Skip to content

Generic Secret Detections

Clarifications about Generic Detections

SailPoint Entro monitors generic secrets and credentials. They only generate an incident if enriched with context from their surrounding code or content to label their target service type.

Generic curl user and password Observed once User & Password combination appears near a "Curl" command for authorization curl -u myuser:mypass
Generic key Observed for any text combination of the keywords: "key", "api key", "secret", "token", "auth", "pat", "access", "client" - along with a high entropy string, and AI processing for false positive elimination my-serv-secret: dj2983cn928cyr9n82ynr9298cjuc3a
Generic creds Observed for any text combination of the keywords: "pw", "pwd", "pass", "cred" - along with a delimiter, high entropy string, and AI processing for false positive elimination SERVER_CREDENTIALS: A$@KFdj123
Generics Auth B64 Observed for decoded B64 strings for basic authorization strings "Authorization": "Basic aW50ZXJuc2hpcDpjZGk="

Qualifications for Generic Detections

To capture high-fidelity secret detections only, SailPoint Entro has identified a specific characteristic to qualify only strong detections as a Generic Secret:

  • High Entropy secret payload

  • Placeholder text such as "dummy", "test", or "example" strings won't qualify as valid detections for a secret payload. See examples below.

Redacted
Dummy
Test
Masked
******
SAMPLE
DELETED
VAULT
123456
  • The secret string for the "Generic Key" must be at least 14 characters long and include all the following: uppercase letters, lowercase letters, and digits.

  • Secret string for "Generic Creds" should be at least 5 chars long

  • AI analyzed ContextIQ determines it's a true positive detection based on its context.

  • Doesn't include the following 'excluded strings' in the secret payload

Excluded Strings - Generic Keys

'secret',
'token',
'cred',
'apikey',
'api.key',
'api_key',
'api-key',
'id_',
'id.',
'id-',
'trnsl',
'ops_kem',
'pos',
'aes',
'wpa',
'new',
'sec',
'zte',
'auto',
'options',
'preview',
'abcd',
'wpa',
'sec_',
'sec-',
'sec.',
'zte',
'com.',
'parentkey',
'auto',
'enrich',
'frontend',
'layout',
'group',
'field',
'gatsby',
'transform',
'random',
'12345',
'4321',
'_size',
'test',
'country',
'length',
'template',
'get_',
'get.',
'get-',
'preview',
'alpha',
'beta',
'fake',
'keyring',
'web_app',
'web.app',
'web-app',
'webapp',
'aizasy',
'example',
'/tmp/',
'crypt',
'encod',
'api-key',
'.env',
'trim',
'.result',
'author',
'random',
'/usr/',
'/bin/',
'/sbin/',
'/root/',
'/var/',
'util',
'azure/key-vault',
'serial',
'pubkey',
'pub_key',
'pub key',
'PWD}:',
'inetpub',
'pwd):/',
'aws.',
'/usr/',
'/src/',
'/home/',
'contains',
'$SECRET docker',
'fullname',
'logging',
'opencase',
'TestBuild',
'error',
'append',
'block',
'subscr',
'publish',
'Accessibil',
'percent',
'split',
'button',
'confirm',
'[username',
'foobar',
'struct',
'include',
'args.secret',
'/opt/',
'undefined',
'::tests',
'description',
'_main',
'setting',
'install',
'observ',
'match',
'> <',
'TextNode',
'/oauth',
'auth/',
'auth2/',
'unauth',
'search',
'upload',
'/mnt',
'undeploy',
'recognized',
'apis/google',
'apis.auth/',
'auth.acces',
'pi.auth.',
'auth.',
'import',
'native',
'random',
'/lib/',
'.dll',
'key_vault',
'.html',
'help',
'github-app-token@',
'get-secret',
'github-actions',
'apikey',
'certificate',
'.cs',
'.go',
'.md',
'/mnt',
'api-auth',
'clientside',
'helper',
'serverless',
'transport',
"VAR",
".xml",
".png",
".jpeg",
".gif",
"file",
'.pem'

