
Commit 29bd7db

Update credential_access_multi_could_secrets_via_api.toml
1 parent 646dac7 commit 29bd7db

1 file changed

+2
-2
lines changed

1 file changed

+2
-2
lines changed

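--- a/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
+++ b/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
@@ -13,7 +13,7 @@ to retrieve secrets from services such as AWS Secrets Manager, Google Secret Man
 succession to expand their access or exfiltrate sensitive information.
 """
 from = "now-9m"
-interval = "1m"
+interval = "5m"
 language = "esql"
 license = "Elastic License v2"
 name = "Multiple Cloud Secrets Accessed by Source Address"
@@ -113,7 +113,7 @@ FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*
 | WHERE
 (
 /* AWS Secrets Manager */
-(event.dataset == "aws.cloudtrail" AND event.provider == "secretsmanager.amazonaws.com" AND event.action IN ("GetSecretValue", "BatchGetSecretValue")) OR
+(event.dataset == "aws.cloudtrail" AND event.provider == "secretsmanager.amazonaws.com" AND event.action == "GetSecretValue") OR
 
 // Azure Key Vault (platform logs)
 (event.dataset == "azure.platformlogs" AND event.action IN ("SecretGet", "KeyGet")) or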
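Review bot: Dropping `BatchGetSecretValue` from the AWS branch leaves an undocumented gap in a rule whose stated purpose is catching many secrets read in quick succession: a single batch call can return up to 20 secrets, so an actor using it would stay below whatever per-source threshold the rest of the query applies (the WHERE clause and the aggregation it feeds continue outside this hunk). If the exclusion is deliberate, presumably because batch events do not populate the per-secret field the rule later counts, record that on the comment line so the next maintainer does not re-add it blindly, e.g. `/* AWS Secrets Manager — BatchGetSecretValue intentionally excluded: batch records lack the per-secret field aggregated below */`; otherwise consider restoring it and handling the batch record shape explicitly. The new `interval = "5m"` still fits inside `from = "now-9m"`, so the lookback overlaps each run and no events are skipped, but the overlap also means the same activity can alert on consecutive runs — worth a one-line note if deduplication is expected downstream. Minor style point on the same clause: the Azure line joins with lowercase `or` while the AWS line uses `OR`; pick one. The file name reads `multi_could_secrets`, presumably a typo for `multi_cloud_secrets`; a rename is out of scope here but worth a follow-up.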
