Merge pull request #3863 from samikroy/patch-12
Updating as per #3826
v-sumdh authored Jan 28, 2022
2 parents a55f7b6 + fefcb17 commit e614f43
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -325,7 +325,7 @@
"properties": {
"eTag": "*",
"displayName": "Azure WAF Log4j CVE-2021-44228 hunting",
"category": "Hunting Queries",
"category": "Hunting Queries",
"query": "let log4jcmdstring = dynamic([\"${jndi:ldap\",\"${jndi:dns\",\"${jndi:rmi\",\"${jndi:corba\",\"${jndi:iiop\",\"${jndi:nis\",\"${jndi:nds\"]);\nlet log4jRegex = @'(\\\\$|%24)(\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\$|%24|}|%7D)';\nAzureDiagnostics\n| where Category in (\"FrontdoorWebApplicationFirewallLog\", \"FrontdoorAccessLog\", \"ApplicationGatewayFirewallLog\", \"ApplicationGatewayAccessLog\")\n //Extending the columns to aviod failures.\n| extend originalRequestUriWithArgs_s = column_ifexists(\"originalRequestUriWithArgs_s\", \"\"), \n userAgent_s = column_ifexists(\"userAgent_s\", \"\"), \n clientIP_s = column_ifexists(\"clientIP_s\", \"\"), \n clientPort_d = column_ifexists(\"originalRequestUriWithArgs_s\", \"\"),\n host_s = column_ifexists(\"host_s\", \"\"),\n requestUri_s = column_ifexists(\"requestUri_s\", \"\"),\n httpStatus_d = column_ifexists(\"httpStatus_d\",\"\"),\n listenerName_s = column_ifexists(\"listenerName_s\", \"\"),\n httpMethod_s = column_ifexists(\"httpMethod_s\", \"\")\n //The regex and the string matching look for the most common attacks. This is not supposed to be comprehensive.\n| where originalRequestUriWithArgs_s has_any (log4jcmdstring) or originalRequestUriWithArgs_s matches regex log4jRegex or userAgent_s has_any (log4jcmdstring) or userAgent_s matches regex log4jRegex\n| extend CmdLine = iff(originalRequestUriWithArgs_s has 'Base64/', split(split(originalRequestUriWithArgs_s, \"Base64/\",1)[0], \"}\", 0)[0], split(split(userAgent_s, \"Base64/\",1)[0], \"}\", 0)[0])\n| extend CmdLine = base64_decode_tostring(tostring(CmdLine))\n| where CmdLine has_any (\"wget\",\"curl\")\n| summarize Total = count() by originalRequestUriWithArgs_s, userAgent_s, clientIP_s,clientPort_d, TimeGenerated, host_s, requestUri_s, httpStatus_d,listenerName_s, CmdLine, httpMethod_s, Category\n| extend IPCustomEntity = clientIP_s, timestamp = TimeGenerated\n",
"version": 1,
"tags": [
