Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Vulnerable Machines related to log4j CVE-2021-44228

Back
Id3d71fc38-f249-454e-8479-0a358382ef9a
RulenameVulnerable Machines related to log4j CVE-2021-44228
DescriptionThis query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228.

Log4j is an open-source Apache logging library that is used in many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).

Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/

Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal

Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271
SeverityHigh
TacticsInitialAccess
Execution
TechniquesT1190
T1203
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache Log4j Vulnerability Detection/Analytic Rules/Log4jVulnerableMachines.yaml
Version1.0.3
Arm template3d71fc38-f249-454e-8479-0a358382ef9a.json
Deploy To Azure
SecurityNestedRecommendation
| where RemediationDescription has 'CVE-2021-44228'
| parse ResourceDetails with * 'virtualMachines/' VirtualMachine '"' *
| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMachine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
| extend Timestamp = TimeGenerated
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: VirtualMachine
queryFrequency: 1d
name: Vulnerable Machines related to log4j CVE-2021-44228
tags:
- Log4j
- CVE-2021-44228
- Log4shell
kind: Scheduled
tactics:
- InitialAccess
- Execution
triggerThreshold: 0
query: |
  SecurityNestedRecommendation
  | where RemediationDescription has 'CVE-2021-44228'
  | parse ResourceDetails with * 'virtualMachines/' VirtualMachine '"' *
  | summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMachine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
  | extend Timestamp = TimeGenerated  
relevantTechniques:
- T1190
- T1203
triggerOperator: gt
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache Log4j Vulnerability Detection/Analytic Rules/Log4jVulnerableMachines.yaml
severity: High
status: Available
id: 3d71fc38-f249-454e-8479-0a358382ef9a
requiredDataConnectors: []
version: 1.0.3
description: |
  'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228.
  Log4j is an open-source Apache logging library that is used in many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).
   Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
   Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal
   Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271'  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3d71fc38-f249-454e-8479-0a358382ef9a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3d71fc38-f249-454e-8479-0a358382ef9a')]",
      "properties": {
        "alertRuleTemplateName": "3d71fc38-f249-454e-8479-0a358382ef9a",
        "customDetails": null,
        "description": "'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228.\nLog4j is an open-source Apache logging library that is used in many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271'\n",
        "displayName": "Vulnerable Machines related to log4j CVE-2021-44228",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "VirtualMachine",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache Log4j Vulnerability Detection/Analytic Rules/Log4jVulnerableMachines.yaml",
        "query": "SecurityNestedRecommendation\n| where RemediationDescription has 'CVE-2021-44228'\n| parse ResourceDetails with * 'virtualMachines/' VirtualMachine '\"' *\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMachine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\n| extend Timestamp = TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "InitialAccess"
        ],
        "tags": [
          "Log4j",
          "CVE-2021-44228",
          "Log4shell"
        ],
        "techniques": [
          "T1190",
          "T1203"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}