Anomalous number of secrets retrieved from AWS Secrets Manager

Goal

Detect when an anomalous number of secrets are retrieved from AWS Secrets Manager.

Strategy

This rule monitors the GetSecretValue CloudTrail API call, which is logged each time a secret value is retrieved. The anomaly detection generates a security signal when a user's volume of retrievals deviates from that user's own baseline.

For more information about the anomaly detection method, see Detect security threats with anomaly detection rules.
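As an added illustration of the per-user baselining this rule relies on (not Datadog's rule logic or code), the script below reads constructed CloudTrail-style records, counts GetSecretValue calls per principal ARN per hour, and raises a signal only when an hour exceeds that principal's own mean + 3 standard deviations. The sample records, the ARN and the mean/stdev threshold are assumptions standing in for the product's anomaly model.

```python
import json
import statistics
from collections import Counter, defaultdict
from datetime import datetime

def make_event(ts, arn, secret_id, name="GetSecretValue"):
    """Build one constructed CloudTrail-style record (sample data, not a real trail)."""
    return json.dumps({"eventTime": ts, "eventSource": "secretsmanager.amazonaws.com",
                       "eventName": name, "userIdentity": {"arn": arn},
                       "requestParameters": {"secretId": secret_id},
                       "sourceIPAddress": "198.51.100.7"})

ARN = "arn:aws:sts::123456789012:assumed-role/DeployRole/ci"  # constructed principal
SAMPLE_LOGS = []
for day in range(1, 8):  # seven baseline days: 2 retrievals in the 10:00 hour
    SAMPLE_LOGS += [make_event(f"2024-05-0{day}T10:{i:02d}:00Z", ARN, f"prod/db-{i}") for i in range(2)]
SAMPLE_LOGS += [make_event(f"2024-05-08T10:{i:02d}:00Z", ARN, f"prod/secret-{i}") for i in range(40)]
SAMPLE_LOGS.append(make_event("2024-05-08T10:30:00Z", ARN, "prod/db-0", name="DescribeSecret"))

def hourly_counts(lines):
    """Count GetSecretValue calls per (principal ARN, hour); other Secrets Manager APIs are ignored."""
    counts = Counter()
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "secretsmanager.amazonaws.com" or ev.get("eventName") != "GetSecretValue":
            continue
        hour = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%dT%H")
        counts[(ev["userIdentity"]["arn"], hour)] += 1
    return counts

def find_anomalies(lines, threshold=3.0, min_history=3):
    """Signal when an hour's count exceeds the principal's own baseline (mean + threshold*stdev
    of its earlier hours). A stdev floor of 1 keeps a perfectly flat baseline from flagging +1."""
    per_arn = defaultdict(list)
    for (arn, hour), n in sorted(hourly_counts(lines).items(), key=lambda kv: kv[0][1]):
        per_arn[arn].append((hour, n))
    signals = []
    for arn, series in per_arn.items():
        for i, (hour, n) in enumerate(series):
            history = [c for _, c in series[:i]]
            if len(history) < min_history:  # not enough baseline yet; stay quiet
                continue
            mean, stdev = statistics.mean(history), statistics.pstdev(history)
            if n > mean + threshold * max(stdev, 1.0):
                signals.append({"arn": arn, "hour": hour, "count": n, "baseline": mean})
    return signals

if __name__ == "__main__":
    for s in find_anomalies(SAMPLE_LOGS):
        print(f"{s['arn']} retrieved {s['count']} secrets in {s['hour']} (baseline {s['baseline']:.1f}/h)")
```

Because the baseline is computed per principal, a service role that legitimately pulls many secrets every hour is not flagged, which is the same reason the triage steps below ask first whether this identity is expected to access these secrets.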

Triage and response

  1. Determine whether the identity {{@userIdentity.arn}} is expected to access AWS Secrets Manager and the secret values named in @requestParameters.secretId.
  2. If the activity is legitimate, consider including the user in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
  3. If the activity is unusual:
    • Contact the user {{@userIdentity.arn}} and confirm whether they made the API call.
    • Use the Cloud SIEM - User Investigation dashboard to see if the user {{@userIdentity.arn}} has taken other actions.
    • Use the Cloud SIEM - IP Investigation dashboard to see if there’s more traffic from the IP {{@network.client.ip}}.
  4. If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process as well as an investigation.