Which SIEM platforms have a CVE-2024-21887 detection rule?

df00tech provides CVE-2024-21887 (Ivanti Connect Secure Authenticated Command Injection (CVE-2024-21887)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Ivanti Connect Secure Authenticated Command Injection (CVE-2024-21887) (CVE-2024-21887)?

Detecting Ivanti Connect Secure Authenticated Command Injection (CVE-2024-21887) requires the following data sources: CommonSecurityLog, W3CIISLog, AzureDiagnostics, Syslog.

What severity and confidence is the CVE-2024-21887 detection?

The CVE-2024-21887 detection is rated critical severity with high confidence.

What are common false positives for CVE-2024-21887?

Common false positives for CVE-2024-21887 include: Legitimate administrative API calls to Ivanti management endpoints during maintenance windows; Automated vulnerability scanners performing routine scans against the appliance; Penetration testing or red team exercises targeting the Ivanti infrastructure.

CVE-2024-21887: Ivanti Connect Secure Authenticated Command Injection — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let ivanti_paths = dynamic(['/api/v1/totp/user-backup-code/', '/api/v1/system/maintenance/archiving/cloud-server-test-connection', '/api/v1/configuration/users/user-roles/user-role/', '/api/v1/license/keys-status/']);
let suspicious_methods = dynamic(['POST', 'PUT', 'GET']);
union CommonSecurityLog, W3CIISLog, AzureDiagnostics
| where TimeGenerated >= ago(7d)
| where DeviceProduct has_any ('Ivanti', 'Pulse Secure', 'PCS') or csUriStem has_any ('/dana-ws/', '/dana-admin/', '/dana/', '/api/v1/')
| where (
    (csUriStem matches regex @'/api/v1/[a-z\-/]+' and csMethod in (suspicious_methods)) or
    (csUriStem has '/totp/user-backup-code') or
    (csUriStem has 'archiving/cloud-server-test-connection') or
    (csUriStem has 'maintenance')
  )
| extend RequestPath = coalesce(csUriStem, RequestUri, Column7)
| extend SourceIP = coalesce(cIP, c_ip, CallerIpAddress, SourceIP)
| extend ResponseCode = coalesce(sc_status, csStatus, toint(ResultCode))
| extend CommandInjectionIndicators = case(
    RequestPath matches regex @'[;|&`$(){}\[\]]', 'Shell metacharacters in path',
    RequestPath matches regex @'%3[Bb2Cc7c8Ee]', 'URL-encoded shell metacharacters',
    RequestPath has_any('wget', 'curl', 'bash', 'sh', 'python', 'perl', 'nc', 'ncat', 'chmod', 'base64'), 'Command in path',
    ''
  )
| where ResponseCode in (200, 201, 204) or isnotempty(CommandInjectionIndicators)
| project TimeGenerated, SourceIP, RequestPath, ResponseCode, CommandInjectionIndicators, csUserAgent, DeviceProduct
| order by TimeGenerated desc

Detects exploitation of CVE-2024-21887 by monitoring Ivanti Connect Secure and Policy Secure appliance API endpoints for authenticated command injection patterns. Looks for suspicious API path access, shell metacharacters, encoded payloads, and known vulnerable endpoint patterns in web logs.

critical severity high confidence

Data Sources

CommonSecurityLog W3CIISLog AzureDiagnostics Syslog

Required Tables

CommonSecurityLog W3CIISLog AzureDiagnostics

False Positives

Legitimate administrative API calls to Ivanti management endpoints during maintenance windows
Automated vulnerability scanners performing routine scans against the appliance
Penetration testing or red team exercises targeting the Ivanti infrastructure
Health monitoring tools polling Ivanti API status endpoints

Splunk

spl

index=proxy OR index=network OR index=web sourcetype=access_combined OR sourcetype=cisco:asa OR sourcetype=pan:traffic OR sourcetype=ivanti:ics
| eval dest_host=coalesce(dest_host, host, cs_host)
| eval uri=coalesce(uri, cs_uri_stem, uri_path)
| eval src_ip=coalesce(src_ip, c_ip, src)
| eval http_method=coalesce(http_method, cs_method, method)
| eval status=coalesce(status, sc_status, http_status_code)
| where (uri LIKE "/api/v1/%" OR uri LIKE "/dana-ws/%" OR uri LIKE "/dana-admin/%")
| eval injection_indicators=case(
    match(uri, "[;|&`\$()\{\}\[\]]"), "shell_metachar_in_uri",
    match(uri, "%3[Bb2Cc7c8Ee]"), "url_encoded_shell_metachar",
    match(lower(uri), "(wget|curl|bash|python|perl|ncat|chmod|base64|mkfifo)"), "command_in_uri",
    match(lower(uri), "(totp/user-backup-code|archiving/cloud-server-test|maintenance/reset)"), "known_vuln_endpoint",
    1=1, "none"
  )
| where injection_indicators!="none" OR (http_method IN ("POST","PUT") AND uri LIKE "/api/v1/%" AND status IN ("200","201","204"))
| eval chain_bypass=if(match(uri, "(dana-na|dana-ws|saml|license)"), "possible_auth_bypass_chain", "direct_authenticated")
| stats count min(_time) as first_seen max(_time) as last_seen values(uri) as uris values(status) as statuses values(injection_indicators) as indicators by src_ip dest_host chain_bypass
| where count >= 1
| sort - count

