ThreatPulse — April 19, 2026 | 0 threats, personalised for you
Personalised for Ethan Andrews | Detection Engineer | Detection: KQL
CVE-2026-4447 (NetVanguard-cmd) is a high-severity vulnerability (CVSS 8.8) affecting multiple platforms including Windows, Docker, and cloud services. Detection should focus on exploitation attempts targeting vulnerable NetVanguard components and command execution patterns.
Detection Query (KQL)
let lookback = 7d;
// Filter time inside each leg: after the union a row carries either Timestamp or TimeGenerated, never both,
// so a trailing "where Timestamp > ago() or TimeGenerated > ago()" lets every leg scan its full retention window.
union
  (DeviceProcessEvents
   | where Timestamp > ago(lookback)
   | where ProcessCommandLine contains "netvanguard" or ProcessCommandLine contains "CVE-2026-4447" or InitiatingProcessCommandLine contains "netvanguard"
   | project TimeGenerated = Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, AccountName),
  (SecurityEvent
   | where TimeGenerated > ago(lookback)
   | where EventID == 4688 and (CommandLine contains "netvanguard" or CommandLine contains "CVE-2026-4447")
   | project TimeGenerated, Computer, CommandLine, ParentProcessName, Account),
  (CommonSecurityLog
   | where TimeGenerated > ago(lookback)
   | where Activity contains "netvanguard" or RequestURL contains "CVE-2026-4447" or Message contains "netvanguard"
   | project TimeGenerated, DeviceName, Activity, RequestURL, SourceIP)
| order by TimeGenerated desc
Detection Logic
Monitor for process creation events and command-line execution containing 'netvanguard' or CVE-2026-4447 references across Windows security logs, device process events, and network security logs. Correlate suspicious command execution with known exploitation patterns and unusual parent-child process relationships.
Affected Products: Windows, Docker, Azure, Office365, Chrome, Cisco, VMware, Python
ATT&CK Techniques: T1190, T1059, T1203
False Positive Notes: Legitimate NetVanguard administrative tools and updates may trigger alerts; whitelist known administrative accounts and scheduled maintenance windows. Filter out benign references in logs, documentation, or security scanning tools that may mention the CVE identifier.
CVE-2025-61882 (NetVanguard-cmd) is a critical vulnerability with a CVSS score of 9.8 affecting multiple platforms including Windows, Azure, and Docker environments. Detection should focus on identifying exploitation attempts through command execution patterns and suspicious process activity associated with vulnerable NetVanguard components.
Detection Query (KQL)
let lookback = 7d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where ProcessCommandLine contains "netvanguard" or ProcessCommandLine contains "netguard"
// The parent image is InitiatingProcessFileName; DeviceProcessEvents has no InitiatingProcessName column.
| where InitiatingProcessFileName !in~ ("explorer.exe", "svchost.exe")
| project TimeGenerated = Timestamp, DeviceName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, AccountName
| union (SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4688 and (CommandLine contains "netvanguard" or CommandLine contains "netguard")
    | project TimeGenerated, Computer, NewProcessId, CommandLine, ParentProcessName, SubjectUserName)
Detection Logic
Monitor for process creation events containing NetVanguard-cmd references in command lines, focusing on suspicious parent processes and execution contexts. Cross-reference Windows Security Event logs (EventID 4688) and Microsoft Defender for Endpoint process events to identify exploitation attempts. Alert on any execution from non-standard locations or by unexpected service accounts.
Affected Products: Windows, Azure, Docker, VMware, Cisco, Chrome, Python, Office365
ATT&CK Techniques: T1059.001, T1190, T1203
False Positive Notes: Legitimate NetVanguard administrative tools may trigger alerts; whitelist known administrative accounts and scheduled maintenance windows. Filter out expected system processes and legitimate security software. Tune based on organizational baseline of NetVanguard usage patterns. Consider excluding events from approved administrative workstations and change management systems.
CVE-2026-6560 is a critical remote buffer overflow vulnerability in H3C Magic B0 devices affecting the Edit_BasicSSID function in /goform/aspForm, with a CVSS score of 8.8. Detection should focus on identifying exploitation attempts targeting H3C devices through malicious web requests and subsequent process execution or network anomalies.
Detection Query (KQL)
let timeframe = 7d;
let h3c_indicators = dynamic(['Edit_BasicSSID', 'aspForm', 'goform']);
// ActionType exists only in the Device* tables, so its filter belongs inside those legs;
// applied after the union it evaluates against null on every SecurityEvent row.
union
  (DeviceNetworkEvents
   | where Timestamp > ago(timeframe)
   // RemoteUrl from the endpoint sensor usually holds only the host or FQDN; the /goform/aspForm path is
   // more likely to surface in proxy or WAF logs (CommonSecurityLog RequestURL).
   | where RemoteUrl has_any (h3c_indicators) or InitiatingProcessCommandLine has_any (h3c_indicators)
   | where ActionType != 'NetworkConnectionTerminated'
   | project TimeGenerated = Timestamp, DeviceId, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType),
  (DeviceProcessEvents
   | where Timestamp > ago(timeframe)
   | where ProcessCommandLine has_any (h3c_indicators) or FolderPath has_any (h3c_indicators)
   | where ActionType != 'ProcessTerminated'
   | project TimeGenerated = Timestamp, DeviceId, DeviceName, ProcessCommandLine, ProcessId, FileName, FolderPath, AccountName, ActionType),
  (SecurityEvent
   | where TimeGenerated > ago(timeframe)
   | where Activity has_any (h3c_indicators) or CommandLine has_any (h3c_indicators)
   | project TimeGenerated, Computer, Activity, CommandLine, Account, EventID)
| take 1000
Detection Logic
Monitor for HTTP requests containing Edit_BasicSSID, aspForm, or goform path indicators targeting H3C devices. Correlate with subsequent suspicious process creation, command execution, or unexpected network connections from affected devices. Focus on remote connection attempts to H3C management interfaces and buffer overflow exploitation patterns in request payloads.
Affected Products: H3C Magic B0, H3C Magic B0 100R002
ATT&CK Techniques: T1190, T1133, T1071
False Positive Notes: Legitimate H3C device management traffic and administrative configuration changes may trigger alerts; whitelist known H3C management IPs and scheduled maintenance windows. Filter out normal device firmware update processes and authenticated administrative sessions. Exclude internal network scanning and vulnerability assessment tools that may probe H3C devices.
CVE-2026-3055 is a critical vulnerability (CVSS 9.8) affecting NetVanguard-cmd with high exploitation probability (EPSS 55.7%). Detection should focus on identifying exploitation attempts and suspicious command execution patterns associated with this vulnerability.
Detection Query (KQL)
let lookback = 7d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where ProcessCommandLine contains "netvanguard" or ProcessCommandLine matches regex @"(?i)(netvanguard|cve.?2026.?3055)"
// The parent image is InitiatingProcessFileName; there is no InitiatingProcessName column.
| where InitiatingProcessFileName !in~ ("explorer.exe", "svchost.exe")
| project TimeGenerated = Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId
| union (SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4688 and CommandLine contains "netvanguard"
    | project TimeGenerated, Computer, Account, CommandLine, ParentProcessName)
| union (CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where Activity contains "NetVanguard" or RequestURL contains "netvanguard"
    | project TimeGenerated, SourceIP, DestinationIP, Activity, RequestURL)
Detection Logic
Monitor for process creation events containing 'netvanguard' or CVE-2026-3055 references in command lines, excluding legitimate system processes. Cross-correlate with network logs for suspicious communication patterns and web requests related to the vulnerability.
Affected Products: NetVanguard-cmd, Windows, Azure, Office365
ATT&CK Techniques: T1190, T1059
False Positive Notes: Legitimate NetVanguard administrative tools and updates may trigger alerts; whitelist known administrative accounts and scheduled maintenance windows. Filter out benign security scanning tools that may reference CVE identifiers in logs.
Apache ActiveMQ Classic is experiencing active exploitation of CVE-2026-34197, a high-severity remote code execution vulnerability (CVSS 8.8) that has been added to CISA's Known Exploited Vulnerabilities catalog. Detection should focus on identifying exploitation attempts targeting ActiveMQ services and suspicious process execution patterns associated with successful compromise.
Detection Query (KQL)
let lookback = 7d;
let ActiveMQPorts = dynamic([61616, 5672, 8161]);
let JavaParents = dynamic(['java.exe', 'java']);
let ShellChildren = dynamic(['cmd.exe', 'powershell.exe', 'bash', 'sh', 'python.exe']);
// Hosts seen on an ActiveMQ port from either side: LocalPort catches the broker's own inbound connections,
// RemotePort catches clients. Keyed on RemotePort alone, the broker host itself never appears.
let HostsOnActiveMQPorts = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemotePort in (ActiveMQPorts) or LocalPort in (ActiveMQPorts)
    | distinct DeviceId;
union
  (CommonSecurityLog
   | where TimeGenerated > ago(lookback)
   // Parentheses matter: KQL parses "A and B or C" as "(A and B) or C", which would drop the port constraint.
   | where DestinationPort in (ActiveMQPorts) and (Activity contains 'CVE-2026-34197' or RequestURL contains 'activemq')
   | project TimeGenerated, SourceIP, DestinationIP, DestinationPort, Activity, RequestURL),
  (DeviceProcessEvents
   | where Timestamp > ago(lookback)
   // DeviceProcessEvents names the child FileName and the parent InitiatingProcessFileName.
   | where InitiatingProcessFileName in~ (JavaParents) and FileName in~ (ShellChildren)
   | where DeviceId in (HostsOnActiveMQPorts)
   | project TimeGenerated = Timestamp, DeviceId, DeviceName, FileName, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessCommandLine, AccountName)
Detection Logic
Monitor network traffic to known ActiveMQ ports (61616, 5672, 8161) for exploitation attempts and correlate with suspicious child process execution (cmd.exe, powershell.exe, bash, python) spawned from Java processes or ActiveMQ services, indicating successful code execution post-exploitation.
Affected Products: Apache ActiveMQ Classic
ATT&CK Techniques: T1190, T1203, T1059
False Positive Notes: Legitimate ActiveMQ administrative tools and monitoring solutions may trigger alerts; whitelist known management IPs and scheduled maintenance windows. Filter out expected Java subprocess spawning for normal ActiveMQ operations. Tune based on baseline process execution patterns in your environment.
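The correlation the ActiveMQ entry describes, a Java parent spawning a shell on a host that talks on an ActiveMQ port, as an added Python example that is not part of the ThreatPulse digest. The event classes, field names and sample events are constructed for the illustration; it matches hosts on the broker's local port as well as a client's remote port, so the broker itself is in scope.

```python
from dataclasses import dataclass

# Constants mirror the KQL lists; the names are this example's own.
ACTIVEMQ_PORTS = {61616, 5672, 8161}
JAVA_PARENTS = {"java.exe", "java", "activemq"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "python.exe", "python3"}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (constructed schema, not the sensor's)."""
    device_id: str
    parent: str
    child: str
    command_line: str


@dataclass(frozen=True)
class NetworkEvent:
    """One connection record; local_port is the listening side on inbound connections."""
    device_id: str
    local_port: int
    remote_port: int


def hosts_on_activemq_ports(net_events):
    """Devices seen on an ActiveMQ port from either side of the connection.

    LocalPort catches the broker itself (inbound 61616/5672/8161), RemotePort catches
    clients; a rule keyed on RemotePort alone never sees the broker host.
    """
    return {e.device_id for e in net_events
            if e.local_port in ACTIVEMQ_PORTS or e.remote_port in ACTIVEMQ_PORTS}


def suspicious_shell_spawns(proc_events, net_events):
    """Shell or interpreter children of a Java parent, on hosts that talk ActiveMQ."""
    hosts = hosts_on_activemq_ports(net_events)
    return [e for e in proc_events
            if e.parent.lower() in JAVA_PARENTS
            and e.child.lower() in SHELL_CHILDREN
            and e.device_id in hosts]


# Constructed sample telemetry (not real events).
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("broker-01", "java", "sh", "sh -c id"),                  # java -> shell on the broker
    ProcessEvent("broker-01", "java", "java", "java -jar activemq.jar"),  # java -> java: benign restart
    ProcessEvent("dev-02", "java", "bash", "bash build.sh"),              # java -> shell, host never on ActiveMQ ports
    ProcessEvent("ws-03", "explorer.exe", "cmd.exe", "cmd.exe /c dir"),   # shell under a non-Java parent
]
SAMPLE_NETWORK_EVENTS = [
    NetworkEvent("broker-01", local_port=61616, remote_port=51234),  # inbound to the broker
    NetworkEvent("ws-03", local_port=49321, remote_port=8161),       # client to the web console
]

if __name__ == "__main__":
    for hit in suspicious_shell_spawns(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS):
        print(f"{hit.device_id}: {hit.parent} -> {hit.child} ({hit.command_line})")
```

Only the broker host's `java -> sh` record survives: the Java-to-Java restart fails the child check, the build host has no ActiveMQ traffic, and the workstation's shell has the wrong parent. The same three conditions are what the FP notes above ask you to tune.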
CVE-2026-27597 is a critical vulnerability (CVSS 10.0) affecting NetVanguard-cmd with high exploit likelihood (EPSS 0.7%). Detection should focus on identifying exploitation attempts and suspicious command execution patterns associated with this vulnerability.
Detection Query (KQL)
let suspiciousProcesses = dynamic(['cmd.exe', 'powershell.exe', 'pwsh.exe']);
let suspiciousPatterns = dynamic(['netvanguard', 'cve-2026-27597', 'cve202627597']);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any (suspiciousPatterns) or (FileName in~ (suspiciousProcesses) and ProcessCommandLine contains_cs 'netvanguard')
| where InitiatingProcessFileName !in~ ('explorer.exe', 'svchost.exe')
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, ProcessId, InitiatingProcessId
Detection Logic
Monitor for process creation events containing CVE-2026-27597 or NetVanguard-cmd references in command lines. Flag suspicious command interpreters (cmd.exe, powershell.exe) executing with these indicators, excluding legitimate system processes. Cross-reference with network indicators and file modifications for confirmation.
Affected Products: Windows, Docker, VMware, Cisco, Azure, Office365, Chrome, Python
ATT&CK Techniques: T1190, T1059
False Positive Notes: Legitimate administrative tools, security software, and development environments using 'cmd' or 'powershell' in normal operations may trigger alerts. Filter by known legitimate parent processes and exclude scheduled maintenance windows. Tune based on organizational baseline of command-line usage patterns.
CVE-2025-55315 (NetVanguard-cmd) is a critical vulnerability with a CVSS score of 9.9 that affects multiple platforms including Windows, Azure, and Docker environments. Detection should focus on identifying exploitation attempts through command execution patterns and unusual process behavior associated with vulnerable NetVanguard components.
Detection Query (KQL)
let lookback = 7d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where ProcessCommandLine contains "netvanguard" or ProcessCommandLine contains "NetVanguard-cmd" or InitiatingProcessCommandLine contains "netvanguard"
// matches regex is case-sensitive; (?i) covers CMD.EXE and PowerShell.exe spellings.
| where ProcessCommandLine matches regex @"(?i)(cmd\.exe|powershell\.exe|bash)"
| project TimeGenerated = Timestamp, DeviceName, ProcessId, ProcessCommandLine, InitiatingProcessCommandLine, AccountName
| union (SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4688
    | where CommandLine contains "netvanguard" or CommandLine contains "NetVanguard-cmd"
    | project TimeGenerated, Computer, NewProcessId, CommandLine, ParentProcessName, Account)
| union (CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where Activity contains "NetVanguard" or Message contains "CVE-2025-55315"
    | project TimeGenerated, DeviceName, Activity, Message, SourceIP)
Detection Logic
Monitor for process creation events containing 'netvanguard' or 'NetVanguard-cmd' strings in command lines, particularly when spawned by or spawning cmd.exe, powershell.exe, or bash. Cross-reference with security logs and common security logs for exploitation indicators. Focus on unusual process hierarchies and command execution from unexpected parent processes.
Affected Products: Windows, Azure, Docker, VMware, Cisco, Chrome, Python, Office365
ATT&CK Techniques: T1190, T1059, T1203
False Positive Notes: Legitimate NetVanguard administrative tools and updates may trigger alerts; whitelist known administrative accounts and scheduled maintenance windows. Filter out benign package managers and legitimate software deployment tools. Tune based on organizational baseline of NetVanguard usage patterns.
CVE-2026-26198 is a critical vulnerability (CVSS 9.8) affecting multiple platforms including Windows, Azure, and Docker environments. Detection should focus on exploitation attempts targeting vulnerable services and unusual process execution patterns associated with NetVanguard-cmd exploitation.
Detection Query (KQL)
let lookback = 7d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where ProcessCommandLine contains "netvanguard" or ProcessCommandLine contains "netguard" or ProcessCommandLine contains "CVE-2026-26198" or ProcessCommandLine matches regex @"(?i)(netguard|cmd.*exploit)"
| project Timestamp, DeviceId, DeviceName, ProcessId, ProcessCommandLine, InitiatingProcessFileName
// Join on the process that opened the connection. A join on DeviceId alone pairs every hit with all
// web traffic from that host, and ports 80/443 see most of it.
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemotePort in (80, 443, 8080, 8443)
    | project DeviceId, InitiatingProcessId, RemoteIP, RemotePort, ActionType, ConnectionTime = Timestamp
  ) on DeviceId, $left.ProcessId == $right.InitiatingProcessId
| project Timestamp, ConnectionTime, DeviceId, DeviceName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, RemoteIP, RemotePort, ActionType
Detection Logic
Monitor for process execution containing NetVanguard-cmd indicators or CVE-2026-26198 references in command lines. Correlate with suspicious network connections on common exploitation ports. Alert on unusual process spawning from web services or network-accessible applications.
Affected Products: Windows, Azure, Docker, Chrome, Cisco, VMware, Office365, Python
ATT&CK Techniques: T1190, T1203, T1059
False Positive Notes: Legitimate NetVanguard or network management tools may trigger alerts; whitelist known administrative tools and scheduled maintenance processes. Filter out expected network connections from development/testing environments. Tune for your organization's baseline of legitimate process execution patterns.
CVE-2026-27507 is a critical vulnerability (CVSS 9.8) affecting NetVanguard-cmd with limited public exploitation data available. Detection should focus on identifying exploitation attempts targeting vulnerable NetVanguard installations and command execution patterns.
Detection Query (KQL)
let lookback = 7d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where ProcessCommandLine contains "netvanguard" or ProcessCommandLine contains "CVE-2026-27507"
// The parent image is InitiatingProcessFileName; there is no InitiatingProcessName column.
| where InitiatingProcessFileName !in~ ("explorer.exe", "svchost.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId
| union (DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteUrl contains "netvanguard" or RemoteUrl contains "exploit"
    | project Timestamp, DeviceName, RemoteUrl, RemoteIP, ActionType)
Detection Logic
Monitor for process execution containing NetVanguard-related keywords or CVE identifiers, filter out legitimate system processes, and correlate with suspicious network connections to external URLs. Alert on command-line invocations from non-standard parent processes indicating potential exploitation.
Affected Products: NetVanguard-cmd, Windows, Azure, Docker
ATT&CK Techniques: T1190, T1059
False Positive Notes: Legitimate NetVanguard administrative tools and updates may trigger alerts; whitelist known management processes and scheduled maintenance windows. Filter out internal network traffic and authorized security scanning tools that may reference CVE identifiers in logs.
CVE-2025-11832 is a critical vulnerability (CVSS 9.8) affecting NetVanguard-cmd with limited public exploit availability. Detection should focus on exploitation attempts targeting vulnerable NetVanguard installations and command execution patterns.
Detection Query (KQL)
let lookback = 7d;
// cmd.exe in this list widens the first filter to every shell that uses a pipe or ampersand; tune per the FP notes.
let NetVanguardProcesses = dynamic(['netvanguard.exe', 'netvanguard-cmd.exe', 'cmd.exe']);
let SuspiciousPatterns = dynamic(['powershell', 'cmd /c', 'cmd /k', 'certutil', 'bitsadmin', 'mshta', 'regsvcs', 'regasm']);
DeviceProcessEvents
| where Timestamp > ago(lookback)
// DeviceProcessEvents columns are FileName / InitiatingProcessFileName / ProcessCommandLine.
| where FileName in~ (NetVanguardProcesses) or InitiatingProcessFileName in~ (NetVanguardProcesses)
| where ProcessCommandLine has_any (SuspiciousPatterns) or ProcessCommandLine contains_cs '|' or ProcessCommandLine contains_cs '&'
| project TimeGenerated = Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
| union (DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemotePort in (80, 443, 8080, 8443) and InitiatingProcessFileName in~ (NetVanguardProcesses)
    | project TimeGenerated = Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl)
Detection Logic
Monitor for suspicious process execution involving NetVanguard binaries combined with command-line indicators of exploitation (shell metacharacters, living-off-the-land binaries). Correlate with unusual network connections from NetVanguard processes to detect post-exploitation C2 communication.
Affected Products: NetVanguard-cmd, Windows, Azure
ATT&CK Techniques: T1190, T1059
False Positive Notes: Legitimate administrative use of NetVanguard with command-line parameters; filter known maintenance scripts and authorized security scanning tools; exclude internal network communication to known management servers; tune based on baseline NetVanguard process behavior in your environment.
CVE-2026-5194 is a critical vulnerability (CVSS 9.1) affecting multiple technology stacks including Azure, Chrome, Docker, Office365, and Windows environments. Detection should focus on exploitation attempts and suspicious process execution patterns associated with known PoC exploitation.
Detection Query (KQL)
let lookback = 7d;
let suspiciousProcesses = dynamic(['chrome.exe', 'docker.exe', 'powershell.exe', 'cmd.exe']);
let suspiciousParents = dynamic(['chrome.exe', 'explorer.exe', 'winword.exe']);
let indicators = dynamic(['CVE-2026-5194', 'jenniferreire26', 'exploit', 'payload']);
let parentIndicators = dynamic(['CVE-2026-5194', 'jenniferreire26']);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ (suspiciousProcesses) and InitiatingProcessFileName in~ (suspiciousParents)
// "contains any (...)" is not a KQL operator; has_any takes the list.
| where ProcessCommandLine has_any (indicators) or InitiatingProcessCommandLine has_any (parentIndicators)
| project TimeGenerated = Timestamp, DeviceName, FileName, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessCommandLine, AccountName
// The sign-in leg is not joined to the process rows: it lists every risky or CA-blocked sign-in in the tenant
// for the last day, and the analyst does the correlation.
| union (SigninLogs
    | where TimeGenerated > ago(24h)
    | where RiskLevelDuringSignIn == 'high' or ConditionalAccessStatus == 'failure'
    | project TimeGenerated, UserPrincipalName, IPAddress, RiskLevelDuringSignIn, ConditionalAccessStatus, ResultType)
| union (CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceProduct in ('Chrome', 'Docker', 'Cisco')
    | where Activity contains 'exploit' or Message contains 'CVE-2026-5194'
    | project TimeGenerated, DeviceProduct, SourceIP, DestinationIP, Activity, Message)
Detection Logic
Monitor for suspicious process execution chains originating from browsers, office applications, or container runtimes with command lines referencing the CVE identifier or known PoC repository names. Correlate with failed authentication attempts and network-based indicators from security appliances. Focus on anomalous child processes spawned from typically benign parents.
Affected Products: Google Chrome, Docker, Cisco Systems, Microsoft Windows, Microsoft Office 365, Microsoft Azure, VMware, Python
ATT&CK Techniques: T1190, T1203, T1059
False Positive Notes: Legitimate security testing and vulnerability scanning tools may trigger alerts; whitelist authorized security assessment activities. Development environments running Docker and Python may generate false positives; consider excluding dev VLANs or tagged machines. Filter out routine Windows updates and Office 365 service operations. Tune based on organizational baseline of normal Chrome and container usage patterns.
CVE-2025-59536 (NetVanguard-cmd) is a high-severity vulnerability (CVSS 8.8) affecting multiple platforms including Windows, Docker, and cloud environments. Detection should focus on exploitation attempts targeting vulnerable NetVanguard components and command execution patterns.
Detection Query (KQL)
let lookback = 7d;
let suspiciousProcesses = dynamic(['cmd.exe', 'powershell.exe', 'bash', 'sh']);
let netVanguardPaths = dynamic(['netvanguard', 'nv-cmd', 'vanguard']);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where ProcessCommandLine has_any (netVanguardPaths) or (InitiatingProcessCommandLine has_any (netVanguardPaths) and FileName in~ (suspiciousProcesses))
| project TimeGenerated = Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, ProcessId, InitiatingProcessId
| union (SecurityEvent
    | where TimeGenerated > ago(lookback)
    // 4688 carries the parent as ParentProcessName (ParentImage is a Sysmon field) and is timestamped by TimeGenerated.
    | where EventID == 4688 and (CommandLine has_any (netVanguardPaths) or ParentProcessName has_any (netVanguardPaths))
    | project TimeGenerated, Computer, ParentProcessName, CommandLine, NewProcessId, SubjectUserName)
| union (CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where Activity contains 'NetVanguard' or RequestURL contains 'netvanguard'
    | project TimeGenerated, SourceIP, DestinationIP, Activity, RequestURL, Message)
Detection Logic
Monitor for process execution involving NetVanguard-cmd components combined with suspicious child processes (cmd.exe, powershell.exe, bash, sh). Track both direct execution and parent-child process relationships. Correlate with network indicators and application logs for exploitation attempts.
Affected Products: Windows, Docker, Azure, VMware, Cisco, Chrome, Office365, Python
ATT&CK Techniques: T1190, T1059, T1203
False Positive Notes: Legitimate NetVanguard administrative tools and updates may trigger alerts; whitelist known maintenance windows and authorized administrative accounts. Filter out expected command-line arguments used in normal operations. Tune based on organizational NetVanguard deployment patterns.
CVE-2026-6056 has been rejected and withdrawn by the CVE Numbering Authority and should not be used for vulnerability tracking or detection purposes. No detection is warranted for this invalid CVE identifier.
Detection Query (KQL)
// This CVE has been rejected/withdrawn - no detection query applicable
// SecurityEvent
// | where 1==0
Detection Logic
No detection logic applicable. CVE-2026-6056 is a rejected/withdrawn CVE identifier with no valid vulnerability data, CVSS score of 0.0, and no associated attack techniques or affected products.
Affected Products: N/A
ATT&CK Techniques: N/A
False Positive Notes: This CVE should be disregarded entirely. Any references to CVE-2026-6056 in vulnerability databases or scanning tools should be treated as data quality issues rather than actual security threats. No tuning is necessary as no detection is warranted.
CVE-2026-41242 is a code injection vulnerability in protobufjs versions before 8.0.1 and 7.5.5 that allows attackers to inject arbitrary code through protobuf definition 'type' fields, which executes during object decoding. This vulnerability affects applications using vulnerable protobufjs libraries across multiple platforms including Azure, Docker, and Windows environments.
Detection Query (KQL)
let lookback = 7d;
union
  (DeviceProcessEvents
   | where Timestamp > ago(lookback)
   | where ProcessCommandLine contains_cs "protobufjs" or ProcessCommandLine contains_cs "proto"
   | where ProcessCommandLine matches regex @"(eval|Function|exec|setTimeout|setInterval)\s*\("
   | project TimeGenerated = Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName),
  (DeviceFileEvents
   | where Timestamp > ago(lookback)
   | where FileName endswith ".proto" or FileName endswith ".js"
   | where FolderPath contains "node_modules" and FolderPath contains "protobufjs"
   | project TimeGenerated = Timestamp, DeviceName, FileName, FolderPath, ActionType),
  (CommonSecurityLog
   | where TimeGenerated > ago(lookback)
   | where DeviceAction == "Allowed" and RequestURL contains "protobufjs" and (RequestURL contains "8.0.0" or RequestURL contains "7.5.4" or RequestURL contains "7.5.3")
   | project TimeGenerated, SourceIP, DestinationIP, RequestURL, DeviceAction),
  (SecurityEvent
   | where TimeGenerated > ago(lookback)
   // Negated containment is spelled !contains in KQL. An unpinned "npm install protobufjs" resolves to the
   // latest (patched) release yet still matches here; the FP notes cover that case.
   | where EventID == 4688 and CommandLine contains_cs "npm" and CommandLine contains_cs "protobufjs" and CommandLine !contains "8.0.1" and CommandLine !contains "7.5.5"
   | project TimeGenerated, Computer, CommandLine, ParentProcessName, Account)
| extend CVE = "CVE-2026-41242", Severity = "High"
Detection Logic
Detection focuses on identifying vulnerable protobufjs library usage through process execution patterns (eval/Function calls with proto-related arguments), file system artifacts (proto files in vulnerable node_modules paths), package manager activity installing vulnerable versions, and network indicators of vulnerable library downloads. Correlates process creation events with known vulnerable version strings.
Affected Products: protobufjs, Node.js applications, Azure App Services, Docker containers, Python applications using protobuf, Windows-based Node.js deployments
ATT&CK Techniques: T1190, T1059
False Positive Notes: Legitimate protobuf compilation during development and CI/CD pipelines, npm package updates to patched versions (8.0.1, 7.5.5+), standard Node.js development with eval-like patterns in non-protobuf contexts, and routine dependency scanning tools may trigger alerts. Tune by excluding development machines, build servers, and whitelisting legitimate package manager operations.
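Substring matches on "8.0.0" or "7.5.4" in a URL or npm command line cannot tell a vulnerable install from a patched one. This added Python example, not part of the digest or of the protobufjs project, parses a constructed package-lock.json `packages` map and compares each protobufjs entry numerically against the fixed versions the entry names (8.0.1 on the 8.x line, 7.5.5 on the 7.x line; anything older than 7.x is before both); the lockfile fragment is constructed for the illustration.

```python
import json
import re

# First fixed release per major line, taken from the advisory text above.
FIXED = {8: (8, 0, 1), 7: (7, 5, 5)}
PKG = "protobufjs"


def parse_semver(version):
    """Return (major, minor, patch) for a plain or v-prefixed semver string; pre-release tags are ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True when the version precedes the fix on its major line; lines older than 7.x have no fixed release."""
    ver = parse_semver(version)
    fixed = FIXED.get(ver[0])
    if fixed is None:
        return ver[0] < 7
    return ver < fixed


def vulnerable_installs(lockfile_text):
    """(path, version) for every protobufjs entry in a lockfileVersion 2/3 'packages' map that is vulnerable.

    Nested copies (node_modules/<dep>/node_modules/protobufjs) are checked too, since each is loaded
    independently; protobufjs-cli and other packages with a similar prefix are not protobufjs.
    """
    lock = json.loads(lockfile_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if path.split("node_modules/")[-1] == PKG and "version" in meta:
            if is_vulnerable(meta["version"]):
                hits.append((path, meta["version"]))
    return hits


# Constructed lockfile fragment (not from a real project).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "node_modules/protobufjs": {"version": "7.5.4"},
        "node_modules/grpc-tools/node_modules/protobufjs": {"version": "8.0.1"},
        "node_modules/legacy-lib/node_modules/protobufjs": {"version": "6.11.4"},
        "node_modules/protobufjs-cli": {"version": "1.1.3"},
    },
})

if __name__ == "__main__":
    for path, ver in vulnerable_installs(SAMPLE_LOCK):
        print(f"{path} {ver}: below the fixed release")
```

Run it against a real lockfile from a build server to get the ground truth the npm command-line leg of the query can only approximate; the nested 8.0.1 copy is correctly left alone while the top-level 7.5.4 and the 6.x copy under a legacy dependency are flagged.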
CVE-2026-40948 affects apache-airflow-providers-keycloak by failing to validate OAuth 2.0 state parameters and implement PKCE, allowing attackers to perform login-CSRF and session fixation attacks. An attacker with Keycloak realm access can hijack victim sessions and harvest stored credentials from Airflow Connections.
Detection Query (KQL)
let lookback = 7d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where ProcessCommandLine contains "airflow" or ProcessCommandLine contains "keycloak"
| where ProcessCommandLine contains "login" or ProcessCommandLine contains "callback"
| project Timestamp, DeviceId, ProcessId, ProcessCommandLine, InitiatingProcessAccountName
// Join on the process that opened the connection; a DeviceId-only join pairs every process hit with every callback on the host.
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteUrl contains "keycloak" or RemoteUrl contains "airflow"
    // RemoteUrl from the endpoint sensor often carries only the host. The full callback URL with its query
    // string is visible in a proxy log or the Airflow webserver access log, which is where a missing state= is best checked.
    | where RemoteUrl contains "callback" and RemoteUrl !contains "state="
    | project DeviceId, InitiatingProcessId, RemoteUrl, RemoteIP, ConnectionTime = Timestamp
  ) on DeviceId, $left.ProcessId == $right.InitiatingProcessId
| project Timestamp, ConnectionTime, DeviceId, ProcessCommandLine, RemoteUrl, RemoteIP, InitiatingProcessAccountName
Detection Logic
Monitor for Airflow and Keycloak authentication processes that execute login or callback operations without proper OAuth 2.0 state parameter validation. Correlate process execution with network events showing callback URLs missing state parameters, indicating potential CSRF exploitation attempts.
Affected Products: Apache Airflow, apache-airflow-providers-keycloak, Keycloak
ATT&CK Techniques: T1187, T1539, T1556
False Positive Notes: Legitimate Airflow login flows with properly formed state parameters should be whitelisted. Filter out internal testing environments and development instances. Exclude known service accounts performing automated authentication. Monitor for callback URLs that properly include state= parameters to reduce false positives.
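Two sides of the control this entry is about, as an added Python example that is not part of the digest or of the apache-airflow-providers-keycloak code: a scan of access-log lines for authorization-code callbacks that arrive without a `state` parameter (the query's `!contains "state="` check, applied where the query string is actually visible), and the server-side login flow that issues a per-session state plus a PKCE verifier and rejects any callback whose state does not match. The log format, route paths and session dictionary are constructed for the illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed access-log format: "<client_ip> <method> <path?query> <status>"
CALLBACK_PATHS = ("/callback", "/oauth-authorized")


def callbacks_missing_state(access_log_lines):
    """Request lines for authorization-code callbacks whose query string has no state parameter."""
    hits = []
    for line in access_log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        url = urlsplit(parts[2])
        if any(p in url.path for p in CALLBACK_PATHS):
            query = parse_qs(url.query)
            if "code" in query and "state" not in query:
                hits.append(line)
    return hits


def begin_login(session):
    """Store a fresh state and PKCE verifier in the session; return the parameters that go on the authorize URL."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["pkce_verifier"] = secrets.token_urlsafe(64)
    digest = hashlib.sha256(session["pkce_verifier"].encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return {"state": session["oauth_state"],
            "code_challenge": challenge,
            "code_challenge_method": "S256"}


def validate_callback(session, params):
    """Accept the callback only if its state matches the one issued to this session.

    The state is consumed on first use, so a replayed or attacker-supplied callback fails even when
    the legitimate one already failed. The verifier that remains in the session is sent with the code
    to the token endpoint; a code fixated from another session cannot satisfy it.
    """
    expected = session.pop("oauth_state", None)
    presented = params.get("state")
    if not expected or not presented or not secrets.compare_digest(expected, presented):
        return False
    return "pkce_verifier" in session


# Constructed access-log lines (not real traffic).
SAMPLE_LOG = [
    "10.0.0.5 GET /auth/oauth-authorized/keycloak?code=abc123 200",
    "10.0.0.6 GET /auth/oauth-authorized/keycloak?code=def456&state=Zm9v 302",
    "10.0.0.7 GET /home 200",
    "10.0.0.8 GET /login/callback?code=ghi789 200",
]

if __name__ == "__main__":
    for line in callbacks_missing_state(SAMPLE_LOG):
        print("callback without state:", line)
    session = {}
    issued = begin_login(session)
    print("genuine callback accepted:", validate_callback(session, {"state": issued["state"]}))
```

The two callbacks without `state` are the lines the detection wants; the flow functions show why a login-CSRF or fixated code fails once state is bound to the session and the verifier never leaves it.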
CVE-2026-25917 affects Apache Airflow where DAG authors can craft malicious XCom payloads to execute arbitrary code in the webserver context. Detection focuses on identifying suspicious XCom payload creation and webserver code execution patterns in Airflow environments.
Detection Query (KQL)
let lookback = 7d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
// contains_cs takes a single string; list matching is has_any. startswith covers python3.x image names,
// and the parent image is InitiatingProcessFileName (there is no ParentProcessName column).
| where InitiatingProcessFileName startswith "python" or InitiatingProcessFileName has "airflow" or InitiatingProcessCommandLine has_any ("airflow", "webserver")
| where ProcessCommandLine has_any ("xcom", "dag")
| where ProcessCommandLine matches regex @"\b(exec|eval|__import__)\b" or InitiatingProcessCommandLine matches regex @"\b(exec|eval|__import__)\b"
| project TimeGenerated = Timestamp, DeviceName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
Detection Logic
Monitor for Python/Airflow processes spawning child processes with suspicious execution patterns (exec, eval, imports) originating from Airflow webserver context. Correlate DAG-related process activity with code execution indicators to identify XCom payload exploitation attempts.
Affected Products: Apache Airflow
ATT&CK Techniques: T1190, T1059
False Positive Notes: Legitimate Airflow DAG development and testing may trigger alerts; whitelist known development environments and scheduled DAG parsing activities. Filter out routine Airflow webserver restarts and normal XCom operations by trusted service accounts.
CVE-2026-30898 involves unsafe handling of dag_run.conf in Apache Airflow's BashOperator documentation, allowing unsanitized user input to escalate privileges and execute arbitrary code on worker nodes. Organizations using Airflow should detect suspicious DAG configurations and command execution patterns that exploit this vulnerability.
Detection Query (KQL)
let lookback = 7d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
// Airflow templates are Jinja: {{ dag_run.conf['key'] }}. Note that the rendered child command line normally
// carries the substituted value rather than the literal dag_run.conf, so pair this with DAG source review.
| where ProcessCommandLine contains_cs "dag_run.conf" or ProcessCommandLine matches regex @"\{\{\s*dag_run\.conf.*\}\}"
| where InitiatingProcessFileName in~ ("python.exe", "python", "python3", "airflow")
| project Timestamp, DeviceId, DeviceName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("bash", "sh", "cmd.exe", "powershell.exe")
    | project DeviceId, InitiatingProcessId, ChildProcess = FileName, ChildCommandLine = ProcessCommandLine
  ) on DeviceId, $left.ProcessId == $right.InitiatingProcessId
| project Timestamp, DeviceName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, ChildProcess, ChildCommandLine
Detection Logic
Detects process creation events where Python/Airflow processes spawn shell interpreters (bash, sh, cmd, powershell) with command lines containing unsanitized dag_run.conf variable references or template injection patterns. Correlates parent-child process relationships to identify privilege escalation attempts through BashOperator exploitation.
Affected Products: Apache Airflow, Python, Docker, Windows
ATT&CK Techniques: T1548.004, T1059.006, T1190
False Positive Notes: Legitimate Airflow DAG executions using dag_run.conf in properly sanitized contexts may trigger alerts. Filter by known good Airflow service accounts, exclude DAGs from trusted development teams, and baseline normal dag_run.conf usage patterns in your environment. Consider whitelisting specific DAG IDs and execution contexts after validation.
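A source-level check that complements the process-lineage query above, as an added Python example that is not part of the digest or of Apache Airflow: it parses DAG files with the `ast` module and reports every `BashOperator` whose `bash_command` template reads `dag_run.conf` directly, while leaving alone the form the BashOperator documentation recommends, where the value is passed through `env=` and bash only ever sees an environment variable. The sample DAG text is constructed for the illustration.

```python
import ast
import re

# A Jinja expression in bash_command that reaches into dag_run.conf
UNSAFE = re.compile(r"\{\{[^}]*dag_run\.conf")


def _string_value(node):
    """Literal string value of a constant AST node, or None for anything dynamic."""
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None


def unsafe_bash_operators(dag_source):
    """(line, task_id) for each BashOperator call whose bash_command interpolates dag_run.conf.

    A value passed through env= is not flagged: bash receives it as a variable, not as code,
    and a quoted "$VAR" in bash_command cannot change the command's structure.
    """
    findings = []
    for node in ast.walk(ast.parse(dag_source)):
        if not (isinstance(node, ast.Call) and getattr(node.func, "id", None) == "BashOperator"):
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords}
        cmd = _string_value(kwargs.get("bash_command"))
        if cmd and UNSAFE.search(cmd):
            task_id = _string_value(kwargs.get("task_id")) or "<dynamic task_id>"
            findings.append((node.lineno, task_id))
    return findings


# Constructed DAG snippet (not a real project file); the last task shows the env= form.
SAMPLE_DAG = '''
from airflow.operators.bash import BashOperator

unsafe = BashOperator(
    task_id="echo_raw",
    bash_command="echo {{ dag_run.conf['name'] }}",   # the value is spliced into the shell command
)
also_unsafe = BashOperator(
    task_id="rm_raw",
    bash_command="rm -rf /tmp/{{ dag_run.conf.get('dir', 'x') }}",
)
safe = BashOperator(
    task_id="echo_env",
    bash_command='echo "$NAME"',                       # bash sees only a variable
    env={"NAME": "{{ dag_run.conf['name'] }}"},
)
'''

if __name__ == "__main__":
    for line, task in unsafe_bash_operators(SAMPLE_DAG):
        print(f"line {line}: task {task} interpolates dag_run.conf into bash_command")
```

Pointing this at the DAGs folder gives the whitelist the FP notes ask for: tasks that already use the `env=` form can be excluded from the runtime detection, and the two flagged tasks are the ones whose shell command structure a trigger-time `conf` payload can alter.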
CVE-2026-30912 affects Apache Airflow where SQL error stack traces are exposed via API responses despite the 'api/expose_stack_traces' configuration being set to false, potentially leaking sensitive information. Detection focuses on identifying API responses containing SQL exception details and stack trace patterns that indicate this vulnerability is being exploited or misconfigured.
Detection Query (KQL)
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceProduct contains "Airflow" or RequestURL contains "airflow"
| where RequestURL contains "api/"
// CEF has no ResponseBody or ResponseStatus field. A proxy or WAF that forwards a response snippet puts it in
// Message or AdditionalExtensions; for status codes the Airflow webserver access log is the better source.
| extend ResponseText = strcat(Message, " ", AdditionalExtensions)
| where ResponseText contains "traceback" or ResponseText contains "SQLException" or ResponseText contains "sql.exc" or ResponseText contains "OperationalError" or ResponseText contains "ProgrammingError"
| extend RiskLevel = case(ResponseText contains "traceback" and ResponseText contains "sql", "High", "Medium")
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, RiskLevel, ResponseText, DeviceProduct
Detection Logic
Monitor API endpoints in Airflow environments for HTTP responses containing SQL exception details, stack traces, or Python traceback information. Flag responses that include database error messages (SQLException, OperationalError, ProgrammingError) or traceback patterns, particularly when returned with 200 or 500 status codes from API endpoints, indicating potential information disclosure.
Affected Products: Apache Airflow, Apache Airflow 3.0.x, Apache Airflow 3.1.x
ATT&CK Techniques: T1526, T1592
False Positive Notes: Development and testing environments may legitimately expose stack traces; filter by environment tags. Authorized security scanning tools may trigger this detection; whitelist known vulnerability scanners. API responses in non-production Airflow instances should be excluded. Consider tuning based on source IP reputation and expected API behavior patterns in your environment.
CVE-2026-32228 is a privilege escalation vulnerability in Apache Airflow where users with asset materialize permissions can trigger DAGs (Directed Acyclic Graphs) they lack authorization to access. This detection identifies suspicious DAG trigger activities from users with limited permissions that may indicate exploitation attempts.
Detection Query (KQL)
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor == "Apache" and DeviceProduct == "Airflow"
| where Activity contains "dag_trigger" or Activity contains "trigger"
| where RequestClientApplication contains "api" or RequestClientApplication contains "ui"
| where tolower(AdditionalExtensions) contains "materialize"
| where tolower(AdditionalExtensions) !contains "admin" and tolower(AdditionalExtensions) !contains "owner"
| summarize TriggerCount = count(), TriggeredDAGs = make_set(DestinationUserName) by SourceUserName, SourceIP, bin(TimeGenerated, 5m)
| where TriggerCount > 2
| project TimeGenerated, SourceUserName, SourceIP, TriggerCount, TriggeredDAGs
Detection Logic
Monitor Airflow API and UI logs for DAG trigger events initiated by users with only asset materialize permissions. Detect anomalous patterns where such users attempt to trigger multiple DAGs outside their authorization scope, indicating potential CVE-2026-32228 exploitation.
Affected Products: Apache Airflow
ATT&CK Techniques: T1548, T1078
False Positive Notes: Legitimate admin or owner-level users triggering DAGs; scheduled DAG executions; users with proper dag_edit or dag_create permissions; service accounts with elevated privileges; expected batch DAG triggers during maintenance windows. Tune by excluding known service accounts and admin users.
ThreatPulse — Automated Threat Intelligence