---
title: Cisco Duo integration API secret key viewed in plaintext
description: Datadog, the leading service for cloud-scale monitoring.
---

# Cisco Duo integration API secret key viewed in plaintext

- Classification: detection-engine
- Tactic: [TA0006-credential-access](https://attack.mitre.org/tactics/TA0006)
- Technique: [T1552-unsecured-credentials](https://attack.mitre.org/techniques/T1552)

## Goal{% #goal %}

Detects when a Cisco Duo administrator views an application integration secret key in plaintext, which exposes the credential needed to make authenticated API calls on behalf of that integration.

## Strategy{% #strategy %}

This rule monitors Cisco Duo activity logs for `integration_skey_view` and `integration_skey_bulk_view` actions. Each Cisco Duo integration (also called an application) is associated with an integration key and a secret key that together authenticate API calls to Duo's service. Viewing the secret key in plaintext through the Duo admin panel is a high-risk administrative action that is rarely performed in normal operations. Bulk viewing (`integration_skey_bulk_view`) is particularly suspicious as it can expose all integrations simultaneously. This action maps to credential theft through unsecured credential discovery and can enable lateral movement to all Duo-protected applications.

## Triage and Response{% #triage-and-response %}

- Verify with `{{@usr.email}}` whether there was a legitimate, documented reason to view the integration secret key at the time recorded.
- Identify which specific integration's secret key was accessed and assess what applications and systems are protected by that integration.
- Determine if the secret key exposure was followed by any anomalous API calls or authentication activity attributable to that integration.
- Review recent activity from `{{@access_device.ip.address}}` for other indicators of compromise, including lateral movement or unauthorized configuration changes.
- If the access was unauthorized, immediately rotate the secret key for the affected integration to invalidate any credentials the attacker may have obtained.
- For `integration_skey_bulk_view` events, treat all integration secret keys as potentially compromised and initiate rotation for all affected integrations.
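
The strategy and triage steps above can be sketched as a small script over exported activity events. This is an added example, not Datadog's rule logic or Cisco Duo's code; the event field names (`ts`, `action`, `user`, `ip`, `object`), the sample events, and the integration inventory are constructed assumptions.

```python
from datetime import datetime, timedelta

# The two actions the rule monitors (from the Strategy section).
SKEY_ACTIONS = {"integration_skey_view", "integration_skey_bulk_view"}

# Constructed sample events. Field names and the non-skey action names are
# assumptions for this example, not the Duo or Datadog log schema.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "action": "admin_login",
     "user": "alice@example.com", "ip": "198.51.100.7", "object": None},
    {"ts": "2024-05-01T09:02:10", "action": "integration_skey_view",
     "user": "alice@example.com", "ip": "198.51.100.7", "object": "VPN"},
    {"ts": "2024-05-01T09:05:30", "action": "integration_update",
     "user": "alice@example.com", "ip": "198.51.100.7", "object": "VPN"},
    {"ts": "2024-05-01T14:00:00", "action": "integration_skey_bulk_view",
     "user": "bob@example.com", "ip": "203.0.113.9", "object": None},
    {"ts": "2024-05-02T08:00:00", "action": "admin_login",
     "user": "bob@example.com", "ip": "203.0.113.9", "object": None},
]
INVENTORY = ["VPN", "SSH", "Admin API"]  # constructed list of integrations


def triage(events, inventory, window=timedelta(hours=1)):
    """Return one finding per secret key view, with keys to rotate and
    later activity from the same source IP inside the review window."""
    parsed = sorted(({**e, "t": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["t"])
    findings = []
    for e in parsed:
        if e["action"] not in SKEY_ACTIONS:
            continue
        bulk = e["action"] == "integration_skey_bulk_view"
        follow_on = [o["action"] for o in parsed
                     if o["ip"] == e["ip"] and e["t"] < o["t"] <= e["t"] + window]
        findings.append({
            "user": e["user"], "ip": e["ip"], "when": e["ts"],
            # A bulk view exposes every integration, so all keys are in scope.
            "rotate": sorted(inventory) if bulk else [e["object"]],
            "follow_on": follow_on,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS, INVENTORY):
        print(finding)
```
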
