Forum Discussion
mathurin68
Dec 15, 2021 | Brass Contributor
KQL for Public Facing CVE-2021-44228 Hosts
We came up with the following KQL but are still learning could someone double check our work?
DeviceTvmSoftwareVulnerabilities
| where CveId == 'CVE-2021-44228'
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId
| join kind=inner
(
DeviceInfo
| project DeviceId, PublicIP, MachineGroup
)
on DeviceId
| distinct *
We're trying to use KQL to determine which of our hosts affected by log4j have public facing IP addresses...
Thanks!
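Added example, not from the thread: a variant of the original DeviceInfo join that takes only the most recent DeviceInfo record per device (the table holds many rows per host) and drops private-range PublicIP values before reporting. Column names are the standard advanced hunting schema used above; the make_set/arg_max shape and the Software column name are my own choices.

```kql
// Added example (not from the thread): hosts flagged for CVE-2021-44228
// whose latest reported PublicIP is a routable (non-RFC1918) address.
// Assumes the standard advanced hunting schema columns used in the thread.
let vulnerable = DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2021-44228"
    // One row per device, with the affected software rolled up into a set
    | summarize Software = make_set(strcat(SoftwareVendor, " ", SoftwareName, " ", SoftwareVersion))
        by DeviceId, DeviceName, OSPlatform;
// DeviceInfo has many rows per device; keep only the most recent one so a
// stale PublicIP from an old record does not produce a false hit.
let latestInfo = DeviceInfo
    | where isnotempty(PublicIP)
    | summarize arg_max(Timestamp, PublicIP, MachineGroup) by DeviceId;
vulnerable
| join kind=inner latestInfo on DeviceId
// Devices that reported a private address (e.g. behind NAT with no
// public egress recorded) are not counted as public facing.
| where not(ipv4_is_private(PublicIP))
| project DeviceName, OSPlatform, PublicIP, MachineGroup, LastSeen = Timestamp, Software
| order by LastSeen desc
```

PublicIP in DeviceInfo is the address the device used to reach the Defender for Endpoint service, so it can be a NAT gateway or proxy rather than the host itself; treat a hit as "has a public egress address", not as proof that the host accepts inbound connections.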
- AnuragSrivastava (Iron Contributor) to mathurin68:
Try using this:
DeviceTvmSoftwareVulnerabilities
| where CveId == 'CVE-2021-44228'
| join kind=inner (DeviceEvents
| distinct LocalIP, DeviceName)
on $left.DeviceId == $right.DeviceId
| distinct DeviceName, LocalIP
- mathurin68 (Brass Contributor): For whatever reason this doesn't seem to work in ours... BUT many, many thanks for the effort!
- AnuragSrivastava (Iron Contributor): Missed one parameter, please try the below
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2021-44228")
| join kind = inner(DeviceEvents
| distinct LocalIP, DeviceName, DeviceId)
on $left.DeviceId == $right.DeviceId
| distinct DeviceName, LocalIP