Sample rules
First Time Seen AWS Secret Value Accessed in Secrets Manager
- source: elastic
- techniques:
- T1555
Description
An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may
attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time
a specific user identity has programmatically retrieved a secret value from Secrets Manager using the GetSecretValue
or BatchGetSecretValue actions. This rule assumes that AWS services such as Lambda functions and EC2 instances are
set up with IAM roles assigned that have the necessary permissions to access the secrets in Secrets Manager. An
adversary with access to a compromised AWS service would rely on its attached role to access the secrets in Secrets Manager.
Detection logic
event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and
event.action: (GetSecretValue or BatchGetSecretValue) and event.outcome:success and
not user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera")
AWS Secrets Manager Rapid Secrets Retrieval
- source: elastic
- techniques:
- T1555
Description
Identifies rapid secret retrieval activity from AWS Secrets Manager using the GetSecretValue or BatchGetSecretValue API actions. Adversaries who compromise an IAM user, instance role, or temporary credentials may attempt to enumerate or exfiltrate secrets in bulk to escalate privileges, move laterally, or gain persistence. This rule detects 20 or more unique secret retrievals by the same user identity within a short time window, which may indicate credential compromise or automated secret harvesting.
Detection logic
event.dataset: "aws.cloudtrail"
and event.provider: "secretsmanager.amazonaws.com"
and event.action: "GetSecretValue"
and event.outcome: "success"
and not (
user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera")
or source.address: ("kafka.amazonaws.com" or "apidestinations.events.amazonaws.com")
)
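Both rules' logic applied to constructed CloudTrail-shaped events, as an added example that is not part of Elastic's rule set: the shared filter collapses the two queries (both API actions, both exclusion lists), `first_time_seen` implements the new-identity rule and `rapid_retrieval` the 20-distinct-secrets rule. The `identity` and `secret_id` keys, integer-second `@timestamp` values and the 60-second window are assumptions for the example, not fields or parameters from the rules.

```python
from collections import defaultdict

BROWSERS = {"Chrome", "Firefox", "Safari", "Edge", "Brave", "Opera"}
EXCLUDED_SOURCES = {"kafka.amazonaws.com", "apidestinations.events.amazonaws.com"}
ACTIONS = {"GetSecretValue", "BatchGetSecretValue"}

def make_event(identity, secret_id, ts, action="GetSecretValue", ua="aws-cli/2.15", src="203.0.113.10"):
    """Build a constructed, CloudTrail-shaped event using the field names the queries use.
    `identity` and `secret_id` are assumed keys for this example, not ECS fields."""
    return {"@timestamp": ts, "event.dataset": "aws.cloudtrail",
            "event.provider": "secretsmanager.amazonaws.com", "event.action": action,
            "event.outcome": "success", "user_agent.name": ua, "source.address": src,
            "identity": identity, "secret_id": secret_id}

def matches_base_filter(ev):
    """Filter shared by both rules: successful, programmatic Secrets Manager reads."""
    return (ev.get("event.dataset") == "aws.cloudtrail"
            and ev.get("event.provider") == "secretsmanager.amazonaws.com"
            and ev.get("event.action") in ACTIONS
            and ev.get("event.outcome") == "success"
            and ev.get("user_agent.name") not in BROWSERS
            and ev.get("source.address") not in EXCLUDED_SOURCES)

def first_time_seen(events, known=()):
    """Rule 1: one alert per identity the first time it retrieves any secret value.
    `known` holds identities already observed during a baseline period."""
    seen, alerts = set(known), []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if matches_base_filter(ev) and ev["identity"] not in seen:
            seen.add(ev["identity"])
            alerts.append((ev["@timestamp"], ev["identity"]))
    return alerts

def rapid_retrieval(events, threshold=20, window=60):
    """Rule 2: identities that read >= threshold distinct secrets within `window` seconds."""
    reads = defaultdict(list)  # identity -> [(ts, secret_id)] in time order
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if matches_base_filter(ev):
            reads[ev["identity"]].append((ev["@timestamp"], ev["secret_id"]))
    flagged = set()
    for who, rs in reads.items():
        for i, (t0, _) in enumerate(rs):  # slide the window start over each read
            if len({sid for t, sid in rs[i:] if t - t0 <= window}) >= threshold:
                flagged.add(who)
                break
    return flagged

# Constructed sample: a role harvesting 20 distinct secrets in 20 seconds, a second
# role reading one secret, and a console (browser) read that both rules ignore.
SAMPLE = ([make_event("app-role/i-0abc", f"prod/db-{i}", ts=100 + i) for i in range(20)]
          + [make_event("ci-role/build-7", "ci/token", ts=300)]
          + [make_event("user/alice", "prod/db-0", ts=400, ua="Chrome")])
```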