What’s New: Detecting Apache Log4j vulnerabilities with Microsoft Sentinel

Published Dec 16 2021 06:21 PM 15.8K Views
Microsoft

Microsoft's security research teams have been tracking threats taking advantage of the remote code execution (RCE) vulnerability in Apache Log4j 2 referred to as “Log4Shell” and tracked as CVE-2021-44228. The vulnerability allows unauthenticated remote code execution and is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component.

A new Microsoft Sentinel solution has been added to the Content Hub that provides content to monitor, detect and investigate signals related to exploitation of the recently disclosed Log4j vulnerability.

[Screenshot: content hub install 2.png]

For technical and mitigation information about the vulnerability, please read:

Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation - Microsoft Security Blog
https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

Labels: Alerts, Analytics, Content, Detection, Investigation, SIEM, Solutions, Threat Intelligence, What's New

9 Comments

I'm receiving an error on the subscription when trying to deploy: This offer is not available for subscriptions from Microsoft Azure Cloud Solution Providers.

@p_fox solutions can't be deployed into subscriptions from Microsoft Azure Cloud Solution Providers. However, you can manually add these detections into your workspace from our GitHub repo. All the detections and hunting queries are linked to in the Sentinel part of this blog:
Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation - Microsoft Security Blog
https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#Sentinel

Hello,
This does not work: Azure WAF Log4j CVE-2021-44228 hunting
Error: 'where' operator: Failed to resolve table or column or scalar expression named 'originalRequestUriWithArgs_s'.
[Screenshot: lightupdifire_0-1639745662699.png]

@lightupdifire it looks like you're not ingesting WAF logs into Sentinel? This query will fail if you are not ingesting WAF logs (to see how to do this: Integrating Azure Web Application Firewall with Azure Sentinel - Microsoft Tech Community, https://techcommunity.microsoft.com/t5/azure-network-security-blog/integrating-azure-web-application-firewall-with-azure-sentinel/ba-p/1720306).

we need this in the CSP environment also

@Sarah_Young Thanks for the comment, we have WAF, but logs of it are stored in another subscription :)

Thank you for sharing and great to see Microsoft is contributing to protecting users even for non-Microsoft platforms.
However, based on my experience, in case you are looking for better security, seriously consider switching to the latest version of IIS.

Hi, in the deployment template the 2 playbooks make reference to a Log4j Vulnerability Detection API and require credentials - where can I find more info about the API?

@Pieterhancke the API referenced in the playbooks is this one: Azure Monitor HTTP Data Collector API - Azure Monitor | Microsoft Docs
https://docs.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api
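The credentials the playbooks ask for are the Log Analytics workspace ID and shared key, which the Azure Monitor HTTP Data Collector API uses to sign every POST. The following is an added example, not code from the Sentinel solution or its playbooks: it builds a signed request offline using the documented SharedKey scheme, and the workspace ID, key, date and records are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from email.utils import formatdate

RESOURCE = "/api/logs"             # path covered by the signature
CONTENT_TYPE = "application/json"

# Constructed demo values (placeholder workspace ID, made-up key), not real credentials.
DEMO_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
DEMO_SHARED_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret").decode()
DEMO_DATE = "Thu, 16 Dec 2021 18:21:00 GMT"
DEMO_RECORDS = [{"Host": "app01.example.internal", "Cve": "CVE-2021-44228",
                 "Finding": "vulnerable log4j-core jar present"}]

def string_to_sign(content_length: int, rfc1123_date: str) -> str:
    """Canonical string the API signs: VERB, Content-Length, Content-Type, x-ms-date, resource."""
    return "\n".join(["POST", str(content_length), CONTENT_TYPE,
                      "x-ms-date:" + rfc1123_date, RESOURCE])

def build_authorization(workspace_id: str, shared_key_b64: str, body: bytes, rfc1123_date: str) -> str:
    """Authorization header: SharedKey <WorkspaceID>:<Base64(HMAC-SHA256(decoded key, string_to_sign))>."""
    key = base64.b64decode(shared_key_b64)          # the portal shows the key base64-encoded
    mac = hmac.new(key, string_to_sign(len(body), rfc1123_date).encode("utf-8"), hashlib.sha256)
    return f"SharedKey {workspace_id}:{base64.b64encode(mac.digest()).decode()}"

def build_request(workspace_id, shared_key_b64, log_type, records, rfc1123_date=None):
    """Assemble URL, headers and body for one POST into the custom table <log_type>_CL.
    Nothing is sent here; the caller hands the three values to its HTTP client."""
    rfc1123_date = rfc1123_date or formatdate(usegmt=True)
    body = json.dumps(records).encode("utf-8")
    headers = {
        "Content-Type": CONTENT_TYPE,
        "Authorization": build_authorization(workspace_id, shared_key_b64, body, rfc1123_date),
        "Log-Type": log_type,        # custom log name; Log Analytics appends _CL
        "x-ms-date": rfc1123_date,   # must be the same date folded into the signature
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version=2016-04-01"
    return url, headers, body

def authorization_is_valid(workspace_id, shared_key_b64, headers, body) -> bool:
    """Receiver-side check: recompute from the received body and x-ms-date, compare in constant time."""
    expected = build_authorization(workspace_id, shared_key_b64, body, headers["x-ms-date"])
    return hmac.compare_digest(expected, headers["Authorization"])
```

Because the signature covers the body length and the x-ms-date header, a request whose body or date is altered after signing is rejected, which is why a playbook must compute the header immediately before each POST.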
Last update: Dec 16 2021 08:15 PM