Query Details

Hunting CVE-2025-31324

Query

// Source: https://www.bleepingcomputer.com/news/security/over-1-200-sap-netweaver-servers-vulnerable-to-actively-exploited-flaw/

// Step 1: build the set of devices Defender reports as internet-facing with a public IP
let InternetFacing =
DeviceInfo
| where IsInternetFacing == true and isnotempty(PublicIP)
| distinct DeviceId;
// Step 2: find process activity launched by SAP NetWeaver binaries in the last 90 days
DeviceProcessEvents
| where TimeGenerated > ago(90d)
| where InitiatingProcessVersionInfoProductName has "netweaver"
// Step 3: keep only the most recent event per device
| summarize arg_max(TimeGenerated, *) by DeviceId
// Step 4: restrict to the internet-facing set (has_any accepts a single-column tabular expression)
| where DeviceId has_any(InternetFacing)

Explanation

This KQL (Kusto Query Language) query is designed to identify potentially vulnerable SAP NetWeaver servers that are exposed to the internet. Here's a simplified breakdown of what the query does:

  1. Identify Internet-Facing Devices:
    • The query first looks at the DeviceInfo table for devices that Defender has flagged as internet-facing and that report a public IP address.
    • It filters on IsInternetFacing == true and isnotempty(PublicIP).
    • It then builds a distinct list of those devices by DeviceId and stores it in the InternetFacing variable.
  2. Find NetWeaver Processes:
    • The query then examines the DeviceProcessEvents table for events from the last 90 days (TimeGenerated > ago(90d)).
    • It keeps events whose InitiatingProcessVersionInfoProductName contains the term "netweaver", i.e. processes launched by an SAP NetWeaver binary.
  3. Summarize Recent Events:
    • For each DeviceId, arg_max(TimeGenerated, *) keeps the single most recent event, so the output has one row per device carrying its latest process details.
  4. Filter for Internet-Facing Devices:
    • Finally, has_any(InternetFacing) keeps only rows whose DeviceId appears in the internet-facing list built in step 1.

In summary, this query identifies the most recent SAP NetWeaver-related processes running on devices that are exposed to the internet, which could potentially be vulnerable to exploitation.
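Added example (not part of the original query): the same hunt extended to return device context for triage instead of a raw arg_max row. It assumes the standard Microsoft Sentinel DeviceInfo and DeviceProcessEvents schemas; the columns DeviceName, OSPlatform, ProcessVersionInfoProductName and InitiatingProcessFileName are assumed present from that schema, and the latest DeviceInfo record per device is used so a host that is no longer internet-facing drops out.

```kql
// Added example: inventory of internet-facing SAP NetWeaver hosts with triage context.
// Assumes the standard Sentinel DeviceInfo / DeviceProcessEvents schema (DeviceName,
// OSPlatform, PublicIP, ProcessVersionInfoProductName, InitiatingProcessFileName).
let Lookback = 90d;
// Latest DeviceInfo record per device, so the current exposure state wins over an old one
let InternetFacing =
    DeviceInfo
    | where TimeGenerated > ago(Lookback)
    | where IsInternetFacing == true and isnotempty(PublicIP)
    | summarize arg_max(TimeGenerated, DeviceName, PublicIP, OSPlatform) by DeviceId
    | project DeviceId, DeviceName, PublicIP, OSPlatform;
// NetWeaver activity: match either the launched process or its parent, then aggregate per device
DeviceProcessEvents
| where TimeGenerated > ago(Lookback)
| where InitiatingProcessVersionInfoProductName has "netweaver"
     or ProcessVersionInfoProductName has "netweaver"
| summarize LastSeen = max(TimeGenerated),
            ProcessEvents = count(),
            NetWeaverParents = make_set(InitiatingProcessFileName, 20)
  by DeviceId
// Exact-match join on DeviceId instead of the term-based has_any
| join kind=inner InternetFacing on DeviceId
| project DeviceId, DeviceName, PublicIP, OSPlatform, LastSeen, ProcessEvents, NetWeaverParents
| order by LastSeen desc
```

Every row is a patch-priority candidate rather than evidence of compromise: the query inventories exposure and NetWeaver activity, and it only sees hosts onboarded to Defender with process telemetry.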

Details


Steven Lim

Released: May 1, 2025

Tables

DeviceInfo, DeviceProcessEvents

Keywords

DeviceInfo, DeviceProcessEvents, DeviceId, TimeGenerated, PublicIP, InitiatingProcessVersionInfoProductName

Operators

let, |, where, ==, and, isnotempty, distinct, >, ago, has, summarize, arg_max, by, has_any
