Query Details

Critical Vulnerability In Elastic Kibana

Query

// Critical Vulnerability in Elastic Kibana
// https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-022

// Locate internet-facing Elastic Kibana hosts with utmost priority

// Step 1: build the set of DeviceIds that DeviceInfo reports as internet-facing
// and that have a public IP recorded.
let InternetFacing =
DeviceInfo
| where IsInternetFacing == true and isnotempty(PublicIP)
| distinct DeviceId;
// Step 2: process events from the last 90 days whose parent (initiating) command
// line contains the term "kibana"; keep only the most recent event per device.
DeviceProcessEvents
| where TimeGenerated > ago(90d)
| where InitiatingProcessCommandLine has "kibana"
| summarize arg_max(TimeGenerated, *) by DeviceId
// Step 3: keep only the devices that appear in the internet-facing set.
| where DeviceId has_any(InternetFacing)

Explanation

This query is designed to identify internet-facing devices running Elastic Kibana, so that they can be prioritized in response to the CSA alert AL-2025-022 linked in the query. Here's a simplified breakdown of what the query does:

  1. Identify Internet-Facing Devices:

    • It first creates a list of devices that are exposed to the internet. This is done by checking if the device has a public IP address and is marked as internet-facing in the DeviceInfo table.
    • The query extracts distinct DeviceIds of such devices.
  2. Filter Kibana Processes:

    • It then looks at the DeviceProcessEvents table for processes that have been initiated with a command line containing "kibana" within the last 90 days.
    • It summarizes these events to get the most recent (arg_max) event for each DeviceId.
  3. Match with Internet-Facing Devices:

    • Finally, it filters these Kibana-related processes to only include those that are running on the previously identified internet-facing devices.

In essence, the query helps prioritize the identification of internet-facing devices running Elastic Kibana, which might be vulnerable, so that they can be patched or isolated with urgency.
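The following is an added variant of the hunt, not part of the original query on this page. It matches the Kibana process itself (ProcessCommandLine) as well as its child processes (InitiatingProcessCommandLine), and reports the device name, public IP, last-seen time and event count for each internet-facing host, which makes triage easier than a bare DeviceId. Column names are assumed to follow the same Sentinel DeviceInfo and DeviceProcessEvents schema used above; the 90-day window and the "kibana" term are kept from the original.

```kusto
// Added example: internet-facing Kibana hosts with triage context.
// Assumes the Sentinel DeviceInfo / DeviceProcessEvents schema used above.
let InternetFacing =
    DeviceInfo
    | where IsInternetFacing == true and isnotempty(PublicIP)
    // DeviceInfo is a snapshot table; keep the latest name and public IP per device
    | summarize arg_max(TimeGenerated, DeviceName, PublicIP) by DeviceId
    | project DeviceId, DeviceName, PublicIP;
DeviceProcessEvents
| where TimeGenerated > ago(90d)
// Match the Kibana process itself as well as anything it spawned
| where ProcessCommandLine has "kibana" or InitiatingProcessCommandLine has "kibana"
| summarize LastSeen = max(TimeGenerated), KibanaEvents = count() by DeviceId
// Inner join keeps only devices in the internet-facing set
| join kind=inner InternetFacing on DeviceId
| project DeviceId, DeviceName, PublicIP, LastSeen, KibanaEvents
| sort by LastSeen desc
```

A host with a recent LastSeen and a public IP is the one to verify and remediate first; a DeviceId that appears only in the original query but not here has no matching Kibana process in the window.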

Details

Steven Lim

Released: March 10, 2025

Tables

DeviceInfo, DeviceProcessEvents

Keywords

DeviceInfo, DeviceProcessEvents, DeviceId, PublicIP, TimeGenerated, InitiatingProcessCommandLine

Operators

let, |, where, and, isnotempty, distinct, has, summarize, arg_max, by, has_any, >, ago( )