Log4Shell is an emerging threat and its exploit is still in the wild. As a SecOps analyst, your job is to monitor your cloud assets and ensure that, if there is any communication with a known IoC, you can take proper action.

In this article, I'd like to share a simple script to help bulk upload known Log4Shell IoCs to Microsoft Sentinel Threat Intelligence (TI) so you can monitor them.

Read the following article to learn more about the Microsoft Sentinel TI API:

Azure Sentinel Threat Intelligence API

Microsