Skip to content

Commit de9c028

Browse files
committed
Fix field references in Log4j WAF detection rule
Corrects the column_ifexists references in the Log4j vulnerability detection rule to use the proper field names from AdditionalFields. The details_message_s and details_msg_s fields were referencing incorrect suffixed field names (details_message_s and details_msg_s) instead of the correct unadorned names (details_message and details_msg). This ensures the rule properly extracts data from Azure WAF logs.
1 parent 5fb5f41 commit de9c028

3 files changed

Lines changed: 3 additions & 2 deletions

File tree

Solutions/Apache Log4j Vulnerability Detection/Analytic Rules/AzureWAFmatching_log4j_vuln.yaml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,8 @@ query: |
2626
AzureDiagnostics
2727
| where ResourceProvider == "MICROSOFT.NETWORK" and Category in ("ApplicationGatewayFirewallLog", "FrontdoorWebApplicationFirewallLog")
2828
| extend details_data_s = column_ifexists("details_data_s", tostring(AdditionalFields.details_data))
29-
| extend details_message_s = column_ifexists("details_message_s", tostring(AdditionalFields.details_message_s))
29+
| extend details_msg_s = column_ifexists("details_msg_s", tostring(AdditionalFields.details_msg))
30+
| extend details_message_s = column_ifexists("details_message_s", tostring(AdditionalFields.details_message))
3031
| where requestUri_s has_any (log4jioc) or details_message_s has_any (log4jioc) or details_msg_s has_any (log4jioc) or details_data_s has_any (log4jioc)
3132
| extend Malicious = iff(isnotempty( details_data_s),details_data_s,iff(isnotempty( requestUri_s),requestUri_s,""))
3233
|parse Malicious with * '${' MaliciousCommand '}' *
18 Bytes
Binary file not shown.

Solutions/Apache Log4j Vulnerability Detection/Package/mainTemplate.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -514,7 +514,7 @@
514514
"description": "This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis.\n Reference: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/",
515515
"displayName": "Azure WAF matching for Log4j vuln(CVE-2021-44228)",
516516
"enabled": false,
517-
"query": "let log4jioc = dynamic([\"jndi\",\"ldap\",\"${::\"]);\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.NETWORK\" and Category in (\"ApplicationGatewayFirewallLog\", \"FrontdoorWebApplicationFirewallLog\")\n| extend details_data_s = column_ifexists(\"details_data_s\", tostring(AdditionalFields.details_data))\n| extend details_message_s = column_ifexists(\"details_message_s\", tostring(AdditionalFields.details_message_s))\n| where requestUri_s has_any (log4jioc) or details_message_s has_any (log4jioc) or details_msg_s has_any (log4jioc) or details_data_s has_any (log4jioc)\n| extend Malicious = iff(isnotempty( details_data_s),details_data_s,iff(isnotempty( requestUri_s),requestUri_s,\"\"))\n|parse Malicious with * '${' MaliciousCommand '}' * \n| extend EncodeCmd = iff(MaliciousCommand has 'Base64/', split(split(MaliciousCommand, \"Base64/\",1)[0], \"}\", 0)[0], \"\")\n| extend EncodeCmd1 = iff(MaliciousCommand has 'base64/', split(split(MaliciousCommand, \"base64/\",1)[0], \"}\", 0)[0], \"\")\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \"Unable to decode/Doesn't need decoding\")\n| project TimeGenerated, Target=column_ifexists(\"hostname_s\", tostring(AdditionalFields.hostname)), MaliciousHost = column_ifexists(\"clientIp_s\", tostring(AdditionalFields.clientIp)) , MaliciousCommand, details_data_s = column_ifexists(\"details_data_s\", tostring(AdditionalFields.details_data)), DecodedCmdLine, Message,\nruleSetType_s = column_ifexists(\"ruleSetType_s\", tostring(AdditionalFields.ruleSetType)), OperationName, SubscriptionId, details_message_s = column_ifexists(\"details_message_s\", tostring(AdditionalFields.details_message)), details_msg_s = column_ifexists(\"details_msg_s\", tostring(AdditionalFields.details_msg)), details_file_s = column_ifexists(\"details_message_s\", tostring(AdditionalFields.details_file))\n| extend timestamp = TimeGenerated\n",
517+
"query": "let log4jioc = dynamic([\"jndi\",\"ldap\",\"${::\"]);\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.NETWORK\" and Category in (\"ApplicationGatewayFirewallLog\", \"FrontdoorWebApplicationFirewallLog\")\n| extend details_data_s = column_ifexists(\"details_data_s\", tostring(AdditionalFields.details_data))\n| extend details_msg_s = column_ifexists(\"details_msg_s\", tostring(AdditionalFields.details_msg))\n| extend details_message_s = column_ifexists(\"details_message_s\", tostring(AdditionalFields.details_message))\n| where requestUri_s has_any (log4jioc) or details_message_s has_any (log4jioc) or details_msg_s has_any (log4jioc) or details_data_s has_any (log4jioc)\n| extend Malicious = iff(isnotempty( details_data_s),details_data_s,iff(isnotempty( requestUri_s),requestUri_s,\"\"))\n|parse Malicious with * '${' MaliciousCommand '}' * \n| extend EncodeCmd = iff(MaliciousCommand has 'Base64/', split(split(MaliciousCommand, \"Base64/\",1)[0], \"}\", 0)[0], \"\")\n| extend EncodeCmd1 = iff(MaliciousCommand has 'base64/', split(split(MaliciousCommand, \"base64/\",1)[0], \"}\", 0)[0], \"\")\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \"Unable to decode/Doesn't need decoding\")\n| project TimeGenerated, Target=column_ifexists(\"hostname_s\", tostring(AdditionalFields.hostname)), MaliciousHost = column_ifexists(\"clientIp_s\", tostring(AdditionalFields.clientIp)) , MaliciousCommand, details_data_s = column_ifexists(\"details_data_s\", tostring(AdditionalFields.details_data)), DecodedCmdLine, Message,\nruleSetType_s = column_ifexists(\"ruleSetType_s\", tostring(AdditionalFields.ruleSetType)), OperationName, SubscriptionId, details_message_s = column_ifexists(\"details_message_s\", tostring(AdditionalFields.details_message)), details_msg_s = column_ifexists(\"details_msg_s\", tostring(AdditionalFields.details_msg)), details_file_s = column_ifexists(\"details_message_s\", tostring(AdditionalFields.details_file))\n| extend timestamp = TimeGenerated\n",
518518
"queryFrequency": "PT6H",
519519
"queryPeriod": "PT6H",
520520
"severity": "High",

0 commit comments

Comments
 (0)