Query Details

CVE-2024-3393 DoS Detection

Query

// CVE-2024-3393 DoS Detection (PAN-OS firewall denial of service via a crafted DNS packet)

// https://securityadvisories.paloaltonetworks.com/CVE-2024-3393
// https://thehackernews.com/2024/12/palo-alto-releases-patch-for-pan-os-dos.html

// PAN-OS releases the query treats as fixed for CVE-2024-3393 (check them against the advisory linked above).
// Note: has_any matches whole terms, so a bare entry such as "10.2.8" or "10.1.14" also matches every
// hotfix of that maintenance release, while "10.2.10-h12" matches only that exact hotfix.
let FixedVersion = dynamic(["11.2.3","11.1.5","10.2.8","10.2.10-h12","10.2.13-h2","10.1.14","10.1.14-h8"]);
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where Computer != ""                       // drop rows with no device name
| where TimeGenerated > ago(1h)              // lookback: devices that were logging within the last hour
| summarize LastLogReceived=max(TimeGenerated) by Computer, DeviceVendor, DeviceVersion
| project LastLogReceived, Computer, DeviceVendor, DeviceVersion
| where LastLogReceived < ago(15m)           // ... but have sent nothing for 15+ minutes
| where not (tostring(DeviceVersion) has_any(FixedVersion))   // ... and are not on a listed fixed release

Explanation

This KQL (Kusto Query Language) query is a hunting heuristic for CVE-2024-3393, a denial-of-service (DoS) vulnerability in PAN-OS: a specially crafted DNS packet processed by the DNS Security feature can make an unpatched firewall reboot. The query does not inspect traffic for the malicious packet. Instead it looks for the symptom (a firewall that was logging and has gone quiet) on devices that are not running a fixed release. Here's a breakdown of what the query does:

  1. Fixed Versions List: It defines the list of PAN-OS versions the query treats as patched for CVE-2024-3393. Because has_any matches whole terms, a bare entry such as "10.2.8" or "10.1.14" matches every hotfix of that maintenance release, whereas an entry with a hotfix suffix such as "10.2.10-h12" matches only that exact hotfix, so a device on a later hotfix of the same release would still be flagged. Reconcile the list with the hotfix levels in the advisory before relying on it.

  2. Data Source: The query reads CommonSecurityLog, keeping only rows where DeviceVendor is "Palo Alto Networks".

  3. Filter Criteria:

    • It drops rows where the Computer field is empty.
    • It only considers rows generated within the last hour, so a device must have been logging at some point in that window to be evaluated at all.
  4. Data Aggregation:

    • It summarizes the rows to find the most recent log time (LastLogReceived) for each Computer, DeviceVendor and DeviceVersion.
  5. Further Filtering:

    • It keeps devices whose LastLogReceived is more than 15 minutes ago, i.e. devices that were logging during the hour but have since gone silent, which is consistent with the reboot the vulnerability causes.
    • It removes devices running any of the versions listed in FixedVersion.

In essence, this query identifies Palo Alto Networks devices that logged within the last hour, have sent nothing in the last 15 minutes, and are running versions not listed as patched for CVE-2024-3393. Two caveats apply in practice: a device that has been silent for more than an hour falls out of the ago(1h) window and will not appear, so widen the lookback if you want to catch longer outages; and a logging gap has benign causes too (collector or agent outage, maintenance window, planned upgrade), so treat hits as triage candidates to corroborate with the device's uptime and reboot events rather than as confirmed exploitation. The durable fix is to upgrade to a fixed release.
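As an added, stand-alone illustration (not part of the page's query and not Palo Alto Networks' code), the Python below re-implements the query's pipeline over constructed sample rows that stand in for CommonSecurityLog. It emulates has_any as whole-term sequence matching (an assumption about KQL's semantics on version strings) and adds a hotfix-aware comparison that the KQL above does not have, to show how the two checks differ on a device running a hotfix newer than the listed one. The device names, versions and timestamps are made up; the fixed-version list is copied from the query.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed-version list copied from the query on this page.
FIXED_VERSIONS = ["11.2.3", "11.1.5", "10.2.8", "10.2.10-h12",
                  "10.2.13-h2", "10.1.14", "10.1.14-h8"]
VENDOR = "Palo Alto Networks"
LOOKBACK = timedelta(hours=1)    # TimeGenerated > ago(1h)
SILENCE = timedelta(minutes=15)  # LastLogReceived < ago(15m)

# Constructed sample rows standing in for CommonSecurityLog (not real telemetry).
NOW = datetime(2024, 12, 27, 12, 0, tzinfo=timezone.utc)

def row(minutes_ago, computer, version, vendor=VENDOR):
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago),
            "DeviceVendor": vendor, "Computer": computer, "DeviceVersion": version}

SAMPLE_ROWS = [
    row(50, "fw-edge-01", "10.2.9"),       # two rows: the newest (2 min) wins in summarize max()
    row(2,  "fw-edge-01", "10.2.9"),
    row(40, "fw-edge-02", "10.2.9"),       # quiet for 40 min, unpatched -> flagged
    row(40, "fw-edge-03", "11.2.3"),       # quiet, but on a listed fixed release -> excluded
    row(40, "fw-edge-04", "10.2.10-h14"),  # later hotfix than the listed 10.2.10-h12
    row(40, "fw-edge-05", "10.1.14-h3"),   # bare "10.1.14" in the list matches any 10.1.14 hotfix
    row(90, "fw-edge-06", "10.2.9"),       # quiet for 90 min: outside ago(1h), never evaluated
    row(40, "",           "10.2.9"),       # empty Computer -> dropped
    row(40, "fgt-01",     "7.2.1", vendor="Fortinet"),  # other vendor -> dropped
]

def terms(s):
    """Split a string into the alphanumeric terms that has/has_any compare."""
    return re.findall(r"[A-Za-z0-9]+", s.lower())

def kql_has(value, phrase):
    """Emulate `value has phrase`: the phrase's term sequence appears whole in value."""
    v, p = terms(value), terms(phrase)
    return any(v[i:i + len(p)] == p for i in range(len(v) - len(p) + 1))

def kql_has_any(value, phrases):
    return any(kql_has(value, p) for p in phrases)

def parse_version(v):
    """'10.2.10-h12' -> ((10, 2, 10), 12); a bare '10.2.8' has hotfix level 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", v.strip())
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3])), int(m[4] or 0)

def is_fixed_by_hotfix(version, fixed_versions):
    """Fixed when the device's maintenance release appears in the list and its
    hotfix level is at or above the listed one (a stricter rule than has_any)."""
    parsed = parse_version(version)
    if parsed is None:
        return False
    release, hotfix = parsed
    fixed = [p for p in map(parse_version, fixed_versions) if p]
    return any(release == rel and hotfix >= hf for rel, hf in fixed)

def silent_unpatched(rows, now=NOW, fixed_check=kql_has_any):
    """The page's pipeline: vendor filter, non-empty Computer, 1h lookback,
    max(TimeGenerated) per device, 15-minute silence, not on a fixed version.
    Returns sorted (Computer, DeviceVersion, LastLogReceived) tuples."""
    last_seen = {}
    for r in rows:
        if r["DeviceVendor"] != VENDOR or r["Computer"] == "":
            continue
        if r["TimeGenerated"] <= now - LOOKBACK:
            continue
        key = (r["Computer"], r["DeviceVendor"], r["DeviceVersion"])
        last_seen[key] = max(last_seen.get(key, r["TimeGenerated"]), r["TimeGenerated"])
    return sorted((c, v, t) for (c, _vendor, v), t in last_seen.items()
                  if t < now - SILENCE and not fixed_check(v, FIXED_VERSIONS))

if __name__ == "__main__":
    for name, check in (("has_any", kql_has_any), ("hotfix-aware", is_fixed_by_hotfix)):
        hits = silent_unpatched(SAMPLE_ROWS, fixed_check=check)
        print(name, [(c, v) for c, v, _ in hits])
```

With the has_any emulation the run flags fw-edge-02 (10.2.9) and fw-edge-04 (10.2.10-h14): the second is a false positive, because "10.2.10-h12" in the list only term-matches that exact hotfix. The hotfix-aware rule flags only fw-edge-02. Both rules exclude fw-edge-05 (10.1.14-h3), since the bare "10.1.14" entry covers every 10.1.14 hotfix; if only a specific hotfix level was meant, the bare entry is the one to remove. fw-edge-06 never appears because its last log is outside the one-hour lookback.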

Details


Steven Lim

Released: December 27, 2024

Tables

CommonSecurityLog

Keywords

CommonSecurityLog, PaloAltoNetworks, Computer, DeviceVendor, DeviceVersion, TimeGenerated

Operators

let, dynamic, |, where, !=, >, ago, summarize, max, by, project, <, not, tostring, has_any
