Log4j Vulnerability Detection

Solution: Apache Log4j Vulnerability Detection

Apache Log4j Vulnerability Detection Logo

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Attribute	Value
Publisher	Microsoft Corporation
Support Tier	Microsoft
Support Link	https://support.microsoft.com/
Categories	domains
Version	3.0.6
Author	Microsoft - support@microsoft.com
First Published	2021-12-15
Solution Folder	Apache Log4j Vulnerability Detection
Marketplace	Azure Marketplace · Rating: ★★★★☆ 3.5/5 (2 ratings) · Popularity: 🔵 Medium (78%)
Pre-requisites	Azure Web Application Firewall (WAF), Microsoft 365, Windows Server DNS, CiscoASA, PaloAlto-PAN-OS, Microsoft Entra ID, Azure Activity, Amazon Web Services, Azure Firewall, SquidProxy, Zscaler Private Access (ZPA), Syslog, Check Point, Microsoft Defender XDR

Microsoft's security research teams have been tracking threats taking advantage of CVE-2021-44228, a remote code execution (RCE) vulnerability in Apache Log4j 2 referred to as “Log4Shell”. The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the Microsoft Security Response Center blog. This solution provides content to monitor, detect and investigate signals related to exploitation of this vulnerability in Microsoft Sentinel.

For details on the required solutions, see the Pre-requisites section below.

Pre-requisites
Data Connectors
Tables Used
Content Items

Pre-requisites

This solution depends on 14 other solution(s):

Solution
Amazon Web Services
Azure Activity
Azure Firewall
Azure Web Application Firewall (WAF)
Check Point
CiscoASA
Microsoft 365
Microsoft Defender XDR
Microsoft Entra ID
PaloAlto-PAN-OS
SquidProxy
Syslog
Windows Server DNS
Zscaler Private Access (ZPA)

Data Connectors

This solution does not include its own data connectors but uses connectors from dependency solutions:

Windows DNS Events via AMA (dependency on Windows Server DNS)
Amazon Web Services (dependency on Amazon Web Services)
Amazon Web Services S3 (dependency on Amazon Web Services)
Amazon Web Services S3 WAF (dependency on Amazon Web Services)
Microsoft Entra ID (dependency on Microsoft Entra ID)
Azure Activity (dependency on Azure Activity)
Azure Firewall (dependency on Azure Firewall)
Cisco ASA via Legacy Agent (dependency on CiscoASA)
Cisco ASA/FTD via AMA (dependency on CiscoASA)
DNS (dependency on Windows Server DNS)
Microsoft Defender XDR (dependency on Microsoft Defender XDR)
Microsoft 365 (formerly, Office 365) (dependency on Microsoft 365)
[Deprecated] Palo Alto Networks (Firewall) via Legacy Agent (dependency on PaloAlto-PAN-OS)
[Deprecated] Palo Alto Networks (Firewall) via AMA (dependency on PaloAlto-PAN-OS)
[Deprecated] Squid Proxy (dependency on SquidProxy)
Syslog via Legacy Agent (dependency on Syslog)
Syslog via AMA (dependency on Syslog)
Azure Web Application Firewall (WAF) (dependency on Azure Web Application Firewall (WAF))
[Deprecated] Zscaler Private Access (dependency on Zscaler Private Access (ZPA))

Tables Used

This solution queries 18 table(s) from its content items:

Table	Used By Content
`AADNonInteractiveUserSignInLogs`	Analytics, Workbooks
`AWSCloudTrail`	Analytics, Workbooks
`AzureActivity`	Analytics
`AzureDiagnostics`	Analytics, Hunting, Workbooks
`CommonSecurityLog`	Analytics, Hunting
`DeviceNetworkEvents`	Analytics, Hunting
`DnsEvents`	Analytics
`Event`	Analytics
`M365SecureScoreControls_CL`	Workbooks
`MDfEExposureScore_CL`	Workbooks
`MDfERecommendations_CL`	Workbooks
`MDfEVulnerabilitiesList_CL`	Workbooks
`OfficeActivity`	Analytics, Workbooks
`SecurityNestedRecommendation`	Analytics, Workbooks
`SigninLogs`	Analytics, Workbooks
`Syslog`	Hunting, Workbooks
`VMConnection`	Analytics, Hunting
`W3CIISLog`	Analytics, Workbooks

