A few short weeks ago now during the initial reporting on Log4j, the Microsoft Sentinel team released a Solution in the recently christened Content Hub for Log4j. The first release (1.0.0) only supplied a couple Analytics Rules, despite
This particular solution has now been updated. The update brings the solution to version 1.0.1 and now includes 4 Analytics Rules and 10 Hunting Queries. HOWEVER, when a solution is updated, customers need to go through a manual operation to get the updated and newly provided content. If you haven’t done so yet, find the Log4j Vulnerability Detection solution in the Content Hub and walk through the creation wizard again.
And just a heads-up. The information pane for the solution differs from what you see in the details. As shown in the image below, the information pane shows the solution that you have installed. But, once you open the details, you’ll see that the solution actually has the new and update content (10 Hunting queries) if you’ve not updated already.
Once you go through the process to manually update the solution, the information pane will update to reflect your new, installed version. Unfortunately, there’s no way currently to know when the solution has an update.
P.S. You should note that this will duplicate content in the Microsoft Sentinel environment. This is still a Known Issue as outlined here: Duplicate Content After Deploying a Microsoft Sentinel Solution
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Microsoft Sentinel Newsletter]
[Subscribe to the Bi-Weekly Defender for Cloud Newsletter]