Forum Discussion

mathurin68
Brass Contributor
Dec 15, 2021

KQL for Public Facing CVE-2021-44228 Hosts

We came up with the following KQL but are still learning. Could someone double-check our work?
DeviceTvmSoftwareVulnerabilities
| where CveId == 'CVE-2021-44228'
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId
| join kind=inner
(
 DeviceInfo
 | project DeviceId, PublicIP, MachineGroup
)
on DeviceId
| distinct *
We're trying to use KQL to determine which of our hosts affected by log4j have public facing IP addresses...
Thanks! 

  • mathurin68
    Try using this:

    DeviceTvmSoftwareVulnerabilities
    | where CveId == 'CVE-2021-44228'
    | join kind=inner (DeviceEvents
    | distinct LocalIP, DeviceName)
    on $left.DeviceId == $right.DeviceId
    | distinct DeviceName, LocalIP
      mathurin68
      Brass Contributor
      For whatever reason this doesn't seem to work in ours... BUT many, many thanks for the effort!
        AnuragSrivastava
        Iron Contributor
        Missed one parameter; please try the below:

        DeviceTvmSoftwareVulnerabilities
        | where CveId in ("CVE-2021-44228")
        | join kind = inner(DeviceEvents
        | distinct LocalIP, DeviceName, DeviceId)
        on $left.DeviceId == $right.DeviceId
        | distinct DeviceName, LocalIP
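The following is an added example, not a query posted by anyone in this thread. It returns to the original question (vulnerable hosts with a public address) and addresses two things a practitioner would want from the original post's query: DeviceInfo reports many rows per device, so it is reduced to the latest row per DeviceId before the join, and private egress addresses are filtered out with ipv4_is_private(). It assumes the standard advanced hunting schema for DeviceTvmSoftwareVulnerabilities and DeviceInfo (the PublicIP, MachineGroup, OnboardingStatus and Timestamp columns).

```kql
// Added example (not from the thread). Assumes the standard Defender advanced
// hunting schema for DeviceTvmSoftwareVulnerabilities and DeviceInfo.
let vulnerable = DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2021-44228"
    // One row per device, with every affected product collected into a set.
    | summarize VulnerableSoftware = make_set(strcat(SoftwareVendor, "/", SoftwareName, " ", SoftwareVersion))
        by DeviceId, DeviceName, OSPlatform;
// DeviceInfo emits many rows per device over time; keep only the most recent
// so the join does not fan out and PublicIP reflects the latest report.
let latestInfo = DeviceInfo
    | where isnotempty(PublicIP)
    | summarize arg_max(Timestamp, PublicIP, MachineGroup, OnboardingStatus) by DeviceId;
vulnerable
| join kind=inner latestInfo on DeviceId
// Drop devices whose last reported egress address is RFC 1918; what remains
// reached the Defender service from a routable IPv4 address.
| where not(ipv4_is_private(PublicIP))
| project DeviceName, OSPlatform, MachineGroup, OnboardingStatus, PublicIP,
          LastSeen = Timestamp, VulnerableSoftware
| order by LastSeen desc
```

DeviceInfo.PublicIP is the address the device used to reach the Defender service, so for hosts behind NAT it is the shared egress address rather than proof that the host itself is reachable from the internet; treat the result as a candidate list to confirm against firewall or load-balancer configuration.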
