Anomalous number of secrets retrieved from AWS Secrets Manager

Docs > Plateforme de sécurité Datadog > OOTB Rules > Anomalous number of secrets retrieved from AWS Secrets Manager

Classification:

attack

Tactic:

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when an anomalous number of secrets are retrieved from AWS Secrets Manager.

Strategy

This rule lets you monitor the GetSecretValue CloudTrail API call to detect when a secret is retrieved. The anomaly detection generates a security signal when a user deviates from their baseline.

For more information about the anomaly detection method, see Detect security threats with anomaly detection rules.

Triage and response

Determine whether the identity: {{@userIdentity.arn}} is expected to access the AWS Secrets Manager and the secret values within @requestParameters.secretId.
If the activity is legitimate, consider including the user in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
If the activity is unusual:
- Contact the user: {{@userIdentity.arn}} and see if they made the API call.
- Use the Cloud SIEM - User Investigation dashboard to see if the user {{@userIdentity.arn}} has taken other actions.
- Use the Cloud SIEM - IP Investigation dashboard to see if there’s more traffic from the IP {{@network.client.ip}}.
If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process as well as an investigation.