Classification: attack
Tactic:
Technique:
Detect when a user is attempting to retrieve a high number of secrets while also receiving an AccessDenied error message, through CloudTrail's GetSecretValue event.
This rule sets a baseline for user activity in the GetSecretValue event, and enables the detection of potentially anomalous activity when a user receives an anomalous number of AccessDenied messages while attempting to retrieve secrets.
An attacker may attempt to enumerate and access the AWS Secrets Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.
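An added illustration of the strategy described above, not Datadog's rule or query: a small Python detector that counts AccessDenied GetSecretValue events per STS session name from constructed CloudTrail records, and flags a window whose count is both above an absolute floor and three standard deviations above that session's historical baseline. The field names (eventSource, eventName, errorCode, userIdentity.arn) are CloudTrail's; the session names, baseline values and thresholds are assumptions.

```python
import json
import statistics
from collections import Counter

# Constructed sample CloudTrail records (not real data); only the fields the rule needs.
def _record(session, error=None, name="GetSecretValue"):
    rec = {"eventSource": "secretsmanager.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": f"arn:aws:sts::111122223333:assumed-role/DevRole/{session}"}}
    if error:
        rec["errorCode"] = error          # absent on successful calls, as in CloudTrail
    return json.dumps(rec)

SAMPLE_EVENTS = (
    [_record("alice", "AccessDenied") for _ in range(12)]        # burst of denied reads
    + [_record("alice", "AccessDenied", name="ListSecrets")]      # other API: not counted
    + [_record("bob") for _ in range(3)] + [_record("bob", "AccessDenied")]  # normal noise
)
# Historical per-window AccessDenied counts per session (constructed baseline).
BASELINES = {"alice": [0, 1, 0, 2, 1, 0], "bob": [1, 0, 1, 1, 0, 2]}


def session_name(record: dict) -> str:
    # For assumed roles the last ARN segment is the STS session name.
    return record["userIdentity"]["arn"].rsplit("/", 1)[-1]


def denied_get_secret_counts(lines) -> Counter:
    # Count GetSecretValue calls that failed with AccessDenied, per session name.
    counts = Counter()
    for line in lines:
        rec = json.loads(line)
        if (rec.get("eventSource") == "secretsmanager.amazonaws.com"
                and rec.get("eventName") == "GetSecretValue"
                and rec.get("errorCode") == "AccessDenied"):
            counts[session_name(rec)] += 1
    return counts


def is_anomalous(count: int, baseline, min_count: int = 5, z: float = 3.0) -> bool:
    # Flag only when above an absolute floor AND z standard deviations above the baseline,
    # so a single stray denial never fires; with no history the floor alone decides.
    if count < min_count:
        return False
    if not baseline:
        return True
    return count > statistics.fmean(baseline) + z * statistics.pstdev(baseline)


def find_anomalous_sessions(lines, baselines) -> dict:
    counts = denied_get_secret_counts(lines)
    return {s: n for s, n in counts.items() if is_anomalous(n, baselines.get(s, []))}
```

Running `find_anomalous_sessions(SAMPLE_EVENTS, BASELINES)` returns `{'alice': 12}`: the session with a burst of denied reads is flagged, while bob's single denial stays within its baseline.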
{{@userIdentity.session_name}}
to determine if the specific set of API calls are malicious. {{@userIdentity.session_name}}.
aws-cli command update-secret or use the AWS Console.

25 October 2022 - Updated query.