'ignore',
'public',
'reason',
'rsa-key-',
'select',
'successfull',
'unable',
"private",
"ciper",
"personal",
"keychain",
"correct",
"store",
"repeat",
"reset",
"http",
"cert",
" at ",
"http://",
"https://",
"Traceback",
"href",
"VAR",
".xml",
".png",
".jpeg",
".gif",
"file",
"never",
AI Classification Enriched Services (1000+)
SailPoint Entro automatically tags potential exposed secret services using pre-defined names. It employs GenAI, entropy-based analysis, and secret-like characteristics. So in this case, secrets from those 1000+ services can be detected and tagged regardless if it's supported by SailPoint Entro rules mentioned above.
Low-Confidence Detections
Experimental, partial, or informational detections that do not necessarily grant access to sensitive information or authorization.