Splunk detection for CVE-2024-21887 command injection against Ivanti Connect Secure and Policy Secure API endpoints. Correlates requests to vulnerable API paths with command injection indicators and identifies potential chaining with CVE-2023-46805 authentication bypass.

critical severity high confidence

Data Sources

Ivanti Connect Secure logs Web Access Logs Firewall Traffic Logs Proxy Logs

Required Sourcetypes

access_combined cisco:asa pan:traffic ivanti:ics

False Positives

Legitimate administrative API calls from known management IP ranges
Automated compliance scanning tools targeting Ivanti endpoints
Penetration testing activities with prior authorization
Ivanti internal health-check mechanisms accessing maintenance endpoints

Elastic Security (EQL)

eql

sequence by source.ip with maxspan=5m
  [network where event.category == "network" and network.direction == "inbound"
   and (url.path like "/dana-na/*" or url.path like "/dana-ws/*" or url.path like "/api/v1/*")
   and (http.response.status_code == 200 or http.response.status_code == 302)
   and not source.ip like "10.*" and not source.ip like "192.168.*"]
  [network where event.category == "network" and network.direction == "inbound"
   and url.path like "/api/v1/*"
   and (
     url.path like "*totp/user-backup-code*" or
     url.path like "*archiving/cloud-server-test*" or
     url.path like "*maintenance*" or
     url.query like "*%3B*" or url.query like "*%7C*" or url.query like "*%60*"
   )
   and http.response.status_code in (200, 201, 204)]

Elastic EQL sequence detection for CVE-2024-21887 chained with CVE-2023-46805. Identifies authentication bypass followed by command injection against known vulnerable Ivanti API endpoints within a 5-minute window from the same source IP.

critical severity high confidence

Data Sources

packetbeat filebeat-apache network-traffic

Required Tables

logs-* packetbeat-*

False Positives

Legitimate multi-step API workflows from authorized administrator IPs
Internal monitoring systems that poll Ivanti appliance status endpoints
Load balancer health checks that traverse multiple Ivanti endpoints sequentially
Authorized penetration tests generating sequential API requests

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  URL,
  "HTTP Method" AS http_method,
  "HTTP Response Code" AS response_code,
  CASE
    WHEN URL LIKE '%totp/user-backup-code%' THEN 'CVE-2024-21887 Known Vulnerable Endpoint'
    WHEN URL LIKE '%archiving/cloud-server-test%' THEN 'CVE-2024-21887 Known Vulnerable Endpoint'
    WHEN URL MATCHES REGEX '.*[;|&`\$()\{\}].*' THEN 'Shell Metacharacters Detected'
    WHEN URL MATCHES REGEX '.*(wget|curl|bash|python|chmod|mkfifo).*' THEN 'Command Execution Attempt'
    WHEN URL MATCHES REGEX '.*%3[Bb].*|.*%7[Cc].*|.*%60.*' THEN 'URL Encoded Shell Metachar'
    ELSE 'Suspicious API Access'
  END AS threat_indicator,
  username
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Apache HTTP Server', 'Nginx', 'F5 BIG-IP', 'Palo Alto Networks Firewall')
  AND (
    URL LIKE '/api/v1/%'
    OR URL LIKE '/dana-ws/%'
    OR URL LIKE '/dana-admin/%'
    OR URL LIKE '/dana-na/%'
  )
  AND (
    URL LIKE '%totp/user-backup-code%'
    OR URL LIKE '%archiving/cloud-server-test%'
    OR URL LIKE '%maintenance%'
    OR URL MATCHES REGEX '.*[;|&`\$()\{\}\[\]].*'
    OR URL MATCHES REGEX '.*%3[Bb2Cc7c8Ee].*'
    OR "HTTP Response Code" IN (200, 201, 204)
  )
  AND STARTTIME > NOW() - 7 DAYS
ORDER BY starttime DESC
LIMIT 1000

QRadar AQL query to detect CVE-2024-21887 exploitation attempts against Ivanti Connect Secure appliances by analyzing HTTP access logs for known vulnerable API paths and command injection indicators.

critical severity medium confidence

Data Sources

Apache HTTP Server Nginx F5 BIG-IP Palo Alto Firewall

Required Tables

events

False Positives

Authorized administrative access to Ivanti API endpoints from known management subnets
Vulnerability scanning tools performing scheduled assessments
Ivanti-native automation scripts accessing maintenance API endpoints
Security monitoring tools that query API endpoints for baseline health data

