
Commit 646dac7

authored
Update credential_access_multi_could_secrets_via_api.toml
1 parent 7089a15 commit 646dac7


1 file changed

+1
-1
lines changed


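--- a/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
+++ b/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
@@ -119,7 +119,7 @@ FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*
 (event.dataset == "azure.platformlogs" AND event.action IN ("SecretGet", "KeyGet")) or
 
 /* Azure Key Vault (activity logs) */
-(event.dataset == "azure.activitylogs" AND (azure.activitylogs.operation_name LIKE "MICROSOFT.KEYVAULT/VAULTS/SECRETS/LIST" OR azure.activitylogs.operation_name LIKE "MICROSOFT.KEYVAULT/VAULTS/SECRETS/GET")) OR
+(event.dataset == "azure.activitylogs" AND azure.activitylogs.operation_name IN ("MICROSOFT.KEYVAULT/VAULTS/SECRETS/LIST", "MICROSOFT.KEYVAULT/VAULTS/SECRETS/GET")) OR
 
 /* Azure Managed HSM secret */
 (event.dataset == "azure.activitylogs" AND azure.activitylogs.operation_name LIKE "MICROSOFT.KEYVAULT/managedHSM/keys/*") OR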
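Review bot: The new `IN (...)` list on line 122 is an exact, case-sensitive match, so the Key Vault branch only fires if `azure.activitylogs.operation_name` always arrives in upper case. The Managed HSM condition on line 125 tests the same field with a mixed-case pattern (`MICROSOFT.KEYVAULT/managedHSM/keys/*`), so one of the two branches presumably expects a casing that does not occur and would miss events silently. If the integration does not guarantee the casing, normalise it in the rule, e.g. `TO_UPPER(azure.activitylogs.operation_name) IN ("MICROSOFT.KEYVAULT/VAULTS/SECRETS/LIST", "MICROSOFT.KEYVAULT/VAULTS/SECRETS/GET")`. Otherwise, once the casing is confirmed, record the assumption next to the condition with a comment such as `/* relies on operation_name being upper-cased at ingest */`. The WHERE clause starts and ends outside this hunk, so other branches may need the same check.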
