What's New: Consolidating Apache Log4j-related insights across Multiple Tenants and Workspaces
Published Feb 07 2022 01:59 PM 3,075 Views
Microsoft

Last month we published the Log4j Vulnerability Detection solution for Microsoft Sentinel, containing Analytics Rules and Hunting Queries to help users monitor, detect and investigate signals in Microsoft Sentinel related to exploitation of the Apache Log4j / “Log4Shell” vulnerability.

We have now added additional resources to the Solution:

  • A Watchlist containing Log4j-relevant detections, alerts and CVE IDs
  • A Log4j Impact Assessment Workbook for consolidation of Log4j-relevant insights into a single pane
  • Two playbooks to automate the ingestion of the list of IOCs provided by the Microsoft Threat Intelligence Center (MSTIC)

Installing or Updating the Solution

For users with the existing Solution installed, follow these steps to update the Solution:
  1. Find the Log4j Vulnerability Detection Solution in Content Hub and walk through the creation wizard again.
  2. The information panel will surface the currently installed solution version. Click on “View details”, which will show details of the new version (1.0.2) of this Solution.
  3. Click on “Create” and go through the process to manually update the Solution.
  4. After successful completion of the previous step, the information panel will get updated to reflect the new version that is installed.

For more details, refer to this guide.


For users who do not have the Solution installed, follow these steps:
  1. Find the Log4j Vulnerability Detection Solution in Content Hub and walk through the creation wizard.

Objective of the Workbook

This Workbook provides a consolidated view of all Security Incidents, Alerts and Asset Vulnerability information related to Log4j across multi-Tenant environments.


The first section provides an overview of Security Incidents and Security Alerts related to Log4j, allowing users to identify key insights such as:

  • Which Log4j detections are present across all environments
  • Which tenants / workspaces should be prioritized for further Log4j investigation
  • Which detections have spiked beyond the usual baseline and warrant further triage

The second section consolidates security posture and asset vulnerability information by pulling together:

  • Azure Security Center Secure Score and recommendations
  • Microsoft Defender for Cloud (TVM and Qualys) – Log4j impacted Machines and Container Registries
  • Microsoft Defender for Endpoint Secure Score, Exposure Score, Recommendations and Vulnerabilities related to Log4j

Setup

Pre-Requisites
  • Install the Log4j Vulnerability Detection Solution in Content Hub (steps outlined above)
  • To enable a consolidated multi-Tenant view, Azure Lighthouse needs to be onboarded
  • (Optional) To leverage Microsoft Defender for Cloud asset vulnerability information, follow this guide to enable this data source
  • (Optional) To leverage Microsoft 365 Defender Vulnerability and Secure Score information, follow this guide to ingest the data into Microsoft Sentinel


1 – Create a Watchlist to store Log4j-related information and intelligence

The prevalence of tools and information feeds results in operational overhead for the SOC; maintaining a single consolidated source of vulnerability and threat reference information is therefore the first essential step of impact assessment.

In this example, with reference to the Microsoft Guidance on Log4j, we extracted the list of Log4j-relevant insights – such as Alert Names, CVE IDs, Product Names, Impacted OS and more. This was stored in a CSV file and uploaded as a Watchlist.

Excerpt of the CSV file containing Log4j-related insights
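The following query is an added example, not a query shipped with the solution: it reads the campaign Watchlist created in this step, matches it against Security Alerts from several workspaces, and surfaces the detections whose daily volume has spiked above their baseline (the insights the first Workbook section is built for). It assumes the Watchlist alias is Log4j with an AlertName column from the CSV above, and that the workspace names are placeholders reachable through Azure Lighthouse.

```kusto
// Added example (not from the solution). Assumptions: Watchlist alias 'Log4j'
// with a column AlertName; workspace names below are placeholders.
let campaign = _GetWatchlist('Log4j')
    | where isnotempty(AlertName)
    | distinct AlertName;
let alerts = union isfuzzy=true
    workspace('ws-tenantA-1').SecurityAlert,
    workspace('ws-tenantB-1').SecurityAlert
| where TimeGenerated > ago(30d)
| where AlertName in (campaign)                          // keep only campaign detections
| summarize arg_max(TimeGenerated, *) by SystemAlertId;  // one row per alert, latest update
// Which detections are present, and in which tenant / workspace
alerts
| summarize Alerts = count(), LastSeen = max(TimeGenerated) by TenantId, AlertName
| order by Alerts desc;
// Which detections have spiked beyond their usual baseline in the last 7 days
alerts
| make-series Daily = count() default = 0
    on TimeGenerated from ago(30d) to now() step 1d
    by TenantId, AlertName
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Daily, 1.5, -1, 'linefit')
| mv-expand TimeGenerated to typeof(datetime), Daily to typeof(long),
            Anomalies to typeof(int), Baseline to typeof(double)
| where Anomalies > 0 and TimeGenerated > ago(7d)        // positive spikes only
| project TimeGenerated, TenantId, AlertName, Daily, Baseline = round(Baseline, 1)
| order by Daily desc
```

Run each of the two result queries separately in Logs or paste them into a Workbook query step; the second one needs a few weeks of data before the baseline is meaningful.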


2 – Centralized view across multiple Workspaces, Subscriptions and Tenants

The Workbook caters to all deployment variations: whether you have a single Workspace or a complex multi-Tenant / multi-Workspace deployment, the parameter selection bar lets you define your desired view.

For multi-Tenant deployments or service providers, using Azure Lighthouse with Microsoft Sentinel enables scalable operations across the entire environment. In the example below, of the 5 subscriptions, 3 belong to Tenant A and 2 belong to Tenant B; with Azure Lighthouse enabled, I can select them all to generate a consolidated view of Log4j’s impact.

Workbook parameter selection

3 – Select the Watchlist

The Log4j Watchlist generated earlier does not need to be stored and replicated in each individual Workspace. Simply store it in one Workspace, select that Workspace under the WatchlistWorkspace parameter, and then select the Watchlist from the dropdown list.

Select the Workspace where the Log4j Watchlist is stored

4 – Use the Workbook and customize where necessary

Once the parameters mentioned above are set correctly, the rest of the Workbook will populate accordingly. If you do not see results being returned, it could either be that (1) you have no Incidents or assets impacted by Log4j; or (2) you do not have the right data sources ingested into Microsoft Sentinel.


As with any Workbook, you have the flexibility to add, modify or delete sections to generate your desired view; for more information, refer to our documentation here.

Leveraging this setup for broader use

While the content shared above is Log4j centric, the underlying construct enables SOC teams to repurpose it for the next security crisis. By simply adding a new Watchlist containing insights specific to the new vulnerability or attack campaign and selecting it from the Campaign dropdown parameter, the same Workbook will highlight Incidents and vulnerabilities related to the new campaign.

The Workbook was built to avoid hard-coding any campaign information in the Workbook logic. An important capability used here, to modify the original Microsoft Defender for Cloud Log4j vulnerability Workbook section, was merging data from different sources (in this case, Azure Resource Graph and Log Analytics). We create one hidden Log Analytics query (get Watchlist information) and one hidden ARG query (get asset vulnerability information), then create a new Merge query that runs an inner unique join on the CVE ID to render the list of vulnerable Log4j assets.
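The two hidden queries behind that Merge step, written out as an added example rather than the solution's own workbook definition; it assumes the Watchlist alias is Log4j with a column named CVE, and that the asset findings come from Microsoft Defender for Cloud sub-assessments in Azure Resource Graph.

```kusto
// Added example (not the solution's workbook JSON). Assumptions: Watchlist
// alias 'Log4j' with a CVE column; findings are Defender for Cloud sub-assessments.

// Hidden query 1 (Log Analytics): the campaign's CVE IDs from the Watchlist
_GetWatchlist('Log4j')
| where isnotempty(CVE)
| distinct CVE

// Hidden query 2 (Azure Resource Graph): open vulnerability findings per asset,
// keyed by CVE ID, from Defender for Cloud (TVM / Qualys) sub-assessments
securityresources
| where type =~ "microsoft.security/assessments/subassessments"
| extend CVE = tostring(properties.id),
         Status = tostring(properties.status.code),
         AssessedResourceType = tostring(properties.additionalData.assessedResourceType),
         ResourceId = tostring(properties.resourceDetails.id)
| where CVE startswith "CVE-" and Status =~ "Unhealthy"
| project subscriptionId, ResourceId, AssessedResourceType, CVE, Status

// Merge step (Workbook UI): Inner (unique) join, left = query 1, right = query 2,
// join column CVE on both sides. Only assets whose CVE is in the Watchlist remain,
// so swapping the Watchlist re-targets this section with no query changes.
```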

Automate ingestion of Microsoft Threat Intelligence Center (MSTIC) provided IOCs

Microsoft Threat Intelligence Center (MSTIC) has also provided a list of IOCs related to this attack and is continuing to update them with new indicators as they are discovered: https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample Data/Feeds/Log4j_IOC_List.csv


The new Log4j Solution update includes two Playbooks to automate the ingestion of these indicators into the ThreatIntelligenceIndicator table of the Microsoft Sentinel workspace. For detailed instructions on deploying these Playbooks refer to Using Azure Playbooks to import text-based threat indicators to Azure Sentinel - Microsoft Tech Comm... wherein:

  • Playbook 1 refers to Log4JIndicatorProcessor
  • Playbook 2 refers to BatchImportToSentinel
  • Note: You must deploy the BatchImportToSentinel Playbook before deploying the Log4JIndicatorProcessor Playbook


Once deployed to your Microsoft Sentinel instance, these Playbooks will operate in tandem to import indicators published by MSTIC on a regular basis so you will always have the latest threat intelligence data.
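A quick check, added here and not part of the solution, that the two Playbooks are populating the ThreatIntelligenceIndicator table with indicators that are still active; it groups by the SourceSystem value the import writes, whatever that is in your workspace.

```kusto
// Added example (not from the solution): confirm MSTIC indicators are landing
// in the workspace and are still usable by the analytics rules.
ThreatIntelligenceIndicator
| where TimeGenerated > ago(7d)
| summarize arg_max(TimeGenerated, *) by IndicatorId      // latest version of each indicator
| where Active == true and ExpirationDateTime > now()     // drop revoked / expired entries
| extend IndicatorType = case(
    isnotempty(NetworkIP), "ip",
    isnotempty(DomainName), "domain",
    isnotempty(Url), "url",
    isnotempty(FileHashValue), "filehash",
    "other")
| summarize Indicators = count(), LastImported = max(TimeGenerated)
    by SourceSystem, IndicatorType
| order by Indicators desc
```

An empty result after the Playbooks have run points at the BatchImportToSentinel deployment (it must exist before Log4JIndicatorProcessor) or at its connection permissions.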


Last update: Feb 07 2022 02:36 PM