INTRODUCTION

This post walks you through the log analysis of OMIGod vulnerability exploitation artefacts using Kusto Query Language (KQL). The raw JSON logs from the exploited Linux device are fetched into Azure Data Explorer using the externaldata() function and analysed in a KQL instance. I have been learning Kusto Query Language as part of my routine, and KQL experts can write better queries to fine-tune JSON data than the ones I have mentioned here.

The Linux device with the vulnerable OMI version is configured with the Linux Audit Daemon (auditd) using the best-practice configuration. This blog post explains how to set up your own private pwn lab for OMI exploitation.

This great Linux Logging with AuditD video by IppSec explains how to set up Linux logging with auditd. Below are all the comments by IppSec from the video (no comments from me; full credit goes to IppSec):

Installing Auditd
Downloading a good baseline ruleset from github
Going over the baseline file to understand how logging works
What th
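As an added example (not code from the original post), the following KQL shows the externaldata() pattern the post describes: exported auditd JSON is read straight from blob storage and then queried for processes whose parent is the OMI agent, which is where exploitation artefacts would surface. The storage URL and SAS token are placeholders, and the column names (ts, type, key, exe, uid, pid, ppid) are assumptions about the shape of the exported JSON; map them to whatever your exporter actually emits.

```kql
// Added example, not from the original post.
// Load auditd events exported as one JSON object per line (multijson).
// Column names are ASSUMED; adjust them to the real export schema.
let AuditLogs = externaldata(
        ts: datetime,      // assumed: event timestamp
        type: string,      // assumed: auditd record type (SYSCALL, EXECVE, ...)
        key: string,       // assumed: auditd rule key (-k) that matched
        exe: string,       // assumed: path of the executable
        uid: string,       // assumed: user id the process ran as
        pid: int,          // assumed: process id
        ppid: int          // assumed: parent process id
    )
    // PLACEHOLDER URL: replace account, container, path and SAS token.
    [ h@'https://<storageaccount>.blob.core.windows.net/<container>/auditd.json?<sas-token>' ]
    with(format='multijson');
// Processes spawned by the OMI agent. omiagent normally has no business
// launching shells or utilities, so anything here deserves a look.
// (/opt/omi/bin/omiagent is the agent's usual install path; treat it as
// an assumption and verify against your host.)
let OmiAgentPids =
    AuditLogs
    | where type == "SYSCALL"
    | where exe endswith "/omiagent"
    | distinct pid;
AuditLogs
| where type == "SYSCALL"
| where ppid in (OmiAgentPids)
| summarize events = count(), first_seen = min(ts), last_seen = max(ts), keys = make_set(key) by exe, uid
| order by events desc
```

Running the query with a ruleset that tags execve calls (the baseline ruleset discussed later keys them) gives a compact table of every binary the agent launched, the uid it ran as and the rule keys that fired; on a healthy host that table should be empty or limited to the agent's own helpers.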