Silverfort - Log4Shell Incident

Back


Id	d6abed70-4043-46da-9304-a98f3446fa5f
Rulename	Silverfort - Log4Shell Incident
Description	Vulnerability allows attackers to execute arbitrary code on affected systems by exploiting a flaw in the way Log4j handles log messages containing specially crafted strings
Severity	High
Tactics	InitialAccess
Techniques	T1190
Required data connectors	SilverfortAma
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Silverfort/Analytic Rules/Log4Shell.yaml
Version	1.0.0
Arm template	d6abed70-4043-46da-9304-a98f3446fa5f.json

KQL

CommonSecurityLog 
| where DeviceVendor has 'Silverfort'
| where DeviceProduct has 'Admin Console'
| where DeviceEventClassID == "NewIncident"
| where Message has "Log4Shell"
| extend UserName = parse_json(replace('^""|""$', '', Message))['userName']

YAML

queryFrequency: 15m
requiredDataConnectors:
- connectorId: SilverfortAma
  dataTypes:
  - CommonSecurityLog
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Silverfort/Analytic Rules/Log4Shell.yaml
name: Silverfort - Log4Shell Incident
description: |
    'Vulnerability allows attackers to execute arbitrary code on affected systems by exploiting a flaw in the way Log4j handles log messages containing specially crafted strings'
severity: High
kind: Scheduled
triggerThreshold: 0
id: d6abed70-4043-46da-9304-a98f3446fa5f
version: 1.0.0
relevantTechniques:
- T1190
triggerOperator: gt
queryPeriod: 15m
tactics:
- InitialAccess
query: |-
  CommonSecurityLog 
  | where DeviceVendor has 'Silverfort'
  | where DeviceProduct has 'Admin Console'
  | where DeviceEventClassID == "NewIncident"
  | where Message has "Log4Shell"
  | extend UserName = parse_json(replace('^""|""$', '', Message))['userName']  
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: UserName
  entityType: Account

ARM