Update credential_access_multi_could_secrets_via_api.toml

Samirbous · web-flow · commit 23e103b22070 · 2025-12-04T14:38:52.000Z
diff --git a/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml b/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
@@ -114,22 +114,16 @@ FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*
   ( 
     /* AWS Secrets Manager */ 
     (event.dataset == "aws.cloudtrail" AND event.provider == "secretsmanager.amazonaws.com" AND event.action == "GetSecretValue") OR 
-
     // Azure Key Vault (platform logs)
     (event.dataset == "azure.platformlogs" AND event.action IN ("SecretGet", "KeyGet")) or 
-
     /* Azure Key Vault (activity logs) */ 
     (event.dataset == "azure.activitylogs" AND azure.activitylogs.operation_name IN ("MICROSOFT.KEYVAULT/VAULTS/SECRETS/LIST", "MICROSOFT.KEYVAULT/VAULTS/SECRETS/GET")) OR 
-
     /* Azure Managed HSM secret */ 
     (event.dataset == "azure.activitylogs" AND azure.activitylogs.operation_name LIKE "MICROSOFT.KEYVAULT/managedHSM/keys/*") OR 
-
     /* Google Secret Manager */ 
     (event.dataset IN ("googlecloud.audit", "gcp.audit") AND 
      event.action IN ("google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion", "google.cloud.secretmanager.v1.SecretManagerService.GetSecretRequest"))
-
    ) AND source.ip IS NOT NULL
-
 // Unified user identity (raw)
 | EVAL Esql_priv.user_id =
     COALESCE(
@@ -138,52 +132,45 @@ FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*
       azure.platformlogs.identity.claim.upn,
       NULL
     )
-
 // Cloud vendor label based on dataset
 | EVAL Esql.cloud_vendor = CASE(
     event.dataset == "aws.cloudtrail", "aws",
     event.dataset IN ("azure.platformlogs","azure.activitylogs"), "azure",
     event.dataset IN ("googlecloud.audit","gcp.audit"), "gcp",
     "unknown"
   )
-
 // Vendor+tenant label, e.g. aws:123456789012, azure:tenant, gcp:project
 | EVAL Esql.tenant_label = CASE(
     Esql.cloud_vendor == "aws", CONCAT("aws:", cloud.account.id),
     Esql.cloud_vendor == "azure", CONCAT("azure:", cloud.account.id),
     Esql.cloud_vendor == "gcp", CONCAT("gcp:", cloud.account.id),
     NULL
   )
-
 | STATS
     // Core counts
     Esql.events_count = COUNT(*),
     Esql.vendor_count_distinct = COUNT_DISTINCT(Esql.cloud_vendor),
-
     // Action & data source context
     Esql.event_action_values = VALUES(event.action),
     Esql.data_source_values = VALUES(event.dataset),
-
     // Cloud vendor + tenant context
     Esql.cloud_vendor_values = VALUES(Esql.cloud_vendor),
     Esql.tenant_label_values = VALUES(Esql.tenant_label),
-
     // Hyperscaler-specific IDs
     Esql.aws_account_id_values = VALUES(CASE(Esql.cloud_vendor == "aws", cloud.account.id, NULL)),
     Esql.azure_tenant_id_values = VALUES(CASE(Esql.cloud_vendor == "azure", cloud.account.id, NULL)),
     Esql.gcp_project_id_values = VALUES(CASE(Esql.cloud_vendor == "gcp", cloud.account.id, NULL)),
-
     // Generic cloud metadata
     Esql.cloud_region_values = VALUES(cloud.region),
     Esql.cloud_service_name_values = VALUES(cloud.service.name),
-
     // Identity (privileged)
     Esql_priv.user_values = VALUES(Esql_priv.user_id),
     Esql_priv.client_user_id_values = VALUES(client.user.id),
     Esql_priv.aws_user_identity_arn_values = VALUES(aws.cloudtrail.user_identity.arn),
-    Esql_priv.azure_upn_values = VALUES(azure.platformlogs.identity.claim.upn)
+    Esql_priv.azure_upn_values = VALUES(azure.platformlogs.identity.claim.upn),
+    // Namespace values
+    Esql.data_stream_namespace_values = VALUES(data_stream.namespace)
   BY source.ip
-
 // Require multi-vendor cred-access from same source IP
 | WHERE Esql.vendor_count_distinct >= 2
 | SORT Esql.events_count DESC
