Vulnerable Machines related to OMIGOD CVE-2021-38647
| Id | 4d94d4a9-dc96-450a-9dea-4d4d4594199b |
| Rulename | Vulnerable Machines related to OMIGOD CVE-2021-38647 |
| Description | This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647). Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below). Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal |
| Severity | High |
| Tactics | InitialAccess Execution |
| Techniques | T1190 T1203 |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityNestedRecommendation/OMIGODVulnerableMachines.yaml |
| Version | 1.0.3 |
| Arm template | 4d94d4a9-dc96-450a-9dea-4d4d4594199b.json |
SecurityNestedRecommendation
| where RemediationDescription has 'CVE-2021-38647'
| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *
| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine
triggerOperator: gt
version: 1.0.3
query: |
SecurityNestedRecommendation
| where RemediationDescription has 'CVE-2021-38647'
| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *
| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine
entityMappings:
- entityType: Host
fieldMappings:
- columnName: HostCustomEntity
identifier: FullName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityNestedRecommendation/OMIGODVulnerableMachines.yaml
queryFrequency: 1d
requiredDataConnectors: []
metadata:
source:
kind: Community
author:
name: Ajeet Prakash
categories:
domains:
- Security - Threat Protection
support:
tier: Community
tags:
- OMIGOD
- CVE-2021-38647
name: Vulnerable Machines related to OMIGOD CVE-2021-38647
queryPeriod: 1d
severity: High
kind: Scheduled
tactics:
- InitialAccess
- Execution
id: 4d94d4a9-dc96-450a-9dea-4d4d4594199b
description: |
'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and
helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).
Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).
Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal'
relevantTechniques:
- T1190
- T1203
triggerThreshold: 0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4d94d4a9-dc96-450a-9dea-4d4d4594199b')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4d94d4a9-dc96-450a-9dea-4d4d4594199b')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Vulnerable Machines related to OMIGOD CVE-2021-38647",
"description": "'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \n helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal'\n",
"severity": "High",
"enabled": true,
"query": "SecurityNestedRecommendation\n| where RemediationDescription has 'CVE-2021-38647'\n| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '\"' *\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess",
"Execution"
],
"techniques": [
"T1190",
"T1203"
],
"alertRuleTemplateName": "4d94d4a9-dc96-450a-9dea-4d4d4594199b",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Host"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityNestedRecommendation/OMIGODVulnerableMachines.yaml",
"templateVersion": "1.0.3",
"tags": [
"OMIGOD",
"CVE-2021-38647"
]
}
}
]
}