T1555.006 Cloud Secrets Management Stores Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let AWSSecretOps = dynamic(["GetSecretValue", "ListSecrets", "DescribeSecret", "BatchGetSecretValue"]);
let AzureSecretOps = dynamic(["SecretGet", "SecretList", "Microsoft.KeyVault/vaults/secrets/read", "Microsoft.KeyVault/vaults/secrets/getSecret"]);
let GCPSecretOps = dynamic(["google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion", "google.cloud.secretmanager.v1.SecretManagerService.ListSecrets"]);
CloudAppEvents
| where Timestamp > ago(24h)
| where ActionType has_any (AWSSecretOps) or ActionType has_any (AzureSecretOps) or ActionType has_any (GCPSecretOps)
| summarize SecretAccessCount=count(), UniqueSecrets=dcount(tostring(RawEventData.requestParameters.secretId)),
            FirstAccess=min(Timestamp), LastAccess=max(Timestamp)
            by AccountDisplayName, IPAddress, Application
| where SecretAccessCount > 10 or UniqueSecrets > 5
| sort by SecretAccessCount desc

critical severity medium confidence

Data Sources

Cloud Service: Cloud Service Enumeration Application Log: Application Log Content AWS CloudTrail Azure Activity Log GCP Audit Log

Required Tables

CloudAppEvents

False Positives

CI/CD pipelines that retrieve multiple secrets during deployment operations
Application startup routines that batch-load configuration secrets from the secrets manager
Secrets rotation automation that accesses all secrets during scheduled rotation cycles
Infrastructure-as-Code tools (Terraform, Pulumi) that read secrets during plan/apply operations

Splunk

spl

(index=aws sourcetype="aws:cloudtrail" eventName IN ("GetSecretValue", "ListSecrets", "DescribeSecret", "BatchGetSecretValue"))
OR (index=azure sourcetype="azure:audit" operationName="*KeyVault*" operationName IN ("SecretGet", "SecretList", "VaultGet"))
OR (index=gcp sourcetype="google:gcp:pubsub:message" data.protoPayload.methodName="google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion")
| eval cloud_provider=case(
    sourcetype=="aws:cloudtrail", "AWS",
    sourcetype=="azure:audit", "Azure",
    sourcetype=="google:gcp:pubsub:message", "GCP",
    1=1, "Unknown")
| eval identity=coalesce(userIdentity.arn, claims.upn, data.protoPayload.authenticationInfo.principalEmail)
| eval source_ip=coalesce(sourceIPAddress, callerIpAddress, data.protoPayload.requestMetadata.callerIp)
| eval secret_name=coalesce(requestParameters.secretId, properties.id, data.protoPayload.resourceName)
| stats count as SecretAccessCount, dc(secret_name) as UniqueSecrets, earliest(_time) as FirstAccess, latest(_time) as LastAccess by identity, source_ip, cloud_provider
| where SecretAccessCount > 10 OR UniqueSecrets > 5
| sort - SecretAccessCount

critical severity medium confidence

Data Sources

AWS CloudTrail Azure Activity Log GCP Audit Log

Required Sourcetypes

aws:cloudtrail azure:audit google:gcp:pubsub:message

False Positives

CI/CD pipelines retrieving secrets during deployments
Application startup routines that batch-load configuration secrets
Secrets rotation automation during scheduled rotation
Terraform/Pulumi reading secrets during infrastructure operations

Elastic Security (EQL)

eql

sequence by user.name, source.ip with maxspan=1h
  [any where event.dataset in ("aws.cloudtrail", "azure.activitylogs", "gcp.audit")
   and (
     event.action in ("GetSecretValue", "ListSecrets", "DescribeSecret", "BatchGetSecretValue",
                      "SecretGet", "SecretList", "VaultGet")
     or event.action : ("*AccessSecretVersion*", "*SecretManagerService*")
   )
  ] with runs=10

high severity medium confidence

Data Sources

AWS CloudTrail via Elastic Agent AWS integration Azure Activity Logs via Elastic Agent Azure integration GCP Cloud Audit Logs via Elastic Agent Google Cloud integration

Required Tables

logs-aws.cloudtrail-* logs-azure.activitylogs-* logs-gcp.audit-*

False Positives

CI/CD pipelines (GitHub Actions, Jenkins, GitLab CI) that retrieve multiple secrets during build or deployment workflows — baseline pipeline service account identities and exclude them by user.name
Terraform or Pulumi runs performing plan/apply operations that enumerate secrets across an environment — expected during large-scale infrastructure provisioning and identifiable by the requesting user agent
Automated secret rotation scripts that access current and new secret versions in bulk — typically execute via dedicated rotation service accounts on predictable schedules that can be allowlisted

