Query Details

Query

# CVE-2024-3094 Internet Facing Devices

### Description

Following recently surfaced news about the CVE-2024-3094 vulnerability, the following query can help hunt for devices that are identified with the relevant CVE and are internet facing.

### References
- https://nvd.nist.gov/vuln/detail/CVE-2024-3094
- https://github.com/advisories/GHSA-rxwq-x6h5-x525
- https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

### Microsoft Defender XDR & Microsoft Sentinel
```
// Devices that vulnerability management reports as affected by CVE-2024-3094
let xzcvedevices = DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2024-3094"
    | project DeviceId;
// Keep only those devices that DeviceInfo marks as internet facing
xzcvedevices
| join (
    DeviceInfo
    | where IsInternetFacing == "1" // 1 for internet facing devices, 0 for non-internet facing devices
    | project DeviceId, DeviceName, OSBuild, OSVersion, OSDistribution, OSVersionInfo
) on DeviceId
```

### Source
- Microsoft Defender for Endpoint
- Microsoft Defender for Cloud

### Versioning
| Version       | Date          | Comments                          |
| ------------- |---------------| ----------------------------------|
| 1.0           | 30/04/2024    | Initial publish                   |

Explanation

This query looks for devices that are vulnerable to CVE-2024-3094 and are internet facing. It retrieves information about these devices such as DeviceName, OSBuild, OSVersion, OSDistribution, and OSVersionInfo.
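
A variant for triage, added here as an example and not part of the original author's query: it keeps only the latest DeviceInfo snapshot per device, so each device appears once and is judged on its current internet-facing state, and it carries the software entry that triggered the finding. The 7-day lookback and the boolean comparison on IsInternetFacing are assumptions of this example.

```kql
// Added example, not the original author's query.
// Devices flagged for the CVE, with the software entry behind the finding.
let xzcvedevices = DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2024-3094"
    | project DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion;
DeviceInfo
| where Timestamp > ago(7d)                     // assumed lookback window
| summarize arg_max(Timestamp, *) by DeviceId   // latest snapshot per device
| where IsInternetFacing == true                // assumes the column is boolean
| join kind=inner xzcvedevices on DeviceId
| project Timestamp, DeviceId, DeviceName, PublicIP, OSDistribution, OSVersionInfo,
          SoftwareVendor, SoftwareName, SoftwareVersion
| sort by DeviceName asc
```

Because the filter runs after `arg_max`, a device that was internet facing earlier in the window but is not in its latest snapshot is excluded, which differs from the original query.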

Details

Michalis Michalos

Released: March 30, 2024

Tables

DeviceTvmSoftwareVulnerabilities, DeviceInfo

Keywords

CveId, DeviceTvmSoftwareVulnerabilities, DeviceId, DeviceInfo, IsInternetFacing, DeviceName, OSBuild, OSVersion, OSDistribution, OSVersionInfo

Operators

where, project, join, on, ==, |, &&