Sumo Logic CSE

sql

_sourceCategory=network/proxy OR _sourceCategory=web/access
| parse regex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) .* \"(?<method>[A-Z]+) (?<uri>[^ ]+) HTTP/[\d\.]+\" (?<status>\d{3})"
| where uri matches "/api/v1/*" or uri matches "/dana-ws/*" or uri matches "/dana-admin/*" or uri matches "/dana-na/*"
| eval injection_flag = if(uri matches "*totp/user-backup-code*", "known_vuln_endpoint",
    if(uri matches "*archiving/cloud-server-test*", "known_vuln_endpoint",
    if(uri matches "*%3B*" or uri matches "*%7C*" or uri matches "*%60*", "url_encoded_injection",
    if(uri matches "*wget*" or uri matches "*curl*" or uri matches "*bash*" or uri matches "*chmod*", "cmd_in_uri", "suspicious_api"))))
| where injection_flag != "suspicious_api" or (method in ("POST", "PUT") and status in ("200", "201", "204"))
| count as request_count by src_ip, uri, method, status, injection_flag
| where request_count >= 1
| sort by request_count desc

Sumo Logic query detecting CVE-2024-21887 exploitation by parsing web access logs for requests to known vulnerable Ivanti API endpoints, URL-encoded shell metacharacters, and command injection strings in URI paths.

critical severity medium confidence

Data Sources

Web Access Logs Proxy Logs Network Logs

Required Tables

_sourceCategory=network/proxy _sourceCategory=web/access

False Positives

Legitimate management API calls from authorized Ivanti administrator accounts
Internal health monitoring agents polling API endpoints
Scheduled automation scripts that interact with Ivanti maintenance APIs
Red team or penetration testing activities during authorized assessment windows

Google Chronicle / SecOps

yaral

rule ivanti_cve_2024_21887_command_injection {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2024-21887 authenticated command injection against Ivanti Connect Secure and Policy Secure"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2024-21887"

  events:
    $req.metadata.event_type = "NETWORK_HTTP"
    $req.network.http.method = /POST|PUT|GET/
    (
      $req.network.http.request_url = /\/api\/v1\/totp\/user-backup-code/ or
      $req.network.http.request_url = /\/api\/v1\/.*archiving.*cloud-server-test/ or
      $req.network.http.request_url = /\/api\/v1\/.*maintenance/ or
      $req.network.http.request_url = /[;|&`\$(){}\[\]]/ or
      $req.network.http.request_url = /%(3[Bb]|7[Cc]|60)/ or
      $req.network.http.request_url = /(wget|curl|bash|python|chmod|mkfifo|base64)/
    )
    $req.network.http.response_code = /200|201|204/
    $req.principal.ip != ""

  condition:
    $req
}

Chronicle YARA-L rule detecting CVE-2024-21887 command injection attempts against Ivanti Connect Secure and Policy Secure appliances by matching known vulnerable API paths and injection payload patterns in HTTP requests.

critical severity high confidence

Data Sources

Chronicle HTTP Logs Network Telemetry Proxy Logs

Required Tables

NETWORK_HTTP

False Positives

Authorized API calls from known Ivanti administrator IP ranges
Security scanning tools performing vulnerability assessments
Ivanti support access sessions touching maintenance API endpoints
Automated orchestration tools interacting with Ivanti APIs for legitimate operations

CrowdStrike LogScale (CQL)

cql

#event_simpleName=NetworkConnectIP4 OR #event_simpleName=HttpRequest
| $falcon.metadata.eventType = ["HttpRequest", "NetworkConnectIP4"]
| filter(
    HttpPath = /\/api\/v1\/(totp\/user-backup-code|.*archiving.*cloud-server-test|.*maintenance|configuration\/users)/ or
    HttpPath = /[;|&`\$(){}\[\]]/ or
    HttpPath = /%(3[Bb]|7[Cc]|60|2[Ee]2[Ee])/ or
    HttpPath = /(wget|curl|bash|python3?|perl|ncat|mkfifo|chmod)[^a-zA-Z]/
  )
| HttpResponseCode in [200, 201, 204]
| groupby([RemoteAddressIP4, HttpPath, HttpMethod, HttpResponseCode, aid, ComputerName])
| rename RemoteAddressIP4 as src_ip, ComputerName as endpoint_hostname
| sort(field=_count, order=desc)

CrowdStrike Falcon Next-Gen SIEM query detecting CVE-2024-21887 exploitation by correlating HTTP requests to vulnerable Ivanti API paths with command injection payload patterns and successful HTTP response codes on monitored endpoints.

critical severity medium confidence

Data Sources

Falcon Sensor Network Events HttpRequest Events

Required Tables

HttpRequest NetworkConnectIP4

False Positives

Legitimate Ivanti API interactions from authorized management workstations with Falcon sensor
Vulnerability scanning or patch management tools monitored by Falcon
Ivanti-native maintenance scripts running on managed hosts
Authorized red team exercises with Falcon sensor deployed on target appliances

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2024-21887 Ivanti Connect Secure Authenticated Command Injection (CVE-2024-21887)?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2024-21887

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox