Query Details

SolarWinds Serv-U Vuln

Query

// Based on SolarWinds IOCs: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211

// IOC IP addresses published in the advisory
let SolarU_IPs = pack_array("98.176.196.89", "68.235.178.32", "208.113.35.58");
DeviceNetworkEvents
| where TimeGenerated >= ago(7d)   // ago() turns the 7d timespan into a datetime for the comparison
| where RemotePort == 443
| where Protocol == "Tcp" and ActionType == "ConnectionSuccess"
| where RemoteIP in (SolarU_IPs)

Explanation

This query looks for network events involving the specific IP addresses listed as IOCs in the SolarWinds advisory. It keeps only events generated within the last 7 days, with remote port 443, protocol TCP, and action type ConnectionSuccess. Finally, it checks whether the remote IP is one of the addresses in the SolarU_IPs array.
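The same IOC match as an added triage example (not from the original page or its author): it drops the port 443 restriction so connections on any port are caught, then summarizes per device and remote IP so each row shows first/last seen, connection count, ports and the initiating process. Column names follow the standard DeviceNetworkEvents schema; the IP list is the one from the advisory above.

```kql
// Added example: IOC IP match over any port, summarized for triage.
// One row per (device, remote IP) with first/last seen, connection count,
// the set of remote ports and the processes/accounts that opened the connections.
let SolarU_IPs = dynamic(["98.176.196.89", "68.235.178.32", "208.113.35.58"]);
let lookback = 7d;
DeviceNetworkEvents
| where TimeGenerated >= ago(lookback)
| where Protocol == "Tcp" and ActionType == "ConnectionSuccess"
| where RemoteIP in (SolarU_IPs)
| summarize
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    Connections = count(),
    RemotePorts = make_set(RemotePort),
    Processes   = make_set(InitiatingProcessFileName),
    Accounts    = make_set(InitiatingProcessAccountName)
    by DeviceName, RemoteIP
// Flag devices that reached an IOC address on a port other than 443,
// which the original query's port filter would have missed.
| extend NonStandardPort = array_length(set_difference(RemotePorts, dynamic([443]))) > 0
| order by Connections desc
```

In Microsoft 365 Defender Advanced Hunting the DeviceNetworkEvents table exposes the event time as Timestamp rather than TimeGenerated; swap the column name if running it there.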

Details

Rod Trent

Released: July 13, 2021

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,TimeGenerated,RemotePort,Protocol,ActionType,RemoteIP,SolarU_IPs

Operators

let, pack_array, DeviceNetworkEvents, where, TimeGenerated, >=, (7d), RemotePort, ==, 443, Protocol, == "Tcp", and, ActionType, == "ConnectionSuccess", RemoteIP, in(SolarU_IPs)