Microsoft Sentinel Analytic Rules

Vulnerable Machines related to OMIGOD CVE-2021-38647

Id: 4d94d4a9-dc96-450a-9dea-4d4d4594199b
Rule name: Vulnerable Machines related to OMIGOD CVE-2021-38647
Description: This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).

Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender (reference link below).

Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure

Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal

Severity: High
Tactics: InitialAccess, Execution
Techniques: T1190, T1203
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityNestedRecommendation/OMIGODVulnerableMachines.yaml
Version: 1.0.3
Arm template: 4d94d4a9-dc96-450a-9dea-4d4d4594199b.json
SecurityNestedRecommendation
| where RemediationDescription has 'CVE-2021-38647'
| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *
| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine
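The rule's KQL pipeline re-implemented in Python over constructed sample rows, as an added example that is not part of the original rule: it walks through the CVE term filter, the VM-name parse, the arg_min de-duplication, and the one edge case worth knowing, a ResourceDetails value without 'virtualMachines/' (KQL's default parse mode keeps such a row with an empty HostCustomEntity rather than dropping it). The sample rows, the row() helper, and the has_term approximation of KQL's has operator are assumptions, and the grouping key is trimmed to a subset of the rule's columns.

```python
import re

def row(ts, sub, cve, resource_id):
    """Build one constructed SecurityNestedRecommendation-like record (sample data, not telemetry)."""
    return {"TimeGenerated": ts, "TenantId": "tenant-1",
            "RecommendationSubscriptionId": sub, "VulnerabilityId": cve,
            "RemediationDescription": f"Upgrade OMI to fix {cve}",
            "ResourceDetails": '{"Id":"' + resource_id + '","Source":"Azure"}'}

VM_PREFIX = "/subscriptions/sub-a/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/"
SAMPLE_ROWS = [
    row("2021-09-16T08:00:00Z", "sub-a", "CVE-2021-38647", VM_PREFIX + "web01"),
    row("2021-09-17T08:00:00Z", "sub-a", "CVE-2021-38647", VM_PREFIX + "web01"),  # repeat, later
    row("2021-09-16T09:00:00Z", "sub-a", "CVE-2021-0000", VM_PREFIX + "db01"),    # other CVE
    # Resource id without 'virtualMachines/': the parse step yields an empty host name.
    row("2021-09-16T10:00:00Z", "sub-b", "CVE-2021-38647",
        "/subscriptions/sub-b/resourceGroups/rg2/providers/Microsoft.HybridCompute/machines/arc01"),
]

def parse_vm_name(resource_details):
    """Mimic: parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *
    KQL's default parse mode keeps a non-matching row with an empty value
    instead of dropping it, so this returns "" rather than raising."""
    m = re.search(r'virtualMachines/([^"]*)"', resource_details)
    return m.group(1) if m else ""

def has_term(text, term):
    """Approximate KQL 'has': the term must start and end on token boundaries."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text) is not None

def find_vulnerable_machines(rows, cve="CVE-2021-38647"):
    """Re-implement the rule: filter by CVE, parse the VM name, keep the earliest
    record per (tenant, subscription, VM, vulnerability), then project the entity."""
    earliest = {}
    for r in rows:
        if not has_term(r["RemediationDescription"], cve):
            continue
        vm = parse_vm_name(r["ResourceDetails"])
        key = (r["TenantId"], r["RecommendationSubscriptionId"], vm, r["VulnerabilityId"])
        if key not in earliest or r["TimeGenerated"] < earliest[key][0]:
            earliest[key] = (r["TimeGenerated"], vm)  # arg_min(TimeGenerated, *)
    return [{"Timestamp": ts, "HostCustomEntity": vm, "SubscriptionId": key[1]}
            for key, (ts, vm) in sorted(earliest.items())]

if __name__ == "__main__":
    for hit in find_vulnerable_machines(SAMPLE_ROWS):
        print(hit, "" if hit["HostCustomEntity"] else "<- empty host entity")
```

An empty HostCustomEntity leaves the rule's Host entity mapping with nothing to map, so such rows are worth catching with an extra where clause or a fallback column before they reach the entity mapping.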
name: Vulnerable Machines related to OMIGOD CVE-2021-38647
query: |
  SecurityNestedRecommendation
  | where RemediationDescription has 'CVE-2021-38647'
  | parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *
  | summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
  | extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine  
metadata:
  source:
    kind: Community
  author:
    name: Ajeet Prakash
  categories:
    domains:
    - Security - Threat Protection
  support:
    tier: Community
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityNestedRecommendation/OMIGODVulnerableMachines.yaml
queryFrequency: 1d
triggerThreshold: 0
requiredDataConnectors: []
version: 1.0.3
queryPeriod: 1d
id: 4d94d4a9-dc96-450a-9dea-4d4d4594199b
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
  entityType: Host
tags:
- OMIGOD
- CVE-2021-38647
relevantTechniques:
- T1190
- T1203
severity: High
description: |
  'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and 
   helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).
   Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender (reference link below).
   Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
   Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal'  
kind: Scheduled
tactics:
- InitialAccess
- Execution
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4d94d4a9-dc96-450a-9dea-4d4d4594199b')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4d94d4a9-dc96-450a-9dea-4d4d4594199b')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Vulnerable Machines related to OMIGOD CVE-2021-38647",
        "description": "'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \n helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender (reference link below).\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal'\n",
        "severity": "High",
        "enabled": true,
        "query": "SecurityNestedRecommendation\n| where RemediationDescription has 'CVE-2021-38647'\n| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '\"' *\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Execution"
        ],
        "techniques": [
          "T1190",
          "T1203"
        ],
        "alertRuleTemplateName": "4d94d4a9-dc96-450a-9dea-4d4d4594199b",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "HostCustomEntity"
              }
            ],
            "entityType": "Host"
          }
        ],
        "tags": [
          "OMIGOD",
          "CVE-2021-38647"
        ],
        "templateVersion": "1.0.3",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityNestedRecommendation/OMIGODVulnerableMachines.yaml"
      }
    }
  ]
}