

Updating as per Azure#3826
Updating as per Azure#3826
samikroy authored Jan 7, 2022
1 parent 8330ddf commit 2426369
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -279,7 +279,7 @@
"eTag": "*",
"displayName": "Azure WAF Log4j CVE-2021-44228 hunting",
"category": "Hunting Queries",
"query": "let log4jcmdstring = dynamic([\"${jndi:ldap\",\"${jndi:dns\",\"${jndi:rmi\",\"${jndi:corba\",\"${jndi:iiop\",\"${jndi:nis\",\"${jndi:nds\"]);\nAzureDiagnostics\n| where Category in (\"FrontdoorWebApplicationFirewallLog\", \"FrontdoorAccessLog\", \"ApplicationGatewayFirewallLog\", \"ApplicationGatewayAccessLog\")\n//The regex and the string matching look for the most common attacks. This is not supposed to be comprehensive.\n| where originalRequestUriWithArgs_s has_any (log4jcmdstring) or originalRequestUriWithArgs_s matches regex '\\\\$\\\\{j\\\\$\\\\{::-\\\\}n\\\\$\\\\{::-\\\\}d\\\\$\\\\{::-\\\\}[a-zA-Z]' or userAgent_s has_any (log4jcmdstring) or userAgent_s matches regex '\\\\$\\\\{j\\\\$\\\\{::-\\\\}n\\\\$\\\\{::-\\\\}d\\\\$\\\\{::-\\\\}[a-zA-Z]'\n| extend CmdLine = iff(originalRequestUriWithArgs_s has 'Base64/', split(split(originalRequestUriWithArgs_s, \"Base64/\",1)[0], \"}\", 0)[0], split(split(userAgent_s, \"Base64/\",1)[0], \"}\", 0)[0])\n| extend CmdLine = base64_decode_tostring(tostring(CmdLine))\n| where CmdLine has_any (\"wget\",\"curl\")\n| summarize Total = count() by originalRequestUriWithArgs_s, userAgent_s, clientIP_s,clientPort_d, TimeGenerated, host_s, requestUri_s, httpStatus_d,listenerName_s, CmdLine, httpMethod_s, Category\n| extend IPCustomEntity = clientIP_s, timestamp = TimeGenerated\n",
"query": "let log4jcmdstring = dynamic([\"${jndi:ldap\",\"${jndi:dns\",\"${jndi:rmi\",\"${jndi:corba\",\"${jndi:iiop\",\"${jndi:nis\",\"${jndi:nds\"]);\nlet log4jRegex = @'(\\\\$|%24)(\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\$|%24|}|%7D)';\nAzureDiagnostics\n| where Category in (\"FrontdoorWebApplicationFirewallLog\", \"FrontdoorAccessLog\", \"ApplicationGatewayFirewallLog\", \"ApplicationGatewayAccessLog\")\n//Extending the columns to aviod failures.\n| extend originalRequestUriWithArgs_s = column_ifexists(\"originalRequestUriWithArgs_s\", \"\"),\nuserAgent_s = column_ifexists(\"userAgent_s\", \"\"),\nclientIP_s = column_ifexists(\"clientIP_s\", \"\"),\nclientPort_d = column_ifexists(\"originalRequestUriWithArgs_s\", \"\"),\nhost_s = column_ifexists(\"host_s\", \"\"),\nrequestUri_s = column_ifexists(\"requestUri_s\", \"\"),\nhttpStatus_d = column_ifexists(\"httpStatus_d\",\"\"),\nlistenerName_s = column_ifexists(\"listenerName_s\", \"\"),\nhttpMethod_s = column_ifexists(\"httpMethod_s\", \"\")\n//The regex and the string matching look for the most common attacks. This is not supposed to be comprehensive.\n| where originalRequestUriWithArgs_s has_any (log4jcmdstring) or originalRequestUriWithArgs_s matches regex log4jRegex or userAgent_s has_any (log4jcmdstring) or userAgent_s matches regex log4jRegex\n| extend CmdLine = iff(originalRequestUriWithArgs_s has 'Base64/', split(split(originalRequestUriWithArgs_s, \"Base64/\",1)[0], \"}\", 0)[0], split(split(userAgent_s, \"Base64/\",1)[0], \"}\", 0)[0])\n| extend CmdLine = base64_decode_tostring(tostring(CmdLine))\n| where CmdLine has_any (\"wget\",\"curl\")\n| summarize Total = count() by originalRequestUriWithArgs_s, userAgent_s, clientIP_s,clientPort_d, TimeGenerated, host_s, requestUri_s, httpStatus_d,listenerName_s, CmdLine, httpMethod_s, Category\n| extend IPCustomEntity = clientIP_s, timestamp = TimeGenerated\n",
"version": 1,
"tags": [
{
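Review bot: The new `extend` block in the rewritten "query" value sets `clientPort_d` from the wrong column: `clientPort_d = column_ifexists(\"originalRequestUriWithArgs_s\", \"\")` overwrites the client port with the request URI whenever that column exists (and with an empty string otherwise), so the port is lost from the `summarize` output and the hunting result; it should read `clientPort_d = column_ifexists(\"clientPort_d\", \"\"),`. The same block defaults the numeric `clientPort_d` and `httpStatus_d` columns to `\"\"`, a string; if `column_ifexists` adopts the default's type this would presumably change those columns to strings even when they exist, so a numeric default looks preferable — worth confirming against the KQL semantics. The new `log4jRegex` is deliberately loose (`[^jJ]*` between `${` and `j` matches arbitrary text), which fits the "not supposed to be comprehensive" comment but is likely to raise false positives; a short comment in the query noting the intended trade-off would help whoever tunes it. Minor: the comment string reads "aviod" for "avoid".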

