diff --git a/Hunting Queries/AzureDiagnostics/WAF_log4j_vulnerability.yaml b/Hunting Queries/AzureDiagnostics/WAF_log4j_vulnerability.yaml
index 0957ac8aa8e..84912f71640 100644
--- a/Hunting Queries/AzureDiagnostics/WAF_log4j_vulnerability.yaml
+++ b/Hunting Queries/AzureDiagnostics/WAF_log4j_vulnerability.yaml
@@ -20,7 +20,17 @@ query: |
 let log4jRegex = @'(\\$|%24)(\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\$|%24|}|%7D)';
 AzureDiagnostics
 | where Category in ("FrontdoorWebApplicationFirewallLog", "FrontdoorAccessLog", "ApplicationGatewayFirewallLog", "ApplicationGatewayAccessLog")
-//The regex and the string matching look for the most common attacks. This is not supposed to be comprehensive.
+//Extending the columns to aviod failures.
+| extend originalRequestUriWithArgs_s = column_ifexists("originalRequestUriWithArgs_s", ""),
+userAgent_s = column_ifexists("userAgent_s", ""),
+clientIP_s = column_ifexists("clientIP_s", ""),
+clientPort_d = column_ifexists("originalRequestUriWithArgs_s", ""),
+host_s = column_ifexists("host_s", ""),
+requestUri_s = column_ifexists("requestUri_s", ""),
+httpStatus_d = column_ifexists("httpStatus_d",""),
+listenerName_s = column_ifexists("listenerName_s", ""),
+httpMethod_s = column_ifexists("httpMethod_s", "")
+//The regex and the string matching look for the most common attacks. This is not supposed to be comprehensive.
 | where originalRequestUriWithArgs_s has_any (log4jcmdstring) or originalRequestUriWithArgs_s matches regex log4jRegex or userAgent_s has_any (log4jcmdstring) or userAgent_s matches regex log4jRegex
 | extend CmdLine = iff(originalRequestUriWithArgs_s has 'Base64/', split(split(originalRequestUriWithArgs_s, "Base64/",1)[0], "}", 0)[0], split(split(userAgent_s, "Base64/",1)[0], "}", 0)[0])
 | extend CmdLine = base64_decode_tostring(tostring(CmdLine))
@@ -32,4 +42,4 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
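Review bot: The added `clientPort_d` line looks up the wrong column: `clientPort_d = column_ifexists("originalRequestUriWithArgs_s", "")` overwrites the real client port with the full request URI whenever that column exists, so any later projection of clientPort_d in this hunting query will carry URI text instead of a port; it should read `clientPort_d = column_ifexists("clientPort_d", ""),`. The two numeric columns (`clientPort_d`, `httpStatus_d`) are also given a string default, which presumably makes the fallback value typed differently from the column when it is present — worth confirming against downstream filters and the entity mapping, and a numeric default such as `long(null)` may be the safer choice. The new comment has a typo: `//Extending the columns to aviod failures.` should be `//Extending the columns to avoid failures.`. The query body begins before line 20 and continues past the hunk, so the columns these extends feed into are outside this view.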