KQL Search

This KQL (Kusto Query Language) query is designed to identify potentially vulnerable devices running the "nginx-ingress" process that are exposed to the internet. Here's a simplified breakdown of what the query does:

1. Identify Internet-Facing Devices:

   • The query first looks at a dataset called DeviceInfo to find devices that are exposed to the internet. This is determined by checking if the IsInternetFacing field is true and if there is a non-empty PublicIP.
   • It then creates a list of unique DeviceIds for these internet-facing devices.

2. Find Nginx-Ingress Processes:

   • The query then examines another dataset called DeviceProcessEvents to find processes where the command line includes "nginx-ingress". This indicates that the device is running the Nginx Ingress Controller, which is a component often used in Kubernetes environments.

3. Summarize and Filter Results:

   • For each device running "nginx-ingress", it summarizes the data to get the most recent event (arg_max(TimeGenerated, *)) for each DeviceId.
   • Finally, it filters these results to only include devices that are in the list of internet-facing devices identified earlier.

In summary, this query identifies devices that are both running the "nginx-ingress" process and are exposed to the internet, potentially highlighting systems that could be vulnerable to certain security risks.