
Devices with Log4j vulnerability alerts and additional other alert related context

KQL · MEDIUM · Azure-Sentinel
Sentinel table: AlertEvidence
Tags: exploit, hunting, microsoft, official
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-05T11:00:00Z · Confidence: medium

Hunt Hypothesis

Devices with Log4j vulnerability alerts may indicate exploitation by adversaries who use known vulnerabilities to execute arbitrary code. SOC teams should proactively hunt for this behavior in Azure Sentinel so that compromised systems are identified and contained before lateral movement or data exfiltration occurs.

KQL Query

// Get any devices with Log4J related Alert Activity
let DevicesLog4JAlerts = AlertInfo
| where Title in~('Suspicious script launched',
'Exploitation attempt against Log4j (CVE-2021-44228)',
'Suspicious process executed by a network service',
'Possible target of Log4j exploitation (CVE-2021-44228)',
'Possible target of Log4j exploitation',
'Possible Log4j exploitation',
'Network connection seen in CVE-2021-44228 exploitation',
'Log4j exploitation detected',
'Possible exploitation of CVE-2021-44228',
'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',
'Possible source of Log4j exploitation', // missing comma in the original broke the list
'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j
'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt
)
// Join in evidence information
| join AlertEvidence on AlertId
| where DeviceId != ""
| summarize by DeviceId, Title;
// Get additional alert activity for each device
AlertEvidence
| where DeviceId in(DevicesLog4JAlerts)
// Add additional info
| join kind=leftouter AlertInfo on AlertId
| summarize DeviceAlerts = make_set(Title), AlertIDs = make_set(AlertId) by DeviceId, bin(Timestamp, 1d)

Analytic Rule Definition

id: f0f222ae-a6c9-4992-9fdb-4b1601da244c
name: Devices with Log4j vulnerability alerts and additional other alert related context
description: |
  Microsoft has observed threat actors exploiting vulnerabilities associated with Log4J.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - AlertInfo
  - AlertEvidence
tactics:
- Vulnerability
query: |
  // Get any devices with Log4J related Alert Activity
  let DevicesLog4JAlerts = AlertInfo
  | where Title in~('Suspicious script launched',
  'Exploitation attempt against Log4j (CVE-2021-44228)',
  'Suspicious process executed by a network service',
  'Possible target of Log4j exploitation (CVE-2021-44228)',
  'Possible target of Log4j exploitation',
  'Possible Log4j exploitation',
  'Network connection seen in CVE-2021-44228 exploitation',
  'Log4j exploitation detected',
  'Possible exploitation of CVE-2021-44228',
  'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',
  'Possible source of Log4j exploitation', // missing comma in the original broke the list
  'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j
  'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt
  )
  // Join in evidence information
  | join AlertEvidence on AlertId
  | where DeviceId != ""
  | summarize by DeviceId, Title;
  // Get additional alert activity for each device
  AlertEvidence
  | where DeviceId in(DevicesLog4JAlerts)
  // Add additional info
  | join kind=leftouter AlertInfo on AlertId
  | summarize DeviceAlerts = make_set(Title), AlertIDs = make_set(AlertId) by DeviceId, bin(Timestamp, 1d)

Required Data Sources

Sentinel Table    Notes
AlertEvidence     Ensure this data connector is enabled

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Campaigns/Log4J/Devices with Log4j vulnerability alerts and additional other alert related context.yaml