Create Devices with Log4j vulnerability alerts and additional other alert related context.md
Parent
7044b9bd91
Commit
9eec1cf895
@ -0,0 +1,61 @@
# Devices with Log4j vulnerability alerts and additional other alert related context
Microsoft has observed threat actors exploiting vulnerabilities associated with Log4J.
## Query
This query looks for devices that have alerts for suspected Log4J vulnerability explotation, and identifies other alerts that have been observed on the device within a given timeframe.
```
// Get any devices with Log4J related Alert Activity
let DevicesLog4JAlerts = AlertInfo
| where Title in~('Suspicious script launched',
'Exploitation attempt against Log4j (CVE-2021-44228)',
'Suspicious process executed by a network service',
'Possible target of Log4j exploitation (CVE-2021-44228)',
'Possible target of Log4j exploitation',
'Possible Log4j exploitation',
'Network connection seen in CVE-2021-44228 exploitation',
'Log4j exploitation detected',
'Possible exploitation of CVE-2021-44228',
'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',
'Possible source of Log4j exploitation'
'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j
'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt
)
// Join in evidence information
| join AlertEvidence on AlertId
| where DeviceId != ""
| summarize by DeviceId, Title;
// Get additional alert activity for each device
AlertEvidence
| where DeviceId in(DevicesLog4JAlerts)
// Add additional info
| join kind=leftouter AlertInfo on AlertId
| summarize DeviceAlerts = make_set(Title), AlertIDs = make_set(AlertId) by DeviceId, bin(Timestamp, 1d)
```
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | | |
| Ransomware | | |
## Contributor info
**Contributor:** Microsoft 365 Defender team
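Review bot: the `in~` list in the first `where` clause is missing a comma after `'Possible source of Log4j exploitation'` (the entry just before `'Log4j exploitation attempt via cloud application'`), so the query will fail to parse as committed; add the trailing comma so every title in the list is a separate string. Second, `DevicesLog4JAlerts` ends with `| summarize by DeviceId, Title;` but is then consumed only as a set of device ids in `| where DeviceId in(DevicesLog4JAlerts)`; ending it with `| distinct DeviceId` (or `| summarize by DeviceId`) states the intent directly and avoids passing a two-column table to `in`. Minor: "explotation" in the description should read "exploitation", and the Category table marks only "Vulnerability" even though every alert title the query keys on describes exploitation attempts or targets, so "Exploit" (and arguably "Initial access") deserves a mark or a note explaining why it is left blank.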