
Commit d04b2a3

authored
Update credential_access_multi_could_secrets_via_api.toml
1 parent 4cb7baa commit d04b2a3


1 file changed

+23
-34
lines changed


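--- a/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
+++ b/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
@@ -125,7 +125,7 @@ FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*
 
 // Azure Managed HSM secret
 event.dataset == "azure.activitylogs" AND
-event.action LIKE "MICROSOFT.KEYVAULT/managedHSM/keys/%", true,
+event.action LIKE "MICROSOFT.KEYVAULT/managedHSM/keys/*", true,
 
 // Google Secret Manager
 event.dataset IN ("googlecloud.audit", "gcp.audit") AND
@@ -150,64 +150,53 @@ FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*
 
 // Cloud vendor label based on dataset
 | EVAL Esql.cloud_vendor = CASE(
-event.dataset == "aws.cloudtrail", "aws",
+event.dataset == "aws.cloudtrail", "aws",
 event.dataset IN ("azure.platformlogs","azure.activitylogs"), "azure",
-event.dataset IN ("googlecloud.audit","gcp.audit"), "gcp",
+event.dataset IN ("googlecloud.audit","gcp.audit"), "gcp",
 "unknown"
 )
 
 // Vendor+tenant label, e.g. aws:123456789012, azure:tenant, gcp:project
 | EVAL Esql.tenant_label = CASE(
-Esql.cloud_vendor == "aws", CONCAT("aws:", cloud.account.id),
+Esql.cloud_vendor == "aws", CONCAT("aws:", cloud.account.id),
 Esql.cloud_vendor == "azure", CONCAT("azure:", cloud.account.id),
-Esql.cloud_vendor == "gcp", CONCAT("gcp:", cloud.account.id),
+Esql.cloud_vendor == "gcp", CONCAT("gcp:", cloud.account.id),
 NULL
 )
 
 | STATS
 // Core counts
-Esql.events_count = COUNT(*),
-Esql.dataset_count_distinct = COUNT_DISTINCT(event.dataset),
+Esql.events_count = COUNT(*),
+Esql.dataset_count_distinct = COUNT_DISTINCT(event.dataset),
 
 // Action & data source context
-Esql.event_action_values = VALUES(event.action),
-Esql.data_source_values = VALUES(event.dataset),
+Esql.event_action_values = VALUES(event.action),
+Esql.data_source_values = VALUES(event.dataset),
 
 // Cloud vendor + tenant context
-Esql.cloud_vendor_values = VALUES(Esql.cloud_vendor),
-Esql.tenant_label_values = VALUES(Esql.tenant_label),
+Esql.cloud_vendor_values = VALUES(Esql.cloud_vendor),
+Esql.tenant_label_values = VALUES(Esql.tenant_label),
 
 // Hyperscaler-specific IDs
-Esql.aws_account_id_values =
-VALUES(CASE(Esql.cloud_vendor == "aws", cloud.account.id, NULL)),
-Esql.azure_tenant_id_values =
-VALUES(CASE(Esql.cloud_vendor == "azure", cloud.account.id, NULL)),
-Esql.gcp_project_id_values =
-VALUES(CASE(Esql.cloud_vendor == "gcp", cloud.account.id, NULL)),
+Esql.aws_account_id_values = VALUES(CASE(Esql.cloud_vendor == "aws", cloud.account.id, NULL)),
+Esql.azure_tenant_id_values = VALUES(CASE(Esql.cloud_vendor == "azure", cloud.account.id, NULL)),
+Esql.gcp_project_id_values = VALUES(CASE(Esql.cloud_vendor == "gcp", cloud.account.id, NULL)),
 
 // Generic cloud metadata
-Esql.cloud_region_values = VALUES(cloud.region),
-Esql.cloud_service_name_values =
-VALUES(cloud.service.name),
-
-// Network context
-Esql.source_ip_values = VALUES(source.ip),
+Esql.cloud_region_values = VALUES(cloud.region),
+Esql.cloud_service_name_values = VALUES(cloud.service.name),
 
 // Identity (privileged)
-Esql_priv.user_values =
-VALUES(Esql_priv.user_id),
-Esql_priv.client_user_id_values =
-VALUES(client.user.id),
-Esql_priv.aws_user_identity_arn_values =
-VALUES(aws.cloudtrail.user_identity.arn),
-Esql_priv.azure_upn_values =
-VALUES(azure.platformlogs.identity.claim.upn)
+Esql_priv.user_values = VALUES(Esql_priv.user_id),
+Esql_priv.client_user_id_values = VALUES(client.user.id),
+Esql_priv.aws_user_identity_arn_values = VALUES(aws.cloudtrail.user_identity.arn),
+Esql_priv.azure_upn_values = VALUES(azure.platformlogs.identity.claim.upn)
 BY source.ip
 
-// Require multi-dataset (cross-source) behavior from same source IP
+// Require multi-dataset behavior from same source IP
 | WHERE Esql.dataset_count_distinct >= 2
 | SORT Esql.events_count DESC
-| KEEP Esql.*, Esql_priv.*
+| KEEP Esql.*, Esql_priv.*, source.ip
 '''
 
 
@@ -228,4 +217,4 @@ reference = "https://attack.mitre.org/techniques/T1555/006/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
+reference = "https://attack.mitre.org/tactics/TA0006/"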
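Review bot: The gate `| WHERE Esql.dataset_count_distinct >= 2` in the second hunk does not actually require activity across more than one cloud, because the Esql.cloud_vendor CASE maps two datasets to "azure" (azure.platformlogs, azure.activitylogs) and two to "gcp" (googlecloud.audit, gcp.audit), so a single source IP reading secrets through only Azure or only GCP already satisfies the threshold while the rule name and the tenant-label comment describe multi-cloud behaviour. Since Esql.cloud_vendor is computed before STATS, the distinct-vendor count is available cheaply: add `Esql.cloud_vendor_count_distinct = COUNT_DISTINCT(Esql.cloud_vendor),` under `// Core counts` and gate on `| WHERE Esql.cloud_vendor_count_distinct >= 2` (keeping the dataset condition as well if the intent is both), noting that the "unknown" label would otherwise count as a vendor. If single-vendor multi-source activity is intended, the comment `// Require multi-dataset behavior from same source IP` should say explicitly that same-vendor dataset pairs qualify, since the previous wording "(cross-source)" was dropped here. The enclosing ES|QL query starts before this hunk (its FROM line only appears in the hunk header), so the dataset filter feeding these counts is not visible.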
