Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Vulnerable Machines related to log4j CVE-2021-44228

Vulnerable Machines related to log4j CVE-2021-44228

Back
Id3d71fc38-f249-454e-8479-0a358382ef9a
RulenameVulnerable Machines related to log4j CVE-2021-44228
DescriptionThis query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228.

Log4j is an open-source Apache logging library that is used in many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).

Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/

Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal

Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271
SeverityHigh
TacticsInitialAccess
Execution
TechniquesT1190
T1203
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache Log4j Vulnerability Detection/Analytic Rules/Log4jVulnerableMachines.yaml
Version1.0.3
Arm template3d71fc38-f249-454e-8479-0a358382ef9a.json
Deploy To Azure
SecurityNestedRecommendation
| where RemediationDescription has 'CVE-2021-44228'
| parse ResourceDetails with * 'virtualMachines/' VirtualMachine '"' *
| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMachine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
| extend Timestamp = TimeGenerated

name: Vulnerable Machines related to log4j CVE-2021-44228
query: |
  SecurityNestedRecommendation
  | where RemediationDescription has 'CVE-2021-44228'
  | parse ResourceDetails with * 'virtualMachines/' VirtualMachine '"' *
  | summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMachine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
  | extend Timestamp = TimeGenerated  
queryFrequency: 1d
triggerOperator: gt
requiredDataConnectors: []
tags:
- Log4j
- CVE-2021-44228
- Log4shell
status: Available
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: VirtualMachine
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache Log4j Vulnerability Detection/Analytic Rules/Log4jVulnerableMachines.yaml
description: |
  'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228.
  Log4j is an open-source Apache logging library that is used in many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).
   Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
   Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal
   Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271'  
version: 1.0.3
id: 3d71fc38-f249-454e-8479-0a358382ef9a
kind: Scheduled
relevantTechniques:
- T1190
- T1203
severity: High
tactics:
- InitialAccess
- Execution
queryPeriod: 1d