IBM QRadar (AQL)

sql

SELECT
  username,
  sourceip,
  CASE
    WHEN LOGSOURCETYPENAME(devicetype) LIKE '%CloudTrail%' THEN 'AWS'
    WHEN LOGSOURCETYPENAME(devicetype) LIKE '%Azure%' OR LOGSOURCETYPENAME(devicetype) LIKE '%Microsoft%' THEN 'Azure'
    WHEN LOGSOURCETYPENAME(devicetype) LIKE '%Google%' OR LOGSOURCETYPENAME(devicetype) LIKE '%GCP%' THEN 'GCP'
    ELSE 'Unknown'
  END AS cloud_provider,
  COUNT(*) AS SecretAccessCount,
  COUNT(DISTINCT QIDNAME(qid)) AS UniqueOperationTypes,
  DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS FirstAccess,
  DATEFORMAT(MAX(starttime), 'yyyy-MM-dd HH:mm:ss') AS LastAccess
FROM events
WHERE
  (
    (
      LOGSOURCETYPENAME(devicetype) LIKE '%CloudTrail%'
      AND QIDNAME(qid) IN ('GetSecretValue', 'ListSecrets', 'DescribeSecret', 'BatchGetSecretValue')
    )
    OR (
      (LOGSOURCETYPENAME(devicetype) LIKE '%Azure%' OR LOGSOURCETYPENAME(devicetype) LIKE '%Microsoft%')
      AND (
        LOWER(QIDNAME(qid)) LIKE '%secretget%'
        OR LOWER(QIDNAME(qid)) LIKE '%keyvault%'
        OR LOWER(QIDNAME(qid)) LIKE '%secretlist%'
      )
    )
    OR (
      (LOGSOURCETYPENAME(devicetype) LIKE '%Google%' OR LOGSOURCETYPENAME(devicetype) LIKE '%GCP%')
      AND (
        QIDNAME(qid) LIKE '%AccessSecretVersion%'
        OR QIDNAME(qid) LIKE '%ListSecrets%'
      )
    )
  )
GROUP BY username, sourceip, cloud_provider
HAVING COUNT(*) > 10
ORDER BY SecretAccessCount DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Amazon AWS CloudTrail log source type in QRadar Microsoft Azure Active Directory / Activity Logs log source type in QRadar Google Cloud Platform Audit log source type in QRadar

Required Tables

events

False Positives

Cloud infrastructure monitoring and CSPM agents (Datadog, Orca, Wiz) that periodically enumerate secrets metadata across all vaults for inventory and misconfiguration scanning — identifiable by consistent scheduling and dedicated service account usernames
DevOps toolchains using shared service accounts to resolve secrets during large-scale deployment pipelines spanning dozens of microservices — count spikes correlated with deployment pipeline timing
Secrets management middleware with caching disabled (AWS SDK without TTL, HashiCorp Vault Agent in legacy mode) that fetches the same secret on every application request — high frequency from a static IP with a single secret name pattern

Sumo Logic CSE

sql

(_sourceCategory=aws/cloudtrail OR _sourceCategory=azure/audit OR _sourceCategory=gcp/audit) earliest=-24h
| json auto
| where eventName in ("GetSecretValue","ListSecrets","DescribeSecret","BatchGetSecretValue")
  OR operationName matches "*KeyVault*Secret*"
  OR methodName matches "*AccessSecretVersion*"
| if (eventName in ("GetSecretValue","ListSecrets","DescribeSecret","BatchGetSecretValue"), "AWS",
    if (operationName matches "*KeyVault*", "Azure", "GCP")) as cloud_provider
| count(*) as SecretAccessCount, count_distinct(requestParameters_secretId) as UniqueSecrets
    by userIdentity_arn, sourceIPAddress, cloud_provider
| where SecretAccessCount > 10 or UniqueSecrets > 5
| sort by SecretAccessCount desc

high severity medium confidence

Data Sources

AWS CloudTrail logs under _sourceCategory=aws/cloudtrail Azure Audit Logs under _sourceCategory=azure/audit GCP Cloud Audit Logs under _sourceCategory=gcp/audit

Required Tables

_sourceCategory: aws/cloudtrail _sourceCategory: azure/audit _sourceCategory: gcp/audit

False Positives

Centralised secrets-proxy sidecars or vault agent deployments that retrieve credentials on behalf of many downstream containers, producing high per-identity counts from a narrow set of cluster node IPs
Cloud security posture management platforms performing periodic full-environment enumeration of secrets vault contents for tagging compliance or orphaned-secret detection
Developer workstations running integration test suites against a shared staging vault that seeds and reads a large number of ephemeral test secrets in rapid succession

