Rules: Trufflehog AWS Credential Verification Detected
Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call. Within this telemetry, the user_username field will contain the value of the username associated with the secret or credential that Trufflehog is attempting to verify. Look at the events surrounding the source IP address of this event. Look for any potential areas that may have contained keys or secrets for the user_username value.
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Credential Access |
| Apply Risk to Entities | srcDevice_ip |
| Signal Name | Trufflehog AWS Credential Verification Detected |
| Summary Expression | Trufflehog AWS Credential Verification Detected for {{user_username}} from IP: {{srcDevice_ip}} |
| Score/Severity | Static: 3 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0006, _mitreAttackTechnique:T1552 |
| Origin | Field |
|---|---|
| Normalized Schema | action |
| Normalized Schema | http_userAgent |
| Normalized Schema | metadata_product |
| Normalized Schema | metadata_vendor |
| Normalized Schema | srcDevice_ip |