Excluded Strings - Generic Credentials

'pwd',
'pass',
'password',
'cred',
'decoded',
'encoded',
'map',
'type',
'parse',
'false',
'true',
'await',
'default',
'string',
'env',
'bool',
'your',
'get',
'ask',
'set',
'number',
'persist',
'api_key',
'apikey',
'token',
'field',
'allow',
'input',
'base',
'verify',
'new-',
'obj',
'opt.',
'jwt',
'b64',
'base64',
'create',
'generate',
'config',
'hash',
'sha',
'range',
'/etc/',
'auth',
'data',
'%s',
'plain',
'abcdefghijklmnopqr',
'parse',
'json',
'await',
'sso',
'response',
'applic',
'case',
'return',
'valid',
'const',
'var',
'class',
'sdk',
'signal',
'encrypt',
'option',
'read',
'load',
'patch',
'fail',
'message',
'1.1',
'0.0',
'2.2',
'search',
'origin',
'protocol',
'file',
'undefined',
'null',
'update',
'emit',
'salt',
'object',
'secure',
'bcrypt',
'encrypted',
'sha256',
'function',
'removed',
'create',
'email$',
'base64',
'account',
'mysqli_real_escape',
'presence',
'share',
'expression',
'form',
'candidate',
'search',
'reg',
'model',
'type',
'uid',
'new',
'const',
'confirmer',
'throw',
'login',
'enter',
'input',
'config',
'ask',
'nombre',
'text',
'attr',
'html',
'attribute',
'label',
'type',
'swift',
'phone',
'class',
'anonymous',
'placeholder',
'validator',
'callback',
'field',
'url',
'args',
'wrong',
'cleaned',
'validated',
'please',
'django',
'required',
'disabled',
'change',
'foo',
'await',
'wrong pass',
'before',
'errors',
'request',
'value',
'guest',
'123213123',
'demo',
'ansible',
'java',
'request',
'auth_email',
'temp$',
'new$',
'your',
'raw',
'email',
'self',
'final$',
'prompt',
'and',
'empty',
'redacted',
'localhost',
'Saucelle',
'mailto',
'some-project-nam',
'passage',
'https',
'/home/',
'/opt/',
'vault',
'error',
'none',
'reqbody',
'(str',
'path.',
'resolve',
'node',
'count',
'.yml',
'.pem',
'this.',
'keyname@your-project',
'prope',
'.env',
'trim',
'/usr/',
'/bin/',
'/sbin/',
'/root/',
'encode',
'decode',
'crypt',
'random-key',
'/var/',
'util',
'param',
'acctpwd',
'oobesys',
'PwdAge',
'image',
'unifx',
'X-AMZ-Cred',
'append',
'prefix',
'split',
'warning',
'enable',
'.username',
'undefine',
'dict(',
'len(',
'.join',
'prop',
'xpath',
'query',
'found',
':ro',
':rw',
'replace',
'current',
'working',
'connect',
'/home/',
'timestamp',
'argv',
'str(',
'/src/',
'/app',
'system',
'os.',
'process',
'path.',
'.arg',
'unicode',
'!vault',
'int32',
'int64',
'stats',
'2,3,4,',
'array',
'obje',
'string',
'to_be_added',
'async',
'token',
'save',
'.call',
'.host',
'PWD}:',
'inetpub',
'pwd):/',
'aws.',
'/usr/',
'/src/',
'/home/',
'contains',
'$SECRET docker',
'fullname',
'logging',
'opencase',
'TestBuild',
'error',
'append',
'block',
'subscr',
'publish',
'Accessibil',
'percent',
'split',
'button',
'confirm',
'[username',
'foobar',
'struct',
'include',
'/opt/',
'undefined',
'::tests',
'description',
'_main',
'setting',
'install',
'observ',
'match',
'> <',
'TextNode',
'pwll',
'pwn',
'pwnage',
'pwr',
'pwder',
'ASIA',
'pws',
'output',
'Passed',
'Passo',
'pwork',
'pwv',
'pwc',
'pass&',
'PWS',
'pwa',
'ass 1',
'ass 2',
'ass 3',
'ass 4',
'ass 5',
'ass 6',
'ass,',
'w==,',
'helper',
'delta',
'clientside',
'certificate',
'helm-deploy',
'-plugin',
':in',
'/tmp',
'added',
'artifacts',
'available',
'c:\\',
'collecting',
'D:\\',
'duration',
'ensure',
'expected',
'forgot',
'header',
'identity',
'ignore',
'public',
'reason',
'rsa-key-',
'select',
'successfull',
'unable',
"private",
"ciper",
"personal",
"keychain",
"correct",
"store",
"repeat",
"reset",
"http",
"cert",
" at ",
"http://",
"https://",
"Traceback",
"href",
"VAR",
".xml",
".png",
".jpeg",
".gif",
"file",
"never",

AI Classification Enriched Services (1000+)

SailPoint Entro automatically tags potential exposed secret services using pre-defined names. It employs GenAI, entropy-based analysis, and secret-like characteristics. So in this case, secrets from those 1000+ services can be detected and tagged regardless if it's supported by SailPoint Entro rules mentioned above.

Low-Confidence Detections

Experimental, partial, or informational detections that do not necessarily grant access to sensitive information or authorization.

Generic Auth B64