Rules: AWS CloudTrail - Secrets Manager sensitive admin action observed
Administrative changes to the AWS Secrets Manager aren't overtly hostile, but are generally low volume and can be considered sensitive. These signals highlight when these actions occur and can be used in context of other suspicious activity to raise the risk of a hostile entity. Several Secrets Manager API actions are included and assessed as sensitive.
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Execution |
| Apply Risk to Entities | device_hostname, device_ip, user_username, srcDevice_ip |
| Signal Name | AWS CloudTrail - Secrets Manager sensitive admin action observed |
| Summary Expression | {{action}} performed by user: {{user_username}} |
| Score/Severity | Static: 1 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0006, _mitreAttackTechnique:T1552, _mitreAttackTechnique:T1552.004, _mitreAttackTechnique:T1552.005 |
| Origin | Field |
|---|---|
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | metadata_deviceEventId |
| Normalized Schema | metadata_product |
| Normalized Schema | metadata_vendor |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | user_username |