What Changed
The AzureWAFmatching_log4j_vuln Analytic Rule (v1.0.5 to v1.0.6) had two broken column_ifexists fallback expressions in the KQL query targeting Azure Application Gateway and Front Door WAF logs (AzureDiagnostics).
Before (broken):
| extend details_message_s = column_ifexists("details_message_s", tostring(AdditionalFields.details_message_s))
After (fixed):
| extend details_msg_s = column_ifexists("details_msg_s", tostring(AdditionalFields.details_msg))
| extend details_message_s = column_ifexists("details_message_s", tostring(AdditionalFields.details_message))
Two distinct bugs were present:
- details_msg_s was never projected – the field was referenced in the where filter clause but never defined, causing null evaluation for that branch on every row.
- details_message_s fallback pointed to itself (AdditionalFields.details_message_s) rather than the unadorned field name (AdditionalFields.details_message), meaning the fallback never resolved correctly against AdditionalFields.
Detection Logic
- Data source: AzureDiagnostics filtered to ResourceProvider == “MICROSOFT.NETWORK” with Category in ApplicationGatewayFirewallLog or FrontdoorWebApplicationFirewallLog
- Core logic: Matches request URIs and WAF rule match details against a Log4j IOC watchlist; extracts the JNDI command payload via parse
- Entity mappings: IP address (MaliciousHost)
Security Impact
Any deployment running v1.0.5 of this Analytic Rule against Azure WAF logs had two silent detection gaps:
- Log4Shell (CVE-2021-44228) exploit strings present only in the details_msg or details_message WAF log fields were never matched – the where filter referencing these columns evaluated to false on every row due to null resolution.
- No alerts would have been generated for WAF blocks or detections that logged payload context exclusively in those fields.
Deployments targeting the requestUri_s path only were partially covered; payloads routed through WAF match detail fields were blind spots.
MITRE Mapping
- T1190 – Exploit Public-Facing Application (Log4Shell remote code execution via JNDI injection)
Affected Files
Solutions/Apache Log4j Vulnerability Detection/Analytic Rules/AzureWAFmatching_log4j_vuln.yaml
(packaging artefacts: 3.0.9.zip, mainTemplate.json)