AWS Access Secret in Secrets Manager | Elastic Security Solution [7.9]

The SIEM app is now a part of the Elastic Security solution. Click here to view SIEM documentation for previous releases.

› › ›

« Prebuilt rule reference AWS CloudTrail Log Created »

AWS Access Secret in Secrets Manageredit

An adversary may attempt to access the secrets in AWS Secrets Manager to steal certificates, credentials, or other sensitive material.

Rule type: query

Rule indices:

filebeat-*

Severity: high

Risk score: 73

Runs every: 10 minutes

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

AWS
Elastic
SecOps
Data Protection
Continuous Monitoring

Version: 1

Added (Elastic Stack release): 7.9.0

Rule authors: Nick Jones, Elastic

Rule license: Elastic License

Potential false positivesedit

Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If a known behavior is causing false positives, it can be excluded from the rule.

Investigation guideedit

The AWS Filebeat module must be enabled to use this rule.

Rule queryedit

event.dataset:aws.cloudtrail and
event.provider:secretsmanager.amazonaws.com and
event.action:GetSecretValue

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Steal Application Access Token
- ID: T1528
- Reference URL: https://attack.mitre.org/techniques/T1528/

« Prebuilt rule reference AWS CloudTrail Log Created »