Detection rules › Kusto
Vulnerable Machines related to OMIGOD CVE-2021-38647
'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647). Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below). Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal'
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1190 Exploit Public-Facing Application |
| Execution | T1203 Exploitation for Client Execution |
Rule body kusto
id: 4d94d4a9-dc96-450a-9dea-4d4d4594199b
name: Vulnerable Machines related to OMIGOD CVE-2021-38647
description: |
'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647.
OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).
Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).
Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal'
severity: High
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- Execution
relevantTechniques:
- T1190
- T1203
tags:
- OMIGOD
- CVE-2021-38647
query: |
SecurityNestedRecommendation
| where RemediationDescription has 'CVE-2021-38647'
| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *
| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
| extend HostName = tostring(split(VirtualMAchine, ".")[0]), DomainIndex = toint(indexof(VirtualMAchine, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(VirtualMAchine, DomainIndex + 1), VirtualMAchine)
entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: VirtualMAchine
- identifier: HostName
columnName: HostName
- identifier: NTDomain
columnName: HostNameDomain
version: 1.0.5
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Microsoft Security Research
support:
tier: Community
categories:
domains: [ "Security - Threat Protection" ]
Stages and Predicates
Stage 1: source
SecurityNestedRecommendation
Stage 2: where
| where RemediationDescription has 'CVE-2021-38647'
Stage 3: parse
| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *
Stage 4: summarize
| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
Stage 5: extend
| extend HostName = tostring(split(VirtualMAchine, ".")[0]), DomainIndex = toint(indexof(VirtualMAchine, '.'))
Stage 6: extend
| extend HostNameDomain = iff(DomainIndex != -1, substring(VirtualMAchine, DomainIndex + 1), VirtualMAchine)
HostNameDomain =DomainIndex != -1substring(VirtualMAchine, (DomainIndex + 1))VirtualMAchineIndicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
RemediationDescription | match |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
Description | summarize |
RecommendationName | summarize |
RecommendationSubscriptionId | summarize |
RemediationDescription | summarize |
TenantId | summarize |
VirtualMAchine | summarize |
VulnerabilityId | summarize |
DomainIndex | extend |
HostName | extend |
HostNameDomain | extend |