Internal Tables

The following 2 table(s) are used internally by this solution's content items:

Table	Used By Content
`SecurityAlert`	Workbooks
`SecurityIncident`	Workbooks

Content Items

This solution includes 17 content item(s):

Content Type	Count
Hunting Queries	10
Analytic Rules	4
Workbooks	2
Playbooks	1

Analytic Rules

Name	Severity	Tactics	Tables Used
Azure WAF matching for Log4j vuln(CVE-2021-44228)	High	InitialAccess	`AzureDiagnostics`
Log4j vulnerability exploit aka Log4Shell IP IOC	High	CommandAndControl	`AADNonInteractiveUserSignInLogs` `AWSCloudTrail` `AzureActivity` `AzureDiagnostics` `CommonSecurityLog` `DeviceNetworkEvents` `DnsEvents` `Event` `OfficeActivity` `SigninLogs` `VMConnection` `W3CIISLog`
User agent search for log4j exploitation attempt	High	InitialAccess	`AADNonInteractiveUserSignInLogs` `AWSCloudTrail` `AzureDiagnostics` `OfficeActivity` `SigninLogs` `W3CIISLog`
Vulnerable Machines related to log4j CVE-2021-44228	High	InitialAccess, Execution	`SecurityNestedRecommendation`

Hunting Queries

Name	Tactics	Tables Used
Azure WAF Log4j CVE-2021-44228 hunting	InitialAccess	`AzureDiagnostics`
Linux security related process termination activity detected	DefenseEvasion	`Syslog`
Malicious Connection to LDAP port for CVE-2021-44228 vulnerability	CommandAndControl	`DeviceNetworkEvents` `VMConnection`
Network Connection to New External LDAP Server	InitialAccess	`CommonSecurityLog`
Possible Container Miner related artifacts detected	Impact, Execution	`Syslog`
Possible Linux attack toolkit detected via Syslog data	Reconnaissance, Execution	`Syslog`
Possible exploitation of Apache log4j component detected	Persistence, Execution	`Syslog`
Suspicious Base64 download activity detected	Persistence, Execution	`Syslog`
Suspicious Shell script detected	Persistence, Execution	`Syslog`
Suspicious manipulation of firewall detected via Syslog data	DefenseEvasion	`Syslog`

Workbooks

Name	Tables Used
Log4jImpactAssessment	`M365SecureScoreControls_CL` `MDfEExposureScore_CL` `MDfERecommendations_CL` `MDfEVulnerabilitiesList_CL` Internal use: `SecurityAlert` `SecurityIncident`
Log4jPostCompromiseHunting	`AADNonInteractiveUserSignInLogs` `AWSCloudTrail` `AzureDiagnostics` `OfficeActivity` `SecurityNestedRecommendation` `SigninLogs` `Syslog` `W3CIISLog`

Playbooks

Name	Description	Tables Used
Log4jIndicatorProcessor	These playbooks automate the ingest of threat indicators into the ThreatIntelligenceIndicator table ...	-

Release Notes

Version	Date Modified (DD-MM-YYYY)	Change History
3.0.8	25-08-2025	Hardcoded the Watchlist description to resolve a deployment issue.
3.0.7	21-07-2025	Removed 'BatchImportToSentinel' & Updated 'Log4jIndicatorProcessor' Playbook to handle new STIX action.
3.0.6	21-01-2025	Fixed query in Analytical Rule UserAgentSearch_log4j.yaml.
3.0.5	26-07-2024	Updated Analytical Rule for missing TTP.
3.0.4	31-05-2024	Added missing AMA Data Connector reference in Analytic rules and Hunting Query.
3.0.3	15-02-2024	Updated the solution to fix Analytic Rules deployment issue.
3.0.2	07-02-2024	Updated solution description.
3.0.1	02-01-2024	Tagged for dependent solutions for deployment.
3.0.0	06-11-2023	Modified text as there is rebranding from Azure Active Directory to Microsoft Entra ID.