Adding with changes

2022-03-31 16:38:02 -07:00 · 2022-03-31 16:38:02 -07:00 · eae3c184f0
--- a/Queries/Syslog/Apache_log4j_Vulnerability.yaml
+++ b/Queries/Syslog/Apache_log4j_Vulnerability.yaml
@ -18,26 +18,26 @@
  tags:
    - CVE-2021-44228
  query: |
-  let log4j_execve=()
-  {
-    Syslog
-    | where SyslogMessage has "AUOMS_EXECVE"
-    | where SyslogMessage has 'jndi' and SyslogMessage has_any ('ldap', 'dns', 'rmi', 'corba', 'iiop', 'nis', 'nds')
-    | parse SyslogMessage with "type=" EventType " audit(" * "): " EventData
-    | where EventType =~ "AUOMS_EXECVE"
-    | project TimeGenerated, EventType, Computer, EventData
-    | extend EventData = trim_end('containerid=',EventData)
-    | parse kind=regex EventData with * "success=" success " exit=" * "ppid=" ppid "pid=" pid
-    "audit_user=" audit_user "auid=" * "user=" user " uid=" uid " group=" * "comm=\"" comm "\" exe=\"" exe
-    "\"" * "cwd=\"" cwd "\" name=\"" name "\" (inode|nametype)=" * "(proctitle|cmdline)=" cmdline
-    | extend cmdline = trim_end('redactors=.*',cmdline)
-  };
-  log4j_execve
-    | where comm has_any ("wget","curl")
-    | where cmdline has_any ("${jndi:ldap","${jndi:dns","${jndi:rmi","${jndi:corba","${jndi:iiop","${jndi:nis", "${jndi:nds")
-    | project TimeGenerated, Computer, audit_user, user, cmdline
-    | extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated
-    | sort by TimeGenerated desc
+    let log4j_execve=()
+    {
+      Syslog
+      | where SyslogMessage has "AUOMS_EXECVE"
+      | where SyslogMessage has 'jndi' and SyslogMessage has_any ('ldap', 'dns', 'rmi', 'corba', 'iiop', 'nis', 'nds')
+      | parse SyslogMessage with "type=" EventType " audit(" * "): " EventData
+      | where EventType =~ "AUOMS_EXECVE"
+      | project TimeGenerated, EventType, Computer, EventData
+      | extend EventData = trim_end('containerid=',EventData)
+      | parse kind=regex EventData with * "success=" success " exit=" * "ppid=" ppid "pid=" pid
+      "audit_user=" audit_user "auid=" * "user=" user " uid=" uid " group=" * "comm=\"" comm "\" exe=\"" exe
+      "\"" * "cwd=\"" cwd "\" name=\"" name "\" (inode|nametype)=" * "(proctitle|cmdline)=" cmdline
+      | extend cmdline = trim_end('redactors=.*',cmdline)
+    };
+    log4j_execve
+      | where comm has_any ("wget","curl")
+      | where cmdline has_any ("${jndi:ldap","${jndi:dns","${jndi:rmi","${jndi:corba","${jndi:iiop","${jndi:nis", "${jndi:nds")
+      | project TimeGenerated, Computer, audit_user, user, cmdline
+      | extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated
+      | sort by TimeGenerated desc
  entityMappings: 
  - entityType: Host
    fieldMappings: