
Quick Start Security for GCP Secret Manager

GCP Secret Manager

Coralogix Extension For GCP Secret Manager Includes:

Alerts - 5

Stay on top of GCP Secret Manager key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Secret Manager Project Was Deleted

Summary: This alert is triggered when a Secret Manager project is deleted by a user. A Secret Manager project lets you store, manage, and secure access to your application secrets.

Impact: A secret project holds confidential values for applications, developers, APIs, tokens, keys, and more. Deleting the entire project automatically deletes all secrets and their versions. This can significantly disrupt application development and access, since the credentials and access keys that applications depend on become unavailable.

Mitigation: Ensure that permissions are limited to application administrators and the DevOps team only. Reach out to the user to obtain business approval for deleting the secret project. If the activity is legitimate, close the case; otherwise, escalate to the engineering team for further investigation. Analyze the business impact and the secrets stored in the project, and revert the deletion if necessary. If no backups exist, create new secrets and update the affected application values accordingly.

MITRE Tactic: TA0040
MITRE Technique: T1485

Multiple Secret Versions Destroyed By a User

Summary: This alert is triggered when multiple secret versions are destroyed by a user. Note: the threshold is set to more than 5 destroyed versions in 15 minutes; adjust it to match your corporate policy.

Impact: Once versions are destroyed they cannot be restored, so access to the secret values is lost permanently. If the values belong to production, the associated service will remain inaccessible until the secrets are securely stored elsewhere as part of a backup procedure.

Mitigation: Ensure that permissions are limited to authorized users only. Promptly contact the user and request a business justification for destroying the versions. If the justification is valid, conclude the investigation. Otherwise, consult the engineering team to verify whether a copy of the secret values is kept as part of a Business Continuity Plan (BCP) or Disaster Recovery (DR) plan. If not, establish a policy that ensures production secrets are backed up.

MITRE Tactic: TA0040
MITRE Technique: T1485

Bulk Secret Versions Disabled By a User

Summary: This alert is triggered when secret versions are disabled by a user. Note that a disabled secret version can be re-enabled. Note: the threshold is set to more than 5 disabled versions in 15 minutes; adjust it to match your corporate policy.

Impact: Secret versions preserve the integrity of the secrets stored within the project. Disabling multiple versions can result in loss of the secret values and of access to the associated service, preventing users from viewing it or logging into it.

Mitigation: Ensure that permissions are limited to authorized users only. Promptly contact the user and request a business justification for disabling the secret versions. If the justification is valid, conclude the investigation; otherwise, promptly re-enable the secret versions to limit any business impact.

MITRE Tactic: TA0040
MITRE Technique: T1485

New User Was Added to a Secret Project

Summary: This alert is triggered when a new user is added to a secret project. Note: to receive anomaly alerts only for unknown users, whitelist the corporate domain or known email addresses.

Impact: This indicates privilege being elevated without authorization, potentially granting access to unidentified users. Such access could allow unauthorized viewing, disabling, or destruction of confidential information, significantly impacting business operations and access controls.

Mitigation: Ensure that permissions are limited to authorized users only. Promptly contact the user to request business approval for the access. If the request is legitimate, conclude the investigation; otherwise, remove the user and verify that no significant changes were made by unauthorized individuals.

MITRE Tactic: TA0004
MITRE Technique: T1098
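The three threshold and whitelist alerts above (versions destroyed, versions disabled, new user added) can be reproduced offline against Cloud Audit Log entries. The following Python is an added example, not Coralogix's alert definitions or Google code; it assumes the Cloud Audit Log field layout (protoPayload.methodName, protoPayload.authenticationInfo.principalEmail, protoPayload.serviceData.policyDelta.bindingDeltas), the Secret Manager method names shown as constants, and a constructed set of sample entries. It also generalizes the page's fixed "more than 5 in 15 minutes" rule to a sliding window, so slow activity spread over an hour is not miscounted.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed Cloud Audit Log method names for the Secret Manager actions the alerts describe.
DESTROY = "google.cloud.secretmanager.v1.SecretManagerService.DestroySecretVersion"
DISABLE = "google.cloud.secretmanager.v1.SecretManagerService.DisableSecretVersion"
SET_IAM = "google.cloud.secretmanager.v1.SecretManagerService.SetIamPolicy"

THRESHOLD = 5                       # page: "more than 5 in 15 minutes"
WINDOW = timedelta(minutes=15)
ALLOWED_DOMAINS = {"example.com"}   # constructed corporate whitelist for the IAM alert


def _entry(method, principal, minute, deltas=None):
    """Build a constructed audit-log entry (hypothetical helper, not GCP output)."""
    ts = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc) + timedelta(minutes=minute)
    payload = {
        "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "resourceName": "projects/example-proj/secrets/db-password/versions/1",
    }
    if deltas is not None:
        payload["serviceData"] = {"policyDelta": {"bindingDeltas": deltas}}
    return {"timestamp": ts.isoformat().replace("+00:00", "Z"), "protoPayload": payload}


SAMPLE_ENTRIES = (
    # bob destroys 6 versions within 10 minutes: exceeds "more than 5 in 15 minutes"
    [_entry(DESTROY, "bob@example.com", m) for m in (0, 2, 4, 6, 8, 10)]
    # dave destroys 6 versions 10 minutes apart: never more than 2 in any 15-minute window
    + [_entry(DESTROY, "dave@example.com", m) for m in (0, 10, 20, 30, 40, 50)]
    # alice disables 3 versions: below threshold
    + [_entry(DISABLE, "alice@example.com", m) for m in (1, 3, 5)]
    # admin grants access to a known member and an unknown one, and removes a known one
    + [_entry(SET_IAM, "admin@example.com", 7, deltas=[
        {"action": "ADD", "role": "roles/secretmanager.secretAccessor", "member": "user:carol@example.com"},
        {"action": "ADD", "role": "roles/secretmanager.secretAccessor", "member": "user:mallory@outside.test"},
        {"action": "REMOVE", "role": "roles/secretmanager.viewer", "member": "user:carol@example.com"},
    ])]
)


def _principal(entry):
    return entry["protoPayload"]["authenticationInfo"]["principalEmail"]


def _timestamp(entry):
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))


def users_over_threshold(entries, method, threshold=THRESHOLD, window=WINDOW):
    """Principals who performed `method` more than `threshold` times within any `window`.

    A per-user sliding window is used so that events spread out over a long
    period are not summed as if they happened together.
    """
    per_user = defaultdict(list)
    for e in entries:
        if e["protoPayload"]["methodName"] == method:
            per_user[_principal(e)].append(_timestamp(e))
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1            # drop events older than the window
            if end - start + 1 > threshold:
                flagged.add(user)
                break
    return flagged


def unknown_members_added(entries, allowed_domains=ALLOWED_DOMAINS):
    """(actor, member, role) for bindings added to members outside the whitelist."""
    findings = []
    for e in entries:
        if e["protoPayload"]["methodName"] != SET_IAM:
            continue
        deltas = e["protoPayload"].get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            if d.get("action") != "ADD":
                continue                                  # removals are not a privilege grant
            member = d["member"]                          # e.g. "user:carol@example.com"
            domain = member.rsplit("@", 1)[-1] if "@" in member else ""
            if domain not in allowed_domains:
                findings.append((_principal(e), member, d.get("role")))
    return findings


if __name__ == "__main__":
    print("destroy threshold:", users_over_threshold(SAMPLE_ENTRIES, DESTROY))
    print("disable threshold:", users_over_threshold(SAMPLE_ENTRIES, DISABLE))
    print("unknown members:", unknown_members_added(SAMPLE_ENTRIES))
```

Run as a script it reports bob for the destroy alert, nobody for the disable alert, and the out-of-domain member for the IAM alert. Lowering `threshold` or widening `window` is how the "adjust to your corporate policy" note in the alerts maps onto the code.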

No Logs From Secret Manager In the Last 12 Hours

Summary: This alert is triggered when no logs have been received from Secret Manager in the last 12 hours. Note: select the related application and subsystems before enabling it.

Impact: The absence of logs increases the risk of overlooking suspicious connections or irregular secrets management, leaving room for undetected incidents that could affect system integrity. Unauthorized access to secrets or destruction of secrets may go unnoticed, and secret values could end up with unauthorized users.

Mitigation: Conduct a thorough examination of the logs and consult the engineering team to verify any findings. If the logs show no activity, it is advisable to close the incident. If an issue is identified, take the necessary steps to rectify it promptly, ensuring that logging is restored and data flows to the designated destination.

MITRE Tactic: TA0005
MITRE Technique: T1562

Integration

Learn more about Coralogix's out-of-the-box integration with GCP Secret Manager in our documentation.
