TruffleHog user agent observed in AWS
Detect when a TruffleHog user agent is seen in AWS CloudTrail management plane logs.
This rule monitors AWS CloudTrail management plane logs for the GetCallerIdentity API call with the user agent TruffleHog. TruffleHog is a tool designed to scan source code repositories for leaked secrets. It has a credential verification feature that checks whether a discovered credential is still active; for AWS it does this by performing a GetCallerIdentity API call. While this tool can be used legitimately by teams to scan for leaked secrets internally, it may also be used by attackers to identify leaked credentials.
- Determine if your organization is using the TruffleHog tool to scan for secrets.
- If it is an internal tool, notify the relevant team so that the leaked key can be triaged appropriately.
- If the results of the triage indicate that this tool is not used by your organization, begin your company’s incident response process and an investigation.
- If appropriate, disable or rotate the affected credential.
- Investigate any actions taken by the identity {{@userIdentity.arn}}.
- Work with the relevant teams to remove the key from any source code repositories.
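The detection described above (GetCallerIdentity with a TruffleHog user agent) and the triage step of reviewing what else the flagged identity did, worked through in code. This is an added example, not part of the rule or of Datadog's or TruffleHog's own code. It runs over a constructed batch of CloudTrail records embedded inline; the account id, ARNs and IP addresses are placeholders, and the case-insensitive substring match on the user agent is a choice made here rather than something the rule text specifies.

```python
"""Flag CloudTrail GetCallerIdentity calls whose user agent is TruffleHog and
summarise what else the same identity did, to support triage of the hit."""
import json
from collections import defaultdict

# Constructed sample CloudTrail management events (not real logs); the account
# id, ARNs and IP addresses are placeholders. The last record has no
# userIdentity.arn, which CloudTrail omits for some identity types.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2023-11-10T12:00:01Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userAgent": "TruffleHog",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventTime": "2023-11-10T12:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userAgent": "aws-cli/2.13.0",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventTime": "2023-11-10T12:01:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userAgent": "aws-sdk-go/1.44.0",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice"}},
    {"eventTime": "2023-11-10T12:02:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userAgent": "trufflehog",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AWSAccount"}},  # no arn field
]})


def is_trufflehog_verification(event):
    """True for the pattern the rule describes: GetCallerIdentity with a
    TruffleHog user agent. The match is a case-insensitive substring test
    (a choice made here) so a change of casing does not slip past it."""
    return (event.get("eventName") == "GetCallerIdentity"
            and "trufflehog" in str(event.get("userAgent", "")).lower())


def identity_arn(event):
    """userIdentity.arn is optional in CloudTrail; use a stable label when absent."""
    return event.get("userIdentity", {}).get("arn", "<no-arn>")


def detect(raw_cloudtrail_json):
    """One finding per hit: which identity verified a credential, from where, when."""
    records = json.loads(raw_cloudtrail_json)["Records"]
    return [
        {"arn": identity_arn(ev),
         "source_ip": ev.get("sourceIPAddress"),
         "time": ev.get("eventTime")}
        for ev in records if is_trufflehog_verification(ev)
    ]


def activity_by_flagged_identity(raw_cloudtrail_json):
    """Triage helper: every API call made by each flagged identity, in time
    order, so the analyst sees what the credential was used for beyond the
    verification call itself."""
    records = json.loads(raw_cloudtrail_json)["Records"]
    flagged = {f["arn"] for f in detect(raw_cloudtrail_json)}
    timeline = defaultdict(list)
    for ev in sorted(records, key=lambda e: e.get("eventTime", "")):
        arn = identity_arn(ev)
        if arn in flagged:
            timeline[arn].append((ev["eventTime"], ev["eventSource"], ev["eventName"]))
    return dict(timeline)


if __name__ == "__main__":
    for finding in detect(SAMPLE_CLOUDTRAIL):
        print("ALERT", finding)
    for arn, calls in activity_by_flagged_identity(SAMPLE_CLOUDTRAIL).items():
        print(arn)
        for when, source, name in calls:
            print("   ", when, source, name)
```

In the sample, the IAM user `ci-deploy` is flagged and its timeline shows a ListBuckets call from the same source IP a few seconds after the verification, which is the kind of follow-on activity the triage steps ask you to investigate; the assumed-role GetCallerIdentity from an SDK user agent is not flagged. Records without `userIdentity.arn` are grouped under a single `<no-arn>` label, so in a real investigation you would pivot on `principalId` and `accountId` for those.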
- 10 November 2023 - updated severity of detection from Low to High