What Changed

The AzureWAFmatching_log4j_vuln Analytic Rule (v1.0.5 to v1.0.6) had two broken column_ifexists fallback expressions in the KQL query targeting Azure Application Gateway and Front Door WAF logs (AzureDiagnostics).

Before (broken):

| extend details_message_s = column_ifexists("details_message_s", tostring(AdditionalFields.details_message_s))

After (fixed):

| extend details_msg_s = column_ifexists("details_msg_s", tostring(AdditionalFields.details_msg))
| extend details_message_s = column_ifexists("details_message_s", tostring(AdditionalFields.details_message))

Two distinct bugs were present:

  1. details_msg_s was never projected – the field was referenced in the where filter clause but never defined, causing null evaluation for that branch on every row.
  2. details_message_s fallback pointed to itself (AdditionalFields.details_message_s) rather than the unadorned field name (AdditionalFields.details_message), meaning the fallback never resolved correctly against AdditionalFields.

Detection Logic

  • Data source: AzureDiagnostics filtered to ResourceProvider == “MICROSOFT.NETWORK” with Category in ApplicationGatewayFirewallLog or FrontdoorWebApplicationFirewallLog
  • Core logic: Matches request URIs and WAF rule match details against a Log4j IOC watchlist; extracts the JNDI command payload via parse
  • Entity mappings: IP address (MaliciousHost)

Security Impact

Any deployment running v1.0.5 of this Analytic Rule against Azure WAF logs had two silent detection gaps:

  • Log4Shell (CVE-2021-44228) exploit strings present only in the details_msg or details_message WAF log fields were never matched – the where filter referencing these columns evaluated to false on every row due to null resolution.
  • No alerts would have been generated for WAF blocks or detections that logged payload context exclusively in those fields.

Deployments targeting the requestUri_s path only were partially covered; payloads routed through WAF match detail fields were blind spots.

MITRE Mapping

  • T1190 – Exploit Public-Facing Application (Log4Shell remote code execution via JNDI injection)

Affected Files

Solutions/Apache Log4j Vulnerability Detection/Analytic Rules/AzureWAFmatching_log4j_vuln.yaml
(packaging artefacts: 3.0.9.zip, mainTemplate.json)