Last month we published the Log4j Vulnerability Detection Microsoft Sentinel solution containing Analytics Rules and Hunting Queries to help users monitor, detect and investigate signals in Microsoft Sentinel related to the exploitation of the Apache Log4j / “Log4Shell” vulnerability.
We have now added additional resources to the Solution:
For users with the existing Solution installed, follow these steps to update the Solution:
For more details, refer to this guide.
For users who do not have the Solution installed, follow these steps:
This Workbook provides a consolidated view of all Security Incidents, Alerts and Asset Vulnerability information related to Log4j across multi-Tenant environments.
The first section provides an overview of Security Incidents and Security Alerts related to Log4j, allowing users to identify key insights such as:
The second section consolidates security posture and asset vulnerability information by pulling together:
1 – Create a Watchlist to store Log4j-related information and intelligence
The prevalence of tools and information feeds result in operational overheads for the SOC, maintaining a single consolidated source of vulnerability / threat reference information is the first essential step of impact assessment.
In this example, with reference to the Microsoft Guidance on Log4j we extracted the list of Log4j-relevant insights – such as: Alert Names, CVE IDs, Product Names, Impacted OS and more. This was stored in a CSV file and uploaded as a Watchlist.
2 – Centralized view across multiple Workspaces, Subscriptions and Tenants
The Workbook is catered to support all deployment variations – whether you have a single Workspace or a complex multi-Tenant / multi-Workspace deployment, the parameter selection bar enables you to define your desired view.
For multi-Tenant deployments or service providers, using Azure Lighthouse with Microsoft Sentinel enables scalable operations across the entire environment. In the example below of 5 subscriptions, 3 belong to Tenant A and 2 belong to Tenant B – with Azure Lighthouse enabled I can select them all to generate a consolidated view of Log4j’s impact.
3 – Select the Watchlist
The Log4j Watchlist generated earlier does not need to be stored and replicated in each individual Workspace. Simply store it in 1 Workspace and select that under the WatchlistWorkspace parameter then select the Watchlist from the dropdown list.
4 – Use the Workbook and customize where necessary
Once the parameters mentioned above are set correctly, the rest of the Workbook will populate accordingly. If you do not see results being returned, it could either be that (1) you have no Incidents or assets impacted by Log4j; or (2) you do not have the right data sources ingested into Microsoft Sentinel.
As with any Workbook, you have the flexibility to add, modify or delete sections to generate your desired view, for more information refer to our documentation here.
While the content shared above is Log4j centric, the underlying construct enables SOC teams to repurpose this for the next security crisis. By simply adding a new Watchlist containing insights specific to the new vulnerability or attack campaign, selecting the new Watchlist from the Campaign dropdown parameter, the same Workbook will now highlight Incidents and vulnerabilities related to the new campaign.
The Workbook has been created in a way to eliminate any hard coding of campaign information within the Workbook logic. An important capability used here to modify the original Microsoft Defender for Cloud Log4j vulnerability Workbook section, was the use of merging data from different sources (in this case, Azure Resource Graph and Log Analytics). We create 1 hidden Log Analytics query (get Watchlist information) and 1 hidden ARG query (get asset vulnerability information); and create a new Merge query, running an inner unique join on the CVE ID to render the list of vulnerable Log4j assets.
Microsoft Threat Intelligence Center (MSTIC) has also provided a list of IOCs related to this attack and is continuing to update them with new indicators as they are discovered: https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample Data/Feeds/Log4j_IOC_List.csv
The new Log4j Solution update includes two Playbooks to automate the ingestion of these indicators into the ThreatIntelligenceIndicator table of the Microsoft Sentinel workspace. For detailed instructions on deploying these Playbooks refer to Using Azure Playbooks to import text-based threat indicators to Azure Sentinel - Microsoft Tech Comm... wherein:
Once deployed to your Microsoft Sentinel instance, these Playbooks will operate in tandem to import indicators published by MSTIC on a regular basis so you will always have the latest threat intelligence data.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.