There’s a new Analytics Rule for Microsoft Sentinel customers that monitors against the known IOCs for Log4j. This is available in the console to be enabled.
The KQL query behind the Analytics Rule uses the externaldata operator to query against the Log4j_IOC_List.csv file that is continually being updated with newly discovered IP addresses. This file is located and maintained in the Microsoft Sentinel GitHub repository here: https://cda.ms/3tp.
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Microsoft Sentinel Newsletter]
[Subscribe to the Bi-Weekly Defender for Cloud Newsletter]