Query Details
//Parse all request uris over the last 30 days and create a new column from the string between / and ://
//Example - from /${jndi:ldap:// we parse ${jndi:ldap: to a new column called HeaderUri
//Data connector required for this query - Azure Diagnostics (Application Gateways)
//Look up the last 3 days of data to find any new HeaderUri strings between / and :// not seen for the previous 30 days
AzureDiagnostics
| where TimeGenerated > ago(30d) and TimeGenerated < ago(3d)
| where ResourceType == "APPLICATIONGATEWAYS"
| project TimeGenerated, host_s, originalRequestUriWithArgs_s, clientIP_s
| parse-where originalRequestUriWithArgs_s with * '/' HeaderUri '://' *
| distinct host_s, HeaderUri
| join kind=rightanti (
AzureDiagnostics
| where TimeGenerated > ago(3d)
| where ResourceType == "APPLICATIONGATEWAYS"
| project TimeGenerated, host_s, originalRequestUriWithArgs_s, clientIP_s
| parse-where originalRequestUriWithArgs_s with * '/' HeaderUri '://' *
| project TimeGenerated, originalRequestUriWithArgs_s, host_s, HeaderUri)
on host_s, HeaderUri
| parse-where originalRequestUriWithArgs_s with * '://' MaliciousHost '/' *
| project TimeGenerated, originalRequestUriWithArgs_s, HeaderUri, MaliciousHost, Target=host_s

This query uses data from the Azure Diagnostics data connector for Application Gateways. It parses each request URI and creates a new column called HeaderUri from the string between "/" and "://".
The query first builds a baseline from requests logged between 30 and 3 days ago. It selects the TimeGenerated, host_s, originalRequestUriWithArgs_s, and clientIP_s columns, then reduces that set to the distinct host_s and HeaderUri pairs.
Next, it performs a right anti-join, on host_s and HeaderUri, against the last 3 days of data, keeping only recent rows whose HeaderUri was not seen for that host during the baseline window. Because parse-where is used, any row whose URI does not match the "/ ... ://" pattern is dropped rather than kept with an empty HeaderUri.
Finally, it parses the string between "://" and the next "/" into a MaliciousHost column (again dropping rows with no match) and projects the TimeGenerated, originalRequestUriWithArgs_s, HeaderUri, MaliciousHost, and Target columns, where Target is the requested host_s.

Matt Zorich
Released: June 17, 2022