[Tuning] Multiple Cloud Secrets Accessed by Source Address (#5549)
* Update credential_access_multi_could_secrets_via_api.toml * Update credential_access_multi_could_secrets_via_api.toml * Update credential_access_multi_could_secrets_via_api.toml * Update credential_access_multi_could_secrets_via_api.toml
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/12/01"
|
||||
integration = ["aws", "gcp", "azure"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/12/01"
|
||||
updated_date = "2026/01/12"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -109,17 +109,15 @@ timestamp_override = "event.ingested"
|
||||
type = "esql"
|
||||
|
||||
query = '''
|
||||
FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*, logs-gcp.audit-* METADATA _id, _version, _index
|
||||
FROM logs-* METADATA _id, _version, _index
|
||||
| WHERE
|
||||
(
|
||||
/* AWS Secrets Manager */
|
||||
(event.dataset == "aws.cloudtrail" AND event.provider == "secretsmanager.amazonaws.com" AND event.action == "GetSecretValue") OR
|
||||
|
||||
// Azure Key Vault (platform logs)
|
||||
(event.dataset == "azure.platformlogs" AND event.action IN ("SecretGet", "KeyGet")) or
|
||||
/* Azure Key Vault (activity logs) */
|
||||
(event.dataset == "azure.activitylogs" AND azure.activitylogs.operation_name IN ("MICROSOFT.KEYVAULT/VAULTS/SECRETS/LIST", "MICROSOFT.KEYVAULT/VAULTS/SECRETS/GET")) OR
|
||||
/* Azure Managed HSM secret */
|
||||
(event.dataset == "azure.activitylogs" AND azure.activitylogs.operation_name LIKE "MICROSOFT.KEYVAULT/managedHSM/keys/*") OR
|
||||
|
||||
/* Google Secret Manager */
|
||||
(event.dataset IN ("googlecloud.audit", "gcp.audit") AND
|
||||
event.action IN ("google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion", "google.cloud.secretmanager.v1.SecretManagerService.GetSecretRequest"))
|
||||
@@ -129,13 +127,12 @@ FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*
|
||||
COALESCE(
|
||||
client.user.id,
|
||||
aws.cloudtrail.user_identity.arn,
|
||||
azure.platformlogs.identity.claim.upn,
|
||||
NULL
|
||||
)
|
||||
// Cloud vendor label based on dataset
|
||||
| EVAL Esql.cloud_vendor = CASE(
|
||||
event.dataset == "aws.cloudtrail", "aws",
|
||||
event.dataset IN ("azure.platformlogs","azure.activitylogs"), "azure",
|
||||
event.dataset == "azure.platformlogs", "azure",
|
||||
event.dataset IN ("googlecloud.audit","gcp.audit"), "gcp",
|
||||
"unknown"
|
||||
)
|
||||
@@ -167,7 +164,6 @@ FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*
|
||||
Esql_priv.user_values = VALUES(Esql_priv.user_id),
|
||||
Esql_priv.client_user_id_values = VALUES(client.user.id),
|
||||
Esql_priv.aws_user_identity_arn_values = VALUES(aws.cloudtrail.user_identity.arn),
|
||||
Esql_priv.azure_upn_values = VALUES(azure.platformlogs.identity.claim.upn),
|
||||
// Namespace values
|
||||
Esql.data_stream_namespace_values = VALUES(data_stream.namespace)
|
||||
BY source.ip
|
||||
|
||||
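Review bot: In the second hunk, `FROM logs-* METADATA _id, _version, _index` replaces the explicit aws/azure/gcp index patterns (assuming the `logs-*` line is the new side; the per-integration pattern still appears in the later hunk headers, which suggests it is the pre-image), so the rule now reads every `logs-*` data stream and relies solely on the `event.dataset` predicates in WHERE to narrow results. That widens the scan cost of a scheduled rule and means `aws.cloudtrail.user_identity.arn`, `azure.platformlogs.identity.claim.upn` and `azure.activitylogs.operation_name` must map consistently across everything `logs-*` matches, or ES|QL may treat them as unsupported; a one-line comment above FROM stating why the broad pattern was chosen, e.g. `// logs-* instead of per-integration patterns: <reason>`, would keep the next tuner from reverting it. In the same hunk, the Azure Key Vault clause ending in `("SecretGet", "KeyGet")) or` uses lowercase `or` and a `//` comment while its sibling clauses use `OR` and `/* */`; `(event.dataset == "azure.platformlogs" AND event.action IN ("SecretGet", "KeyGet")) OR` keeps the predicate list uniform. The ES|QL query opened by `query = '''` in this hunk continues past it into the later hunks, so the full pipeline is only partly visible here.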