CommonSecurityLog
| where DeviceVendor has 'Silverfort'
| where DeviceProduct has 'Admin Console'
| where DeviceEventClassID == "NewIncident"
| where Message has "Log4Shell"
| extend UserName = parse_json(replace('^""|""$', '', Message))['userName']
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: UserName
tactics:
- InitialAccess
requiredDataConnectors:
- dataTypes:
- CommonSecurityLog
connectorId: SilverfortAma
id: d6abed70-4043-46da-9304-a98f3446fa5f
severity: High
query: |-
CommonSecurityLog
| where DeviceVendor has 'Silverfort'
| where DeviceProduct has 'Admin Console'
| where DeviceEventClassID == "NewIncident"
| where Message has "Log4Shell"
| extend UserName = parse_json(replace('^""|""$', '', Message))['userName']
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Silverfort/Analytic Rules/Log4Shell.yaml
kind: Scheduled
queryPeriod: 15m
version: 1.0.0
name: Silverfort - Log4Shell Incident
queryFrequency: 15m
triggerThreshold: 0
relevantTechniques:
- T1190
description: |
'Vulnerability allows attackers to execute arbitrary code on affected systems by exploiting a flaw in the way Log4j handles log messages containing specially crafted strings'
triggerOperator: gt