From 38c6a59ce66c5d3347e681e0095e4a046eb5e615 Mon Sep 17 00:00:00 2001
From: Samik Roy
Date: Tue, 4 Jan 2022 00:46:56 +0530
Subject: [PATCH] Update WAF_log4j_vulnerability.yaml
---
 .../AzureDiagnostics/WAF_log4j_vulnerability.yaml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/Hunting Queries/AzureDiagnostics/WAF_log4j_vulnerability.yaml b/Hunting Queries/AzureDiagnostics/WAF_log4j_vulnerability.yaml
index 0957ac8aa8e..84912f71640 100644
--- a/Hunting Queries/AzureDiagnostics/WAF_log4j_vulnerability.yaml
+++ b/Hunting Queries/AzureDiagnostics/WAF_log4j_vulnerability.yaml
@@ -20,7 +20,17 @@ query: |
 let log4jRegex = @'(\\$|%24)(\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\$|%24|}|%7D)';
 AzureDiagnostics
 | where Category in ("FrontdoorWebApplicationFirewallLog", "FrontdoorAccessLog", "ApplicationGatewayFirewallLog", "ApplicationGatewayAccessLog")
- //The regex and the string matching look for the most common attacks. This is not supposed to be comprehensive.
+ //Extending the columns to aviod failures.
+ | extend originalRequestUriWithArgs_s = column_ifexists("originalRequestUriWithArgs_s", ""),
+ userAgent_s = column_ifexists("userAgent_s", ""),
+ clientIP_s = column_ifexists("clientIP_s", ""),
+ clientPort_d = column_ifexists("originalRequestUriWithArgs_s", ""),
+ host_s = column_ifexists("host_s", ""),
+ requestUri_s = column_ifexists("requestUri_s", ""),
+ httpStatus_d = column_ifexists("httpStatus_d",""),
+ listenerName_s = column_ifexists("listenerName_s", ""),
+ httpMethod_s = column_ifexists("httpMethod_s", "")
+ //The regex and the string matching look for the most common attacks. This is not supposed to be comprehensive.
 | where originalRequestUriWithArgs_s has_any (log4jcmdstring) or originalRequestUriWithArgs_s matches regex log4jRegex or userAgent_s has_any (log4jcmdstring) or userAgent_s matches regex log4jRegex
 | extend CmdLine = iff(originalRequestUriWithArgs_s has 'Base64/', split(split(originalRequestUriWithArgs_s, "Base64/",1)[0], "}", 0)[0], split(split(userAgent_s, "Base64/",1)[0], "}", 0)[0])
 | extend CmdLine = base64_decode_tostring(tostring(CmdLine))
@@ -32,4 +42,4 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
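Review bot: The new `extend` binds `clientPort_d` to the wrong column — `clientPort_d = column_ifexists("originalRequestUriWithArgs_s", "")` re-reads the request URI, so any later projection or entity mapping of the client port (outside this hunk) would silently carry the URI, or an empty string where that column is absent, instead of the port; it should read `clientPort_d = column_ifexists("clientPort_d", "")`. The `_d` suffix suggests `clientPort_d` and `httpStatus_d` are numeric, so a `""` default may change the column's type on tables where they are missing and break a later numeric comparison — a typed default such as `column_ifexists("httpStatus_d", long(null))` would avoid that, though the lines consuming these columns are not visible here. The comment on the first added line also has a typo, `aviod` → `avoid`. The `query: |` block starts before this hunk (where `log4jcmdstring` is defined) and continues past it.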