diff --git a/Solutions/Apache Log4j Vulnerability Detection/Analytic Rules/UserAgentSearch_log4j.yaml b/Solutions/Apache Log4j Vulnerability Detection/Analytic Rules/UserAgentSearch_log4j.yaml
index c585095ede7..f2c6aba0bf0 100644
--- a/Solutions/Apache Log4j Vulnerability Detection/Analytic Rules/UserAgentSearch_log4j.yaml
+++ b/Solutions/Apache Log4j Vulnerability Detection/Analytic Rules/UserAgentSearch_log4j.yaml
@@ -59,7 +59,7 @@ query: |
 (AzureDiagnostics
 | where Category in ("FrontdoorWebApplicationFirewallLog", "FrontdoorAccessLog", "ApplicationGatewayFirewallLog", "ApplicationGatewayAccessLog")
 | where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex
- | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = column_ifexists("clientIp_s",clientIP_s), Type, column_ifexists("originalHost_s",host_s), Url = requestUri_s, HttpStatus = column_ifexists("httpStatusDetails_s",httpStatus_d), column_ifexists("transactionId_g",trackingReference_s), ruleName_s, ResourceType, ResourceId
+ | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = column_ifexists("clientIp_s",clientIP_s), Type, column_ifexists("originalHost_s",host_s), Url = requestUri_s, HttpStatus = column_ifexists("httpStatusDetails_s",httpStatus_d), column_ifexists("trackingReference_s",transactionId_g), ruleName_s, ResourceType, ResourceId
 ),
 (
 W3CIISLog
@@ -97,5 +97,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: Account
-version: 1.0.8
+version: 1.0.9
 kind: Scheduled
diff --git a/Solutions/Apache Log4j Vulnerability Detection/Data/Solution_Log4j.json b/Solutions/Apache Log4j Vulnerability Detection/Data/Solution_Log4j.json
index 109def11279..9367c121186 100644
--- a/Solutions/Apache Log4j Vulnerability Detection/Data/Solution_Log4j.json
+++ b/Solutions/Apache Log4j Vulnerability Detection/Data/Solution_Log4j.json
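Review bot: `column_ifexists("trackingReference_s",transactionId_g)` in the new summarize line moves the failure case rather than removing it: column_ifexists resolves against the AzureDiagnostics table schema, so when trackingReference_s is absent the fallback is a bare reference to transactionId_g, which presumably fails the whole query if that column is absent as well (a workspace whose AzureDiagnostics table has neither Front Door nor Application Gateway columns), and when both columns exist every Application Gateway row gets an empty value because the Front Door column is always chosen. A literal default on both sides avoids both cases and also names the output column, `TransactionId = coalesce(tostring(column_ifexists("trackingReference_s","")), tostring(column_ifexists("transactionId_g","")))`; the same pattern would apply to `SourceIP = column_ifexists("clientIp_s",clientIP_s)` and `column_ifexists("originalHost_s",host_s)` on the same line. The identical summarize line is duplicated in the generated mainTemplate.json query hunk (@@ -838), which should be regenerated from the YAML rather than edited separately. The enclosing `query: |` block starts and ends outside the hunk.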
@@ -50,7 +50,7 @@
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Apache Log4j Vulnerability Detection",
 "Metadata": "SolutionMetadata.json",
- "Version": "3.0.5",
+ "Version": "3.0.6",
 "TemplateSpec": true,
- "Is1Pconnector": true
+ "StaticDataConnector": true
 }
\ No newline at end of file
diff --git a/Solutions/Apache Log4j Vulnerability Detection/Package/3.0.6.zip b/Solutions/Apache Log4j Vulnerability Detection/Package/3.0.6.zip
new file mode 100644
index 00000000000..97a4ff47a27
Binary files /dev/null and b/Solutions/Apache Log4j Vulnerability Detection/Package/3.0.6.zip differ
diff --git a/Solutions/Apache Log4j Vulnerability Detection/Package/mainTemplate.json b/Solutions/Apache Log4j Vulnerability Detection/Package/mainTemplate.json
index 0dfa0b4fc8d..c3112f48ef1 100644
--- a/Solutions/Apache Log4j Vulnerability Detection/Package/mainTemplate.json
+++ b/Solutions/Apache Log4j Vulnerability Detection/Package/mainTemplate.json
@@ -57,7 +57,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Apache Log4j Vulnerability Detection",
- "_solutionVersion": "3.0.5",
+ "_solutionVersion": "3.0.6",
 "solutionId": "azuresentinel.azure-sentinel-solution-apachelog4jvulnerability",
 "_solutionId": "[variables('solutionId')]",
 "workbookVersion1": "1.0.0",
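Review bot: The replacement of `"Is1Pconnector": true` with `"StaticDataConnector": true` in Solution_Log4j.json is a packaging-input change that the 3.0.6 ReleaseNotes row does not mention; that row records only the query fix. If the flag switch is intentional it belongs in the release note alongside the query fix, and if it is a side effect of a tooling update it should be stated in the commit description so a later version bump does not silently revert it. What the packaging tool does with either flag is not visible on this page, so I cannot confirm whether the generated mainTemplate.json differs because of it.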
@@ -95,11 +95,11 @@ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6e575295-a7e6-464c-8192-3e1d8fd6a990','-', '2.0.6')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.8", + "analyticRuleVersion4": "1.0.9", "_analyticRulecontentId4": "29283b22-a1c0-4d16-b0a9-3460b655a46a", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '29283b22-a1c0-4d16-b0a9-3460b655a46a')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('29283b22-a1c0-4d16-b0a9-3460b655a46a')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','29283b22-a1c0-4d16-b0a9-3460b655a46a','-', '1.0.8')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','29283b22-a1c0-4d16-b0a9-3460b655a46a','-', '1.0.9')))]" }, "huntingQueryObject1": { "huntingQueryVersion1": "1.0.4", @@ -181,7 +181,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Log4jPostCompromiseHunting Workbook with template version 3.0.5", + "description": "Log4jPostCompromiseHunting Workbook with template version 3.0.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -297,7 +297,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Log4jImpactAssessment Workbook with template version 3.0.5", + "description": "Log4jImpactAssessment Workbook with template version 3.0.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -405,7 +405,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Log4jVulnerableMachines_AnalyticalRules Analytics Rule with template version 3.0.5", + "description": "Log4jVulnerableMachines_AnalyticalRules Analytics Rule with template version 3.0.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -443,8 +443,8 @@ { "fieldMappings": [ { - "columnName": "VirtualMachine", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "VirtualMachine" } ], "entityType": "Host" @@ -503,7 +503,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzureWAFmatching_log4j_vuln_AnalyticalRules Analytics Rule with template version 3.0.5", + "description": "AzureWAFmatching_log4j_vuln_AnalyticalRules Analytics Rule with template version 3.0.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -531,10 +531,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "WAF", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "WAF" } ], "tactics": [ @@ -547,8 +547,8 @@ { "fieldMappings": [ { - "columnName": "MaliciousHost", - "identifier": "Address" + "identifier": "Address", + "columnName": "MaliciousHost" } ], "entityType": "IP" @@ -607,7 +607,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Log4J_IPIOC_Dec112021_AnalyticalRules Analytics Rule with template version 3.0.5", + "description": "Log4J_IPIOC_Dec112021_AnalyticalRules Analytics Rule with template version 3.0.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", 
@@ -635,94 +635,94 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity" - ] + ], + "connectorId": "Office365" }, { - "connectorId": "DNS", "dataTypes": [ "DnsEvents" - ] + ], + "connectorId": "DNS" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "CiscoASA", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CiscoASA" }, { - "connectorId": "CiscoAsaAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CiscoAsaAma" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureMonitor(WireData)", "dataTypes": [ "WireData" - ] + ], + "connectorId": "AzureMonitor(WireData)" }, { - "connectorId": "AzureMonitor(IIS)", "dataTypes": [ "W3CIISLog" - ] + ], + "connectorId": "AzureMonitor(IIS)" }, { - "connectorId": "AzureActivity", "dataTypes": [ "AzureActivity" - ] + ], + "connectorId": "AzureActivity" }, { - "connectorId": "AWS", "dataTypes": [ "AWSCloudTrail" - ] + ], + "connectorId": "AWS" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" } ], "tactics": [ 
@@ -735,12 +735,12 @@ { "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -748,12 +748,12 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -761,8 +761,8 @@ { "fieldMappings": [ { - "columnName": "IPEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPEntity" } ], "entityType": "IP" @@ -821,7 +821,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserAgentSearch_log4j_AnalyticalRules Analytics Rule with template version 3.0.5", + "description": "UserAgentSearch_log4j_AnalyticalRules Analytics Rule with template version 3.0.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", 
@@ -838,7 +838,7 @@ "description": "This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern.\nLog4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/", "displayName": "User agent search for log4j exploitation attempt", "enabled": false, - "query": "let UserAgentString = dynamic ([\"${jndi:ldap:/\", \"${jndi:rmi:/\", \"${jndi:ldaps:/\", \"${jndi:dns:/\", \"${jndi:iiop:/\",\"${jndi:\",\"${jndi:nds:/\",\"${jndi:corba/\"]);\nlet UARegexMinimalString=dynamic(['{','%7b', '%7B']);\nlet UARegex = @'(\\\\$|%24)(\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\$|%24|}|%7D)';\n(union isfuzzy=true\n(OfficeActivity\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\n),\n(AzureDiagnostics\n| where Category in (\"FrontdoorWebApplicationFirewallLog\", \"FrontdoorAccessLog\", \"ApplicationGatewayFirewallLog\", \"ApplicationGatewayAccessLog\")\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = column_ifexists(\"clientIp_s\",clientIP_s), Type, column_ifexists(\"originalHost_s\",host_s), Url = requestUri_s, HttpStatus = column_ifexists(\"httpStatusDetails_s\",httpStatus_d), column_ifexists(\"transactionId_g\",trackingReference_s), ruleName_s, ResourceType, ResourceId\n),\n(\nW3CIISLog\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\n| summarize 
StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, Url = csUriStem\n),\n(\nAWSCloudTrail\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\n),\n(SigninLogs\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n),\n(AADNonInteractiveUserSignInLogs \n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n),\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Url, Type\n)\n)\n", + "query": "let UserAgentString = dynamic ([\"${jndi:ldap:/\", \"${jndi:rmi:/\", \"${jndi:ldaps:/\", \"${jndi:dns:/\", \"${jndi:iiop:/\",\"${jndi:\",\"${jndi:nds:/\",\"${jndi:corba/\"]);\nlet UARegexMinimalString=dynamic(['{','%7b', '%7B']);\nlet UARegex = @'(\\\\$|%24)(\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\$|%24|}|%7D)';\n(union isfuzzy=true\n(OfficeActivity\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize 
StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\n),\n(AzureDiagnostics\n| where Category in (\"FrontdoorWebApplicationFirewallLog\", \"FrontdoorAccessLog\", \"ApplicationGatewayFirewallLog\", \"ApplicationGatewayAccessLog\")\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = column_ifexists(\"clientIp_s\",clientIP_s), Type, column_ifexists(\"originalHost_s\",host_s), Url = requestUri_s, HttpStatus = column_ifexists(\"httpStatusDetails_s\",httpStatus_d), column_ifexists(\"trackingReference_s\",transactionId_g), ruleName_s, ResourceType, ResourceId\n),\n(\nW3CIISLog\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, Url = csUriStem\n),\n(\nAWSCloudTrail\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\n),\n(SigninLogs\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n),\n(AADNonInteractiveUserSignInLogs \n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), 
tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n),\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Url, Type\n)\n)\n", "queryFrequency": "P1D", "queryPeriod": "P1D", "severity": "High", @@ -849,52 +849,52 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SquidProxy", "dataTypes": [ "SquidProxy_CL" - ] + ], + "connectorId": "SquidProxy" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "WAF", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "WAF" }, { - "connectorId": "Office365", "dataTypes": [ "OfficeActivity" - ] + ], + "connectorId": "Office365" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AWS", "dataTypes": [ "AWSCloudTrail" - ] + ], + "connectorId": "AWS" }, { - "connectorId": "AzureMonitor(IIS)", "dataTypes": [ "W3CIISLog" - ] + ], + "connectorId": "AzureMonitor(IIS)" } ], "tactics": [ @@ -907,8 +907,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -916,8 +916,8 @@ { "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ], "entityType": "IP" @@ -925,8 +925,8 @@ { "fieldMappings": [ { - "columnName": "Account", - "identifier": "Name" + "identifier": "Name", + "columnName": "Account" } ], "entityType": "Account" 
@@ -985,7 +985,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WAF_log4j_vulnerability_HuntingQueries Hunting Query with template version 3.0.5", + "description": "WAF_log4j_vulnerability_HuntingQueries Hunting Query with template version 3.0.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -1070,7 +1070,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NetworkConnectionldap_log4j_HuntingQueries Hunting Query with template version 3.0.5", + "description": "NetworkConnectionldap_log4j_HuntingQueries Hunting Query with template version 3.0.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -1155,7 +1155,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Firewall_Disable_Activity_HuntingQueries Hunting Query with template version 3.0.5", + "description": "Firewall_Disable_Activity_HuntingQueries Hunting Query with template version 3.0.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", 
@@ -1240,7 +1240,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Apache_log4j_Vulnerability_HuntingQueries Hunting Query with template version 3.0.5", + "description": "Apache_log4j_Vulnerability_HuntingQueries Hunting Query with template version 3.0.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -1325,7 +1325,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Process_Termination_Activity_HuntingQueries Hunting Query with template version 3.0.5", + "description": "Process_Termination_Activity_HuntingQueries Hunting Query with template version 3.0.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -1410,7 +1410,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Suspicious_ShellScript_Activity_HuntingQueries Hunting Query with template version 3.0.5", + "description": "Suspicious_ShellScript_Activity_HuntingQueries Hunting Query with template version 3.0.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", 
@@ -1495,7 +1495,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Base64_Download_Activity_HuntingQueries Hunting Query with template version 3.0.5", + "description": "Base64_Download_Activity_HuntingQueries Hunting Query with template version 3.0.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -1580,7 +1580,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Container_Miner_Activity_HuntingQueries Hunting Query with template version 3.0.5", + "description": "Container_Miner_Activity_HuntingQueries Hunting Query with template version 3.0.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -1665,7 +1665,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Linux_Toolkit_Detected_HuntingQueries Hunting Query with template version 3.0.5", + "description": "Linux_Toolkit_Detected_HuntingQueries Hunting Query with template version 3.0.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", 
@@ -1750,7 +1750,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NetworkConnectionToNewExternalLDAPServer_HuntingQueries Hunting Query with template version 3.0.5", + "description": "NetworkConnectionToNewExternalLDAPServer_HuntingQueries Hunting Query with template version 3.0.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", @@ -1835,7 +1835,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BatchImportToSentinel Playbook with template version 3.0.5", + "description": "BatchImportToSentinel Playbook with template version 3.0.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -2054,7 +2054,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Log4jIndicatorProcessor Playbook with template version 3.0.5", + "description": "Log4jIndicatorProcessor Playbook with template version 3.0.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", 
@@ -2353,7 +2353,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.5",
+ "version": "3.0.6",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Apache Log4j Vulnerability Detection",
@@ -2475,7 +2475,7 @@
 {
 "kind": "Watchlist",
 "contentId": "[variables('_Campaign')]",
- "version": "3.0.5"
+ "version": "3.0.6"
 },
 {
 "kind": "Solution",
diff --git a/Solutions/Apache Log4j Vulnerability Detection/ReleaseNotes.md b/Solutions/Apache Log4j Vulnerability Detection/ReleaseNotes.md
index f47622e0d1a..ea78cc99337 100644
--- a/Solutions/Apache Log4j Vulnerability Detection/ReleaseNotes.md
+++ b/Solutions/Apache Log4j Vulnerability Detection/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|----------------------------------------------------------------------------|
+| 3.0.6 | 21-01-2025 | Fixed query in **Analytical Rule** UserAgentSearch_log4j.yaml |
 | 3.0.5 | 26-07-2024 | Updated **Analytical Rule** for missing TTP |
 | 3.0.4 | 31-05-2024 | Added missing AMA **Data Connector** reference in **Analytic rules** and **Hunting Query** |
 | 3.0.3 | 15-02-2024 | Updated the solution to fix **Analytic Rules** deployment issue |