log4j-kql.md

NOT perfect queries but likely indicators to further investigate the hit hosts

You might want to add some of your own public IP's that you have in your cloud envs

MDE

requests to default ldap ports by possible impacted processes

DeviceNetworkEvents
| where RemotePort in ("389","636","3269","3268")
| where not(RemoteIP startswith "10." or  RemoteIP == "127.0.0.1" or RemoteIP == "::1" or RemoteIP startswith "::ffff:10.")
| where InitiatingProcessFileName has_any ("apache","w3wp.exe","java","tomcat","sapwebdisp.exe")
| summarize count() by InitiatingProcessFileName, RemoteIP, RemoteUrl, DeviceName

dns results to requests by possible impacted processes

DeviceEvents
| where ActionType contains "DnsQueryResponse"
| extend DnsQueryString=(parse_json(AdditionalFields).DnsQueryString)
| where InitiatingProcessFileName has_any ("apache","w3wp.exe","java","tomcat","sapwebdisp.exe")
| summarize count() by InitiatingProcessFileName,tostring(DnsQueryString)

hits to known IOCs based on Greynoise info and MS threat intel

let intel=((externaldata (URL:string,values: dynamic) [@"https://gist.githubusercontent.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8/raw/f1751cc072bd33256c0005021f33348c22aa76fc/Callback%2520Domains%2520log4j"]));
let IPList = externaldata(IPAddress:string)[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv"] with (format="csv", ignoreFirstRecord=True);
let domains=intel |  extend domains=extract(@"([0-9a-z]+\.[0-9a-z]+\.[a-z]+)",0,URL)| distinct domains| where domains != "" | project domains;
let ips=intel | extend ips=extract(@"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",0,URL) | distinct ips | where ips != "" | project ips;
let ports = intel | extend ports=extract(@":([0-9]{2,5})\/",1,URL) | distinct ports | where ports != "" | project ports;
DeviceNetworkEvents
    | where Timestamp > datetime("2021-12-09")
    | where not(RemoteIP == "0.0.0.0")
    | where not(ipv4_is_match(RemoteIP, '127.0.0.0/8'))
    | where not(ipv4_is_match(RemoteIP, '10.0.0.0/8'))
    | where not(ipv4_is_match(RemoteIP, '172.16.0.0/12'))
    | where not(ipv4_is_match(RemoteIP, '192.168.0.0/16'))
    | where not(ipv4_is_match(RemoteIP, '169.254.0.0/16'))
    | where not(ipv4_is_match(RemoteIP, '6.66.0.0/16'))
    | where not(RemoteIP == "::1" or RemoteIP startswith "::ffff:10." or RemoteIP startswith "::ffff:192.168" or RemoteIP startswith "::ffff:172.16.")
    | where (RemoteUrl has_any ((domains)) 
        or RemoteIP has_any ((ips))) or RemoteIP in (IPList)
    // | where InitiatingProcessFileName has_any ("apache","w3wp.exe","java.exe","tomcat")
    | project Timestamp,InitiatingProcessFileName, LocalIP,InitiatingProcessAccountName,RemoteIP, RemoteUrl, RemotePort,DeviceName

MDE queries from Microsoft

DeviceProcessEvents
| where ProcessCommandLine has_all('${jndi') and ProcessCommandLine has_any('ldap', 'ldaps', 'http', 'rmi', 'dns', 'iiop')
//Removing FPs
| where not(ProcessCommandLine has_any('stackstorm', 'homebrew'))

DeviceProcessEvents
| where ProcessCommandLine matches regex @'(?i)\$\{jndi:(ldap|http|https|ldaps|dns|rmi|iiop):\/\/(\$\{([a-z]){1,20}:([a-z]){1,20}\})?(([a-zA-Z0-9]|-){2,100})?(\.([a-zA-Z0-9]|-){2,100})?\.([a-zA-Z0-9]|-){2,100}\.([a-z0-9]){2,20}(\/).*}'     
or InitiatingProcessCommandLine matches regex @'(?i)\$\{jndi:(ldap|http|https|ldaps|dns|rmi|iiop):\/\/(\$\{([a-z]){1,20}:([a-z]){1,20}\})?(([a-zA-Z0-9]|-){2,100})?(\.([a-zA-Z0-9]|-){2,100})?\.([a-zA-Z0-9]|-){2,100}\.([a-z0-9]){2,20}(\/).*}'

CloudAppEvents
| where Timestamp > datetime("2021-12-09")
| where UserAgent contains "jndi:" or AccountDisplayName contains "jndi:" or Application contains "jndi:" or AdditionalFields contains "jndi:"
| project ActionType, ActivityType, Application, AccountDisplayName, IPAddress, UserAgent, AdditionalFields

