Attackers exploiting the Log4j vulnerability (CVE-2021-44228) can execute arbitrary code on the vulnerable host and use outbound network requests to stage payloads and exfiltrate data, so any alert in the set below may indicate compromise of a critical system. SOC teams should hunt for these alerts in Microsoft Sentinel (formerly Azure Sentinel), enrich each hit with the device, process and remote-address evidence behind it, and triage it promptly, before the attacker moves from an exploitation attempt to data theft or persistent control of the host.
KQL Query
AlertInfo
| where Title in~('Suspicious script launched',
'Exploitation attempt against Log4j (CVE-2021-44228)',
'Suspicious process executed by a network service',
'Possible target of Log4j exploitation (CVE-2021-44228)',
'Possible target of Log4j exploitation',
'Possible Log4j exploitation',
'Network connection seen in CVE-2021-44228 exploitation',
'Log4j exploitation detected',
'Possible exploitation of CVE-2021-44228',
'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',
'Possible source of Log4j exploitation',
'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j
'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt
)
id: ef76733a-86ab-4592-b341-64a4b369f4b7
name: Alerts related to Log4j vulnerability
description: |
Microsoft has observed attackers exploiting vulnerabilities associated with Log4J.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- AlertInfo
tactics:
- Vulnerability
query: |
AlertInfo
| where Title in~('Suspicious script launched',
'Exploitation attempt against Log4j (CVE-2021-44228)',
'Suspicious process executed by a network service',
'Possible target of Log4j exploitation (CVE-2021-44228)',
'Possible target of Log4j exploitation',
'Possible Log4j exploitation',
'Network connection seen in CVE-2021-44228 exploitation',
'Log4j exploitation detected',
'Possible exploitation of CVE-2021-44228',
'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',
'Possible source of Log4j exploitation',
'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j
'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt
)
The alerts matched by this query are raised on exploitation behaviour, as their titles indicate (an exploitation or scanning attempt, a process spawned by a network service, a network connection seen during exploitation), not on the Log4j library merely being loaded, so an application that logs through Log4j does not by itself produce a hit. Tuning therefore belongs on the alert evidence (the DeviceName, ProcessCommandLine, RemoteIP and AccountName entities in AlertEvidence for the same AlertId), never on the presence of Log4j. Each exclusion below should be as narrow as the evidence allows and should be revisited when the application is patched or retired.
Scenario: Scheduled System Maintenance Job Using Log4j
Description: A legitimate scheduled job (e.g., a Windows Task Scheduler or cron job) runs a Java utility that logs through Log4j during routine system maintenance (backup, patching, cleanup).
Filter/Exclusion: Suppress only the verified combination of device and command line for that job. A hit on a maintenance host whose command line or remote peer does not match the job's known behaviour should be triaged as possible compromise, since an unpatched maintenance host is exactly the kind of target these alerts exist for.
Scenario: Admin Task Using Log4j for Debugging
Description: An administrator runs a Java-based administrative or automation tool that uses Log4j for debug logging.
Filter/Exclusion: Exclude only the known tool's process and the administrative account that runs it, and only on the hosts where the tool is sanctioned. An elevated account is not on its own a reason to exclude, because a successful exploit against an administrative tool runs in the same elevated context.
Scenario: Log4j Used in a Legacy Application for Logging
Description: A legacy enterprise application (e.g., a Java-based ERP system such as SAP, Oracle EBS or JD Edwards) uses Log4j for logging and is still in active use.
Filter/Exclusion: Exclude the application's own service process on its inventoried hosts only after confirming that its Log4j has been updated to a fixed version. Until then, hits against that application should be treated as candidate exploitation, and the scope of any exclusion should be the device and process evidence, not the application name.
Scenario: Log4j Used in a Security Tool for Logging
Description: A security tool (e.g., Splunk, the ELK stack, or Graylog) uses Log4j for internal logging and is part of the enterprise security infrastructure.
Filter/Exclusion: Exclude events where the Log4j usage is part of a known security tool (e.g., tool = splunk, tool = elasticsearch, or `tool =
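The query below is an added example, not part of the original hunting query or of the Microsoft Sentinel content it was taken from. It keeps the same Title match, joins AlertEvidence so that each hit carries the affected devices, accounts, spawned command lines and remote peers, and then applies the kind of narrow exclusion the scenarios above call for: a hit is dropped only when every remote peer it involves is a sanctioned vulnerability scanner. The 7-day window, the 10-entry cap per evidence set and the scanner addresses (RFC 5737 documentation addresses standing in for a real inventory) are assumptions made for illustration.

```kql
// Added example: enrich Log4j alerts with evidence and exclude sanctioned scanners.
// Not from the original hunting query; window, caps and scanner IPs are assumptions.
let log4jTitles = dynamic([
    'Suspicious script launched',
    'Exploitation attempt against Log4j (CVE-2021-44228)',
    'Suspicious process executed by a network service',
    'Possible target of Log4j exploitation (CVE-2021-44228)',
    'Possible target of Log4j exploitation',
    'Possible Log4j exploitation',
    'Network connection seen in CVE-2021-44228 exploitation',
    'Log4j exploitation detected',
    'Possible exploitation of CVE-2021-44228',
    'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',
    'Possible source of Log4j exploitation',
    'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j
    'Log4j exploitation attempt via email'              // Previously titled Log4j Exploitation Attempt
]);
// Placeholder addresses for an authorized internal scanner (assumption; replace with your inventory).
let authorizedScanners = dynamic(['198.51.100.10', '198.51.100.11']);
AlertInfo
| where Timestamp > ago(7d)
| where Title in~ (log4jTitles)
// Pull the entities behind each alert: one row per AlertId with capped sets.
| join kind=leftouter (
    AlertEvidence
    | where Timestamp > ago(7d)
    | summarize
        Devices   = make_set_if(DeviceName,         isnotempty(DeviceName),         10),
        Accounts  = make_set_if(AccountName,        isnotempty(AccountName),        10),
        Processes = make_set_if(ProcessCommandLine, isnotempty(ProcessCommandLine), 10),
        RemoteIPs = make_set_if(RemoteIP,           isnotempty(RemoteIP),           10)
      by AlertId
) on AlertId
// Peers that are NOT sanctioned scanners; null when the alert had no network evidence.
| extend NonScannerPeers = set_difference(RemoteIPs, authorizedScanners)
// Keep the alert unless every remote peer is a sanctioned scanner.
// Alerts with no network evidence (no join match or empty set) are always kept.
| where isnull(RemoteIPs)
    or array_length(RemoteIPs) == 0
    or array_length(NonScannerPeers) > 0
| project Timestamp, AlertId, Title, Severity, ServiceSource, DetectionSource,
          Devices, Accounts, Processes, RemoteIPs, NonScannerPeers
| order by Timestamp desc
```

The exclusion is deliberately one-sided: an alert that names a single non-scanner peer, or no peer at all, survives, because the cost of hiding a real exploitation attempt behind a scanner allow-list is far higher than the cost of triaging a scanner-generated hit. The same pattern (summarize the evidence per AlertId, then filter on the set) is how the device-and-command-line exclusions in the scenarios above would be expressed, by filtering on Devices and Processes instead of RemoteIPs.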