
Commit 7089a15

Update credential_access_multi_could_secrets_via_api.toml
1 parent d04b2a3 commit 7089a15


1 file changed

+20
-29
lines changed


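--- a/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
+++ b/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
@@ -110,34 +110,25 @@ type = "esql"
 
 query = '''
 FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*, logs-gcp.audit-* METADATA _id, _version, _index
-| WHERE source.ip IS NOT NULL
-
-// Normalize "secret access" across AWS, Azure, GCP
-| EVAL Esql.is_secret_access = CASE(
-// AWS Secrets Manager
-event.dataset == "aws.cloudtrail" AND
-event.provider == "secretsmanager.amazonaws.com" AND
-event.action IN ("GetSecretValue", "BatchGetSecretValue"), true,
+| WHERE
+(
+/* AWS Secrets Manager */
+(event.dataset == "aws.cloudtrail" AND event.provider == "secretsmanager.amazonaws.com" AND event.action IN ("GetSecretValue", "BatchGetSecretValue")) OR
 
 // Azure Key Vault (platform logs)
-event.dataset == "azure.platformlogs" AND
-event.action IN ("SecretGet", "KeyGet"), true,
-
-// Azure Managed HSM secret
-event.dataset == "azure.activitylogs" AND
-event.action LIKE "MICROSOFT.KEYVAULT/managedHSM/keys/*", true,
-
-// Google Secret Manager
-event.dataset IN ("googlecloud.audit", "gcp.audit") AND
-event.action IN (
-"google.cloud.secretmanager.v1.SecretManagerService.GetSecretRequest",
-"google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"
-), true,
-
-// default
-false
-)
-| WHERE Esql.is_secret_access
+(event.dataset == "azure.platformlogs" AND event.action IN ("SecretGet", "KeyGet")) or
+
+/* Azure Key Vault (activity logs) */
+(event.dataset == "azure.activitylogs" AND (azure.activitylogs.operation_name LIKE "MICROSOFT.KEYVAULT/VAULTS/SECRETS/LIST" OR azure.activitylogs.operation_name LIKE "MICROSOFT.KEYVAULT/VAULTS/SECRETS/GET")) OR
+
+/* Azure Managed HSM secret */
+(event.dataset == "azure.activitylogs" AND azure.activitylogs.operation_name LIKE "MICROSOFT.KEYVAULT/managedHSM/keys/*") OR
+
+/* Google Secret Manager */
+(event.dataset IN ("googlecloud.audit", "gcp.audit") AND
+event.action IN ("google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion", "google.cloud.secretmanager.v1.SecretManagerService.GetSecretRequest"))
+
+) AND source.ip IS NOT NULL
 
 // Unified user identity (raw)
 | EVAL Esql_priv.user_id =
@@ -167,7 +158,7 @@ FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*
 | STATS
 // Core counts
 Esql.events_count = COUNT(*),
-Esql.dataset_count_distinct = COUNT_DISTINCT(event.dataset),
+Esql.vendor_count_distinct = COUNT_DISTINCT(Esql.cloud_vendor),
 
 // Action & data source context
 Esql.event_action_values = VALUES(event.action),
@@ -193,8 +184,8 @@ FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*
 Esql_priv.azure_upn_values = VALUES(azure.platformlogs.identity.claim.upn)
 BY source.ip
 
-// Require multi-dataset behavior from same source IP
-| WHERE Esql.dataset_count_distinct >= 2
+// Require multi-vendor cred-access from same source IP
+| WHERE Esql.vendor_count_distinct >= 2
 | SORT Esql.events_count DESC
 | KEEP Esql.*, Esql_priv.*, source.ip
 '''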
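Review bot: In the first hunk, the new Azure Key Vault (activity logs) branch uses `LIKE` with no wildcard on `azure.activitylogs.operation_name`, so both patterns reduce to exact matches, unlike the Managed HSM branch directly below it which matches with a trailing `*`; the same branch's line also ends with a lowercase `or` while every other branch uses `OR`. If exact matching is intended, `IN` says so more plainly: `(event.dataset == "azure.activitylogs" AND azure.activitylogs.operation_name IN ("MICROSOFT.KEYVAULT/VAULTS/SECRETS/LIST", "MICROSOFT.KEYVAULT/VAULTS/SECRETS/GET")) OR`; if ingested operation names can carry a suffix or differ in case (not confirmable from this hunk), the pattern should mirror the HSM line instead. The new `Esql.vendor_count_distinct` in the second and third hunks depends on `Esql.cloud_vendor`, whose EVAL is outside the visible hunks; if that mapping has no value for some dataset matched by the first hunk, those events are null and contribute nothing to `COUNT_DISTINCT`, so the `>= 2` threshold undercounts silently. A comment at the STATS line would make that contract visible, e.g. `// Esql.cloud_vendor must be non-null for every dataset admitted by the WHERE above`.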
