Vulnerable Machines related to log4j CVE-2021-44228
Id | 3d71fc38-f249-454e-8479-0a358382ef9a |
Rulename | Vulnerable Machines related to log4j CVE-2021-44228 |
Description | This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below). Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/ Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271 |
Severity | High |
Tactics | InitialAccess Execution |
Techniques | T1190 T1203 |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache Log4j Vulnerability Detection/Analytic Rules/Log4jVulnerableMachines.yaml |
Version | 1.0.3 |
Arm template | 3d71fc38-f249-454e-8479-0a358382ef9a.json |
SecurityNestedRecommendation
| where RemediationDescription has 'CVE-2021-44228'
| parse ResourceDetails with * 'virtualMachines/' VirtualMachine '"' *
| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMachine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
| extend Timestamp = TimeGenerated
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: VirtualMachine
queryFrequency: 1d
name: Vulnerable Machines related to log4j CVE-2021-44228
tags:
- Log4j
- CVE-2021-44228
- Log4shell
kind: Scheduled
tactics:
- InitialAccess
- Execution
triggerThreshold: 0
query: |
SecurityNestedRecommendation
| where RemediationDescription has 'CVE-2021-44228'
| parse ResourceDetails with * 'virtualMachines/' VirtualMachine '"' *
| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMachine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
| extend Timestamp = TimeGenerated
relevantTechniques:
- T1190
- T1203
triggerOperator: gt
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache Log4j Vulnerability Detection/Analytic Rules/Log4jVulnerableMachines.yaml
severity: High
status: Available
id: 3d71fc38-f249-454e-8479-0a358382ef9a
requiredDataConnectors: []
version: 1.0.3
description: |
'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228.
Log4j is an open-source Apache logging library that is used in many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).
Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal
Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271'
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3d71fc38-f249-454e-8479-0a358382ef9a')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3d71fc38-f249-454e-8479-0a358382ef9a')]",
"properties": {
"alertRuleTemplateName": "3d71fc38-f249-454e-8479-0a358382ef9a",
"customDetails": null,
"description": "'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228.\nLog4j is an open-source Apache logging library that is used in many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271'\n",
"displayName": "Vulnerable Machines related to log4j CVE-2021-44228",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "VirtualMachine",
"identifier": "HostName"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache Log4j Vulnerability Detection/Analytic Rules/Log4jVulnerableMachines.yaml",
"query": "SecurityNestedRecommendation\n| where RemediationDescription has 'CVE-2021-44228'\n| parse ResourceDetails with * 'virtualMachines/' VirtualMachine '\"' *\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMachine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\n| extend Timestamp = TimeGenerated\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Execution",
"InitialAccess"
],
"tags": [
"Log4j",
"CVE-2021-44228",
"Log4shell"
],
"techniques": [
"T1190",
"T1203"
],
"templateVersion": "1.0.3",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}