Enabling the Log4j Vulnerability Exploit Analytics Rule for Microsoft Sentinel

There’s a new Analytics Rule for Microsoft Sentinel customers that monitors against the known IOCs for Log4j. This is available in the console to be enabled.

Log4j Analytics rule

The KQL query behind the Analytics Rule uses the externaldata operator to query against the Log4j_IOC_List.csv file that is continually being updated with newly discovered IP addresses. This file is located and maintained in the Microsoft Sentinel GitHub repository here: https://cda.ms/3tp.

Continually updated IP list

=========================

[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Microsoft Sentinel Newsletter]

[Subscribe to the Bi-Weekly Defender for Cloud Newsletter]

Author