SolarWinds Orion API Key
Service Name: SolarWinds Orion
Service Description: SolarWinds Orion is a comprehensive IT infrastructure monitoring and management platform that provides visibility into the performance of networks, systems, and applications across on-premises, hybrid, and cloud environments.
Service Address: https://www.solarwinds.com/orion-platform
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the Orion server level through Windows Firewall settings or network access controls.
Secret Access Scope: Grants programmatic access to the SolarWinds Orion Platform API, allowing for monitoring, configuration, and management of network devices, servers, applications, and other IT infrastructure components.
Secret Revokement URL: https://documentation.solarwinds.com/en/success_center/orionplatform/content/core-managing-user-accounts-sw1184.htm
Secret Example: OrionAPIKey_a1b2c3d4-e5f6-7890-abcd-ef1234567890
Suspicious Activity Investigation Instructions:
- Review Orion Platform audit logs for unusual API calls or access patterns
- Check for unauthorized changes to monitored devices or configurations
- Monitor for unexpected data queries or export operations
- Verify if there are any new scheduled tasks or jobs created through the API
- Look for access from unusual IP addresses or outside normal business hours
- Review any changes to alert configurations or thresholds
Mitigation Instructions:
- Log in to the SolarWinds Orion Web Console as an administrator
- Navigate to Settings > All Settings > User Accounts
- Locate the user account associated with the compromised API key
- Reset the user's password and generate a new API key
- Alternatively, disable the user account if immediate access termination is
required
- Review and update API access permissions for all users
- Consider implementing IP restrictions for API access if not already in place
- Enable multi-factor authentication for administrative accounts
- Review and update your organization's secret rotation policies