DeviceTvmSoftwareInventory
| where SoftwareName contains "log4j"
| project DeviceName, SoftwareName, SoftwareVersion

Sentinel

hits to known IOCs based on Greynoise info and MS threat intel

Zscaler

let intel=((externaldata (URL:string,values: dynamic) [@"https://gist.githubusercontent.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8/raw/f1751cc072bd33256c0005021f33348c22aa76fc/Callback%2520Domains%2520log4j"]));
let IPList = externaldata(IPAddress:string)[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv"] with (format="csv", ignoreFirstRecord=True);
let domains=intel |  extend domains=extract(@"([0-9a-z]+\.[0-9a-z]+\.[a-z]+)",0,URL)| distinct domains| where domains != "" | project domains;
let ips=intel | extend ips=extract(@"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",0,URL) | distinct ips | where ips != "" | project ips;
let ports = intel | extend ports=extract(@":([0-9]{2,5})\/",1,URL) | distinct ports | where ports != "" | project ports;
CommonSecurityLog
| where TimeGenerated > datetime("2021-12-09")
| where DeviceVendor == "Zscaler"
| where RequestClientApplication contains "jndi" or DestinationIP in (ips) or RequestURL has_any (domains)  or DestinationIP in (IPList)

Fortinet

let intel=((externaldata (URL:string,values: dynamic) [@"https://gist.githubusercontent.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8/raw/f1751cc072bd33256c0005021f33348c22aa76fc/Callback%2520Domains%2520log4j"]));
let IPList = externaldata(IPAddress:string)[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv"] with (format="csv", ignoreFirstRecord=True);
let domains=intel |  extend domains=extract(@"([0-9a-z]+\.[0-9a-z]+\.[a-z]+)",0,URL)| distinct domains| where domains != "" | project domains;
let ips=intel | extend ips=extract(@"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",0,URL) | distinct ips | where ips != "" | project ips;
let ports = intel | extend ports=extract(@":([0-9]{2,5})\/",1,URL) | distinct ports | where ports != "" | project ports;
CommonSecurityLog
| where TimeGenerated > datetime("2021-12-09")
| where DeviceVendor == "Fortinet"
| where DestinationIP in (ips) or RequestURL has_any (domains)  or DestinationIP in (IPList)

Check Point

let intel=((externaldata (URL:string,values: dynamic) [@"https://gist.githubusercontent.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8/raw/f1751cc072bd33256c0005021f33348c22aa76fc/Callback%2520Domains%2520log4j"]));
let IPList = externaldata(IPAddress:string)[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv"] with (format="csv", ignoreFirstRecord=True);
let domains=intel |  extend domains=extract(@"([0-9a-z]+\.[0-9a-z]+\.[a-z]+)",0,URL)| distinct domains| where domains != "" | project domains;
let ips=intel | extend ips=extract(@"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",0,URL) | distinct ips | where ips != "" | project ips;
let ports = intel | extend ports=extract(@":([0-9]{2,5})\/",1,URL) | distinct ports | where ports != "" | project ports;
CommonSecurityLog
| where TimeGenerated > datetime("2021-12-09")
| where DeviceVendor == "Check Point"
| where DestinationIP in (ips) or RequestURL has_any (domains) or DestinationIP in (IPList)

Application gateway, regex tweak via @netrusion

AzureDiagnostics
| where TimeGenerated > datetime("2021-12-09")
| where ResourceType == "APPLICATIONGATEWAYS"
| where Category == "ApplicationGatewayAccessLog"
| where userAgent_s matches regex @"(%24|\$)(%7B|{).*(%4A|%6A|j|J).*?(%4E|%6e|n|N).*?(%44|%64|d|D).*?(%49|%69|i|I).*?(%3A|\:).*(%7D|})"  
    or requestUri_s matches regex @"(%24|\$)(%7B|{).*(%4A|%6A|j|J).*?(%4E|%6e|n|N).*?(%44|%64|d|D).*?(%49|%69|i|I).*?(%3A|\:).*(%7D|})" 
    or requestQuery_s matches regex @"(%24|\$)(%7B|{).*(%4A|%6A|j|J).*?(%4E|%6e|n|N).*?(%44|%64|d|D).*?(%49|%69|i|I).*?(%3A|\:).*(%7D|})"
| project TimeGenerated, ResourceId,clientIP_s, originalHost_s,httpStatus_d, userAgent_s,originalRequestUriWithArgs_s,requestUri_s,requestQuery_s