-
Multiple Cloud Secrets Accessed by Source Address
Dec 4, 2025 · Domain: Cloud Domain: IAM Domain: Storage Data Source: AWS Data Source: Amazon Web Services Data Source: AWS Secrets Manager Data Source: Azure Data Source: Azure Activity Logs Data Source: GCP Data Source: Google Cloud Platform Tactic: Credential Access Resources: Investigation Guide ·This rule detects authenticated sessions accessing secret stores across multiple cloud providers from the same source address within a short period of time. Adversaries with access to compromised credentials or session tokens may attempt to retrieve secrets from services such as AWS Secrets Manager, Google Secret Manager, or Azure Key Vault in rapid succession to expand their access or exfiltrate sensitive information.
Read More