cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

KQL for Public Facing CVE-2021-44228 Hosts

mathurin68
Brass Contributor

‎Dec 15 2021 08:12 AM

‎Dec 15 2021 08:12 AM

KQL for Public Facing CVE-2021-44228 Hosts

We came up with the following KQL but are still learning could someone double check our work? 

 

 

DeviceTvmSoftwareVulnerabilities
| where CveId == 'CVE-2021-44228'
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId
| join kind=inner
(
 DeviceInfo
 | project DeviceId, PublicIP, MachineGroup
)
on DeviceId
| distinct *

 

 

We're trying to use KQL to determine which of our hosts affected by log4j have public facing IP addresses...

 

Thanks! 

2,026 Views
0 Likes
3 Replies
Reply
3 Replies
AnuragSrivastava

‎Dec 15 2021 10:15 AM

‎Dec 15 2021 10:15 AM

Re: KQL for Public Facing CVE-2021-44228 Hosts

@mathurin68
Try using this:

DeviceTvmSoftwareVulnerabilities
| where CveId == 'CVE-2021-44228'
| join kind=inner (DeviceEvents
| distinct LocalIP, DeviceName)
on $left.DeviceId == $right.DeviceId
| distinct DeviceName, LocalIP
0 Likes
Reply
mathurin68

‎Dec 16 2021 12:08 PM

‎Dec 16 2021 12:08 PM

Re: KQL for Public Facing CVE-2021-44228 Hosts

For whatever reason this doesn't seem to work in ours... BUT many, many thanks for the effort!
0 Likes
Reply
AnuragSrivastava

‎Dec 17 2021 11:08 AM

‎Dec 17 2021 11:08 AM

Re: KQL for Public Facing CVE-2021-44228 Hosts

Missed one parameter, please try the below

DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2021-44228")
| join kind = inner(DeviceEvents
| distinct LocalIP, DeviceName, DeviceId)
on $left.DeviceId == $right.DeviceId
| distinct DeviceName, LocalIP
0 Likes
Reply