Elastic Security Detection Rules

Multiple Cloud Secrets Accessed by Source Address

Last updated 4 days ago on 2025-12-01
Created 4 days ago on 2025-12-01

About

This rule detects authenticated sessions accessing secret stores across multiple cloud providers from the same source address within a short period of time. Adversaries with access to compromised credentials or session tokens may attempt to retrieve secrets from services such as AWS Secrets Manager, Google Secret Manager, or Azure Key Vault in rapid succession to expand their access or exfiltrate sensitive information.
Tags
Domain: CloudDomain: IAMDomain: StorageData Source: AWSData Source: Amazon Web ServicesData Source: AWS Secrets ManagerData Source: AzureData Source: Azure Activity LogsData Source: GCPData Source: Google Cloud PlatformTactic: Credential AccessLanguage: esql
Severity
high
Risk Score
73
MITRE ATT&CK™

Credential Access (TA0006)(opens in a new tab or window)

Credentials from Password Stores (T1555)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

aws(opens in a new tab or window)

gcp(opens in a new tab or window)

azure(opens in a new tab or window)

Query
FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*, logs-gcp.audit-* METADATA _id, _version, _index
| WHERE 
  ( 
    /* AWS Secrets Manager */ 
    (event.dataset == "aws.cloudtrail" AND event.provider == "secretsmanager.amazonaws.com" AND event.action == "GetSecretValue") OR 
    // Azure Key Vault (platform logs)
    (event.dataset == "azure.platformlogs" AND event.action IN ("SecretGet", "KeyGet")) or 
    /* Azure Key Vault (activity logs) */ 
    (event.dataset == "azure.activitylogs" AND azure.activitylogs.operation_name IN ("MICROSOFT.KEYVAULT/VAULTS/SECRETS/LIST", "MICROSOFT.KEYVAULT/VAULTS/SECRETS/GET")) OR 
    /* Azure Managed HSM secret */ 
    (event.dataset == "azure.activitylogs" AND azure.activitylogs.operation_name LIKE "MICROSOFT.KEYVAULT/managedHSM/keys/*") OR 
    /* Google Secret Manager */ 
    (event.dataset IN ("googlecloud.audit", "gcp.audit") AND 
     event.action IN ("google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion", "google.cloud.secretmanager.v1.SecretManagerService.GetSecretRequest"))
   ) AND source.ip IS NOT NULL
// Unified user identity (raw)
| EVAL Esql_priv.user_id =
    COALESCE(
      client.user.id,
      aws.cloudtrail.user_identity.arn,
      azure.platformlogs.identity.claim.upn,
      NULL
    )
// Cloud vendor label based on dataset
| EVAL Esql.cloud_vendor = CASE(
    event.dataset == "aws.cloudtrail", "aws",
    event.dataset IN ("azure.platformlogs","azure.activitylogs"), "azure",
    event.dataset IN ("googlecloud.audit","gcp.audit"), "gcp",
    "unknown"
  )
// Vendor+tenant label, e.g. aws:123456789012, azure:tenant, gcp:project
| EVAL Esql.tenant_label = CASE(
    Esql.cloud_vendor == "aws", CONCAT("aws:", cloud.account.id),
    Esql.cloud_vendor == "azure", CONCAT("azure:", cloud.account.id),
    Esql.cloud_vendor == "gcp", CONCAT("gcp:", cloud.account.id),
    NULL
  )
| STATS
    // Core counts
    Esql.events_count = COUNT(*),
    Esql.vendor_count_distinct = COUNT_DISTINCT(Esql.cloud_vendor),
    // Action & data source context
    Esql.event_action_values = VALUES(event.action),
    Esql.data_source_values = VALUES(event.dataset),
    // Cloud vendor + tenant context
    Esql.cloud_vendor_values = VALUES(Esql.cloud_vendor),
    Esql.tenant_label_values = VALUES(Esql.tenant_label),
    // Hyperscaler-specific IDs
    Esql.aws_account_id_values = VALUES(CASE(Esql.cloud_vendor == "aws", cloud.account.id, NULL)),
    Esql.azure_tenant_id_values = VALUES(CASE(Esql.cloud_vendor == "azure", cloud.account.id, NULL)),
    Esql.gcp_project_id_values = VALUES(CASE(Esql.cloud_vendor == "gcp", cloud.account.id, NULL)),
    // Generic cloud metadata
    Esql.cloud_region_values = VALUES(cloud.region),
    Esql.cloud_service_name_values = VALUES(cloud.service.name),
    // Identity (privileged)
    Esql_priv.user_values = VALUES(Esql_priv.user_id),
    Esql_priv.client_user_id_values = VALUES(client.user.id),
    Esql_priv.aws_user_identity_arn_values = VALUES(aws.cloudtrail.user_identity.arn),
    Esql_priv.azure_upn_values = VALUES(azure.platformlogs.identity.claim.upn),
    // Namespace values
    Esql.data_stream_namespace_values = VALUES(data_stream.namespace)
  BY source.ip
// Require multi-vendor cred-access from same source IP
| WHERE Esql.vendor_count_distinct >= 2
| SORT Esql.events_count DESC
| KEEP Esql.*, Esql_priv.*, source.ip

Install detection rules in Elastic Security

Detect Multiple Cloud Secrets Accessed by Source Address in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).