Unusual secret management activity

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: AWS Audit Log OR Azure Audit Log OR Gcp Audit Log
Detection Modules	Cloud
ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Unsecured Credentials (T1552) Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
Severity	Informational

A cloud Identity performed a secret management operation for the first time.

Abuse exposed secrets to gain access to restricted cloud resources and applications.

Check the identity's role designation in the organization.
Verify that the identity did not perform any sensitive secret management operation that it shouldn't.