Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. OMI Vulnerability Exploitation

OMI Vulnerability Exploitation

Back
Id3cc5ccd8-b416-4141-bb2d-4eba370e37a5
RulenameOMI Vulnerability Exploitation
DescriptionFollowing the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in the Open Management Infrastructure (OMI) Framework.

This detection validates that any OMS-agent that is reporting to the Microsoft Sentinel workspace is updated with the patch. The detection will go over the heartbeats received from all agents over the last day and will create alert for those agents who are not updated.
SeverityMedium
TacticsInitialAccess
TechniquesT1190
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/OMI_vulnerability_detection.yaml
Version1.1.5
Arm template3cc5ccd8-b416-4141-bb2d-4eba370e37a5.json
Deploy To Azure
let OMIVulnerabilityPatchVersion = "OMIVulnerabilityPatchVersion:1.13.40-0";
Heartbeat
| where Category == "Direct Agent"
| summarize arg_max(TimeGenerated,*) by Computer
| parse strcat("Version:" , Version) with * "Version:" Major:long "."
Minor:long "." Patch:long "-" *
| parse OMIVulnerabilityPatchVersion with * "OMIVulnerabilityPatchVersion:"
OMIVersionMajor:long "." OMIVersionMinor:long "." OMIVersionPatch:long "-" *
| where Major <OMIVersionMajor or (Major==OMIVersionMajor and Minor
<OMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and
Patch<OMIVersionPatch) 
| project Version, Major,Minor,Patch,
Computer,ComputerIP,OSType,OSName,ResourceId

triggerOperator: gt
triggerThreshold: 0
name: OMI Vulnerability Exploitation
metadata:
  support:
    tier: Community
  categories:
    domains:
    - Security - Vulnerability Management
  source:
    kind: Community
  author:
    name: Ron Marsiano
queryPeriod: 1d
severity: Medium
tags:
- OMIGOD
- CVE-2021-38647
kind: Scheduled
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: Computer
    identifier: HostName
- entityType: AzureResource
  fieldMappings:
  - columnName: ResourceId
    identifier: ResourceId
queryFrequency: 1d
relevantTechniques:
- T1190
requiredDataConnectors: []
customDetails:
  OSType: OSType
  OSName: OSName
  HostIp: ComputerIP
description: |
  Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in the Open Management Infrastructure (OMI) Framework.
  This detection validates that any OMS-agent that is reporting to the Microsoft Sentinel workspace is updated with the patch. The detection will go over the heartbeats received from all agents over the last day and will create alert for those agents who are not updated.  
tactics:
- InitialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/OMI_vulnerability_detection.yaml
query: |
  let OMIVulnerabilityPatchVersion = "OMIVulnerabilityPatchVersion:1.13.40-0";
  Heartbeat
  | where Category == "Direct Agent"
  | summarize arg_max(TimeGenerated,*) by Computer
  | parse strcat("Version:" , Version) with * "Version:" Major:long "."
  Minor:long "." Patch:long "-" *
  | parse OMIVulnerabilityPatchVersion with * "OMIVulnerabilityPatchVersion:"
  OMIVersionMajor:long "." OMIVersionMinor:long "." OMIVersionPatch:long "-" *
  | where Major <OMIVersionMajor or (Major==OMIVersionMajor and Minor
  <OMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and
  Patch<OMIVersionPatch) 
  | project Version, Major,Minor,Patch,
  Computer,ComputerIP,OSType,OSName,ResourceId  
id: 3cc5ccd8-b416-4141-bb2d-4eba370e37a5
version: 1.1.5

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3cc5ccd8-b416-4141-bb2d-4eba370e37a5')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3cc5ccd8-b416-4141-bb2d-4eba370e37a5')]",
      "properties": {
        "alertRuleTemplateName": "3cc5ccd8-b416-4141-bb2d-4eba370e37a5",
        "customDetails": {
          "HostIp": "ComputerIP",
          "OSName": "OSName",
          "OSType": "OSType"
        },
        "description": "Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in the Open Management Infrastructure (OMI) Framework.\nThis detection validates that any OMS-agent that is reporting to the Microsoft Sentinel workspace is updated with the patch. The detection will go over the heartbeats received from all agents over the last day and will create alert for those agents who are not updated.\n",
        "displayName": "OMI Vulnerability Exploitation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "columnName": "ResourceId",
                "identifier": "ResourceId"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/OMI_vulnerability_detection.yaml",
        "query": "let OMIVulnerabilityPatchVersion = \"OMIVulnerabilityPatchVersion:1.13.40-0\";\nHeartbeat\n| where Category == \"Direct Agent\"\n| summarize arg_max(TimeGenerated,*) by Computer\n| parse strcat(\"Version:\" , Version) with * \"Version:\" Major:long \".\"\nMinor:long \".\" Patch:long \"-\" *\n| parse OMIVulnerabilityPatchVersion with * \"OMIVulnerabilityPatchVersion:\"\nOMIVersionMajor:long \".\" OMIVersionMinor:long \".\" OMIVersionPatch:long \"-\" *\n| where Major <OMIVersionMajor or (Major==OMIVersionMajor and Minor\n<OMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\nPatch<OMIVersionPatch) \n| project Version, Major,Minor,Patch,\nComputer,ComputerIP,OSType,OSName,ResourceId\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "tags": [
          "OMIGOD",
          "CVE-2021-38647"
        ],
        "techniques": [
          "T1190"
        ],
        "templateVersion": "1.1.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}