Microsoft Defender for Cloud Blog

How Defender for Cloud displays machines affected by Log4j vulnerabilities

melvynadam
Microsoft
Dec 13, 2021

When news breaks of a major security story, like the vulnerability in the open-source Apache logging library Log4j (CVE-2021-44228), vendors and organizations move as fast as they can to understand the issue, determine their exposure, and mitigate the risks.

The Microsoft Security Response Center was quick to release guidance and background on this issue. We continue to update that page as we, and the rest of the infosec community, gain a deeper understanding of the impact of this threat.

In situations like this, organizations that are using Microsoft Defender for Cloud can immediately begin investigations - even before there's a CVE number - with our Inventory tools as shown below.

In addition, our threat detection capabilities have already been expanded to ensure we're surfacing exploitation of CVE-2021-44228 in several relevant security alerts.

Inventory filters

Using inventory, you have two powerful ways to begin determining your exposure across your hybrid and multi-cloud resources:

A quick demo of how you'd search for all your resources to see which ones have Log4j installed is shown below. Of course, this doesn't replace a search of your codebase. There's also the possibility that software with integrated Log4j libraries won't appear in this list. But it's definitely helpful for initial triaging when a major incident is unfolding.

Search Azure Resource Graph data

Azure Resource Graph (ARG) provides instant access to resource information across your cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick and efficient way to query information across Azure subscriptions programmatically or from within the Azure portal.

ARG also lets you query your resource data directly for the resources that Defender for Cloud has found to be vulnerable to the Log4j vulnerability:

  1. Open Azure Resource Graph Explorer.

  2. Enter the following query and select Run query:

securityresources 
| where type =~ "microsoft.security/assessments/subassessments"
| extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id), subAssessmentId=tostring(properties.id), parentResourceId= extract("(.+)/providers/Microsoft.Security", 1, id)
| extend Props = parse_json(properties)
| extend additionalData = Props.additionalData
| extend cves = additionalData.cve
| where isnotempty(cves) and array_length(cves) > 0
| mv-expand cves
| where tostring(cves) has "CVE-2021-44228"
| distinct parentResourceId
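
As an added illustration (not code from the original post or from the Defender for Cloud product), the Python below replays the query's logic locally over constructed sample rows shaped like securityresources subassessment records, so you can see what each stage keeps or drops; the CVE list is a parameter, which also covers the has_any variant raised in the comments. Subscription, resource group and VM names, KEY-1 and CVE-0000-0000 are placeholders.

```python
import json
import re
PARENT_RE = re.compile(r"(.+)/providers/Microsoft.Security")  # parentResourceId regex from the query
SUBASSESSMENT_TYPE = "microsoft.security/assessments/subassessments"
LOG4J_CVES = ("CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105")

# Constructed sample rows shaped like securityresources records (id, type, properties).
# Subscription, resource group and VM names, KEY-1 and CVE-0000-0000 are placeholders.
VM_LOG4J = "/subscriptions/SUB-A/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm-log4j"
VM_45046 = "/subscriptions/SUB-A/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm-45046"
VM_CLEAN = "/subscriptions/SUB-B/resourceGroups/rg2/providers/Microsoft.Compute/virtualMachines/vm-clean"
SUFFIX = "/providers/Microsoft.Security/assessments/KEY-1/subassessments/"

def make_row(parent, sub_id, cve):
    props = {"id": sub_id}
    if cve is not None:
        props["additionalData"] = {"cve": cve}
    return {"id": parent + SUFFIX + sub_id, "type": SUBASSESSMENT_TYPE, "properties": json.dumps(props)}

SAMPLE_ROWS = [
    make_row(VM_LOG4J, "s1", ["CVE-2021-44228", "CVE-0000-0000"]),  # matches the original query
    make_row(VM_LOG4J, "s2", ["CVE-2021-44228"]),                   # same VM again: collapsed by distinct
    make_row(VM_45046, "s3", ["cve-2021-45046"]),                   # only the has_any CVE set matches
    make_row(VM_CLEAN, "s4", None),                                 # no additionalData.cve: dropped
    {"id": VM_LOG4J + "/providers/Microsoft.Security/assessments/KEY-1",
     "type": "microsoft.security/assessments", "properties": "{}"},  # wrong type: dropped
]

def affected_resources(rows, cves):
    """Replay the query: filter on type, extract parentResourceId, parse properties, mv-expand
    additionalData.cve and keep rows naming any wanted CVE; return distinct parent ids, sorted."""
    wanted = {c.upper() for c in cves}
    hits = set()
    for row in rows:
        if row.get("type", "").lower() != SUBASSESSMENT_TYPE:
            continue
        parent = PARENT_RE.search(row["id"])
        if not parent:
            continue
        props = json.loads(row["properties"])               # parse_json(properties)
        found = (props.get("additionalData") or {}).get("cve")
        if not found:                                       # isnotempty(cves) and array_length(cves) > 0
            continue
        for cve in found:                                   # mv-expand cves
            # KQL has/has_any is a case-insensitive term match; an exact upper-cased compare stands in here.
            if str(cve).upper() in wanted:
                hits.add(parent.group(1))
                break
    return sorted(hits)
```

Calling affected_resources(SAMPLE_ROWS, ["CVE-2021-44228"]) mirrors the original query and returns only vm-log4j; passing LOG4J_CVES mirrors the has_any variant and also returns vm-45046.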
Learn more

For extensive guidance, workarounds, background, analysis of the vulnerability, and the latest updates, check the continually maintained post on the Microsoft Security Response Center (MSRC) blog.

Updated Feb 01, 2022
Version 8.0
  • HydrateAndy
    Copper Contributor

    I have a question - I have been posting similar suggestions over the last couple of days and people are asking. Does this scan for binaries across an OS, or does it simply look at the official software inventory as provided by the OS?

    We know, for example, that not all software components listed on Windows Servers (Add/Remove) are representative of what services and executables have actually been installed by a vendor and associated Open Source tools.

  • Reza_Ameri
    Silver Contributor

    Thank you for sharing, this is very valuable.

    I also hope to add Microsoft Defender signature for Windows Server devices running this service.

  • Tushar_Mudi
    Copper Contributor

    Thank you for the KQL query.
    Is it possible to use "has_any" instead of "has" and do this?

    I am getting an InvalidQuery error after I run this.

    securityresources
    | where type =~ "microsoft.security/assessments/subassessments"
    | extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id), subAssessmentId=tostring(properties.id), parentResourceId= extract("(.+)/providers/Microsoft.Security", 1, id)
    | extend Props = parse_json(properties)
    | extend additionalData = Props.additionalData
    | extend cves = additionalData.cve
    | where isnotempty(cves) and array_length(cves) > 0
    | mv-expand cves
    | where tostring(cves) has_any ("CVE-2021-44228","CVE-2021-45046","CVE-2021-45105")