Google Chronicle / SecOps

yaral

rule t1555_006_cloud_secrets_excessive_access {
  meta:
    author = "Detection Engineering"
    description = "Detects excessive access to cloud secrets management APIs across AWS Secrets Manager, Azure Key Vault, and GCP Secret Manager within a one-hour window, consistent with bulk credential harvesting by threat actors including HAFNIUM, Storm-0501, and Scattered Spider."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1555.006"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1555/006/"
    created = "2025-01-01"
    version = "1.0"

  events:
    (
      (
        $e.metadata.vendor_name = "Amazon Web Services" and
        $e.metadata.product_event_type in (
          "GetSecretValue",
          "ListSecrets",
          "DescribeSecret",
          "BatchGetSecretValue"
        )
      ) or
      (
        $e.metadata.vendor_name = "Microsoft Azure" and
        $e.metadata.product_event_type in (
          "SecretGet",
          "SecretList",
          "VaultGet"
        )
      ) or
      (
        $e.metadata.vendor_name = "Google Cloud Platform" and
        re.regex(
          $e.metadata.product_event_type,
          `google\.cloud\.secretmanager\.v1\.SecretManagerService\.(AccessSecretVersion|ListSecrets)`
        )
      )
    )
    $user = $e.principal.user.userid
    $ip = $e.principal.ip

  match:
    $user, $ip over 1h

  condition:
    #e > 10
}

high severity medium confidence

Data Sources

AWS CloudTrail ingested into Chronicle (vendor_name: Amazon Web Services) Azure Monitor Activity Logs ingested into Chronicle (vendor_name: Microsoft Azure) GCP Cloud Audit Logs via native Chronicle integration (vendor_name: Google Cloud Platform)

Required Tables

Chronicle UDM event store (cloud audit log feed)

False Positives

Kubernetes secret-sync operators (External Secrets Operator, Secrets Store CSI Driver) reconciling a large number of Kubernetes secrets from cloud vaults during cluster bootstrap or rapid pod autoscaling events — these identities have predictable naming conventions and cluster source IPs
Multi-cloud observability and APM platforms authenticating to multiple secrets stores at startup to retrieve instrumentation credentials, producing a burst of access events from a single service account during deployment windows
Authorised penetration testing or red team exercises operating within scope against the organisation's cloud environment — cross-reference principal.user.userid against approved testing accounts and change management records before escalating

CrowdStrike LogScale (CQL)

cql

#repo=cloud_audit
(
  EventName in ["GetSecretValue", "ListSecrets", "DescribeSecret", "BatchGetSecretValue"]
  OR operationName = /KeyVault.*Secret|SecretGet|SecretList/i
  OR protoPayload.methodName = /AccessSecretVersion|SecretManagerService.*ListSecrets/
)
| cloud_provider := case {
    test(EventName) | "AWS";
    test(operationName) | "Azure";
    * | "GCP"
  }
| identity := coalesce(
    userIdentity.arn,
    claims.upn,
    protoPayload.authenticationInfo.principalEmail,
    "unknown"
  )
| source_ip := coalesce(
    sourceIPAddress,
    callerIpAddress,
    protoPayload.requestMetadata.callerIp,
    "unknown"
  )
| secret_name := coalesce(
    requestParameters.secretId,
    resourceName,
    properties.id,
    "unknown"
  )
| groupBy(
    [identity, source_ip, cloud_provider],
    function=[
      count(as=SecretAccessCount),
      count(secret_name, distinct=true, as=UniqueSecrets),
      min(@timestamp, as=FirstAccess),
      max(@timestamp, as=LastAccess)
    ]
  )
| where SecretAccessCount > 10 OR UniqueSecrets > 5
| sort(SecretAccessCount, order=desc)

high severity medium confidence

Data Sources

AWS CloudTrail logs ingested into CrowdStrike LogScale cloud_audit repository Azure Monitor / Activity Logs ingested into CrowdStrike LogScale cloud_audit repository GCP Cloud Audit Logs ingested into CrowdStrike LogScale cloud_audit repository

Required Tables

cloud_audit (LogScale repository)

False Positives

Distributed batch processing jobs that resolve fresh database credentials from Secrets Manager at the start of each task across a large compute cluster — generates high per-identity counts during peak job execution correlated with job scheduler telemetry
Cloud cost optimisation and asset inventory platforms (CloudHealth, Apptio Cloudability, Turbot) enumerating vault contents as part of resource tagging or compliance reporting workflows — identifiable by known vendor IP ranges and service account naming
Blue-green or canary deployment strategies where both old and new application versions simultaneously fetch secrets during the traffic-shifting window, transiently doubling normal access rates from the same identity for the duration of the cutover

Cloud Secrets Management Stores

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections