Commit fdcfac9

Update credential_access_multi_could_secrets_via_api.toml
1 parent 1666121 commit fdcfac9

1 file changed

+2
-1
lines changed

rules/cross-platform/credential_access_multi_could_secrets_via_api.toml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -132,12 +132,13 @@ FROM logs-* metadata _id, _version, _index
132132
)
133133
AND source.ip IS NOT NULL
134134
| STATS
135+
Esql.events_count = COUNT(*),
135136
Esql.dc_dataset = COUNT_DISTINCT(event.dataset),
136137
Esql.event_action_values = VALUES(event.action),
137138
Esql.users = VALUES(user.name)
138139
BY source.ip
139140
| WHERE Esql.dc_dataset >= 2
140-
| Keep source.ip, Esql.dc_dataset, Esql.users
141+
| Keep source.ip, Esql.dc_dataset, Esql.users, Esql.events_count
141142
'''
142143

143144

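Review bot: the new `Esql.events_count = COUNT(*)` is computed and surfaced through `| Keep ... Esql.events_count`, but nothing filters on it, so the alert condition is unchanged and still rests solely on `| WHERE Esql.dc_dataset >= 2`. If the count is meant only as analyst context, say so in the rule's description or note so the next reader does not assume it gates the alert; if it was meant to reduce noise from a source IP that touched two datasets once each, add a threshold next to the existing check, e.g. `| WHERE Esql.dc_dataset >= 2 AND Esql.events_count >= <threshold>`. Two smaller points on the same lines: `| Keep` is the only mixed-case command in a query that otherwise writes `FROM`, `STATS`, `BY` and `WHERE` in upper case, so `| KEEP` would keep the style consistent; and `Esql.event_action_values = VALUES(event.action)` is aggregated but then dropped by the `Keep`, even though the set of API actions per source IP is exactly what an analyst would want alongside the user list when triaging a multi-dataset secrets-access hit, so consider keeping it too.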
0 commit comments