Vulnerable Machines related to OMIGOD CVE-2021-38647
| Id | 4d94d4a9-dc96-450a-9dea-4d4d4594199b |
| Rulename | Vulnerable Machines related to OMIGOD CVE-2021-38647 |
| Description | This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647). Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below). Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal |
| Severity | High |
| Tactics | InitialAccess Execution |
| Techniques | T1190 T1203 |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityNestedRecommendation/OMIGODVulnerableMachines.yaml |
| Version | 1.0.3 |
| Arm template | 4d94d4a9-dc96-450a-9dea-4d4d4594199b.json |
SecurityNestedRecommendation
| where RemediationDescription has 'CVE-2021-38647'
| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *
| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine
name: Vulnerable Machines related to OMIGOD CVE-2021-38647
query: |
SecurityNestedRecommendation
| where RemediationDescription has 'CVE-2021-38647'
| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *
| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine
metadata:
source:
kind: Community
author:
name: Ajeet Prakash
categories:
domains:
- Security - Threat Protection
support:
tier: Community
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityNestedRecommendation/OMIGODVulnerableMachines.yaml
queryFrequency: 1d
triggerThreshold: 0
requiredDataConnectors: []
version: 1.0.3
queryPeriod: 1d
id: 4d94d4a9-dc96-450a-9dea-4d4d4594199b
triggerOperator: gt
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
entityType: Host
tags:
- OMIGOD
- CVE-2021-38647
relevantTechniques:
- T1190
- T1203
severity: High
description: |
'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and
helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).
Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).
Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal'
kind: Scheduled
tactics:
- InitialAccess
- Execution
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4d94d4a9-dc96-450a-9dea-4d4d4594199b')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4d94d4a9-dc96-450a-9dea-4d4d4594199b')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Vulnerable Machines related to OMIGOD CVE-2021-38647",
"description": "'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \n helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal'\n",
"severity": "High",
"enabled": true,
"query": "SecurityNestedRecommendation\n| where RemediationDescription has 'CVE-2021-38647'\n| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '\"' *\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess",
"Execution"
],
"techniques": [
"T1190",
"T1203"
],
"alertRuleTemplateName": "4d94d4a9-dc96-450a-9dea-4d4d4594199b",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
}
],
"entityType": "Host"
}
],
"tags": [
"OMIGOD",
"CVE-2021-38647"
],
"templateVersion": "1.0.3",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityNestedRecommendation/OMIGODVulnerableMachines.yaml"
}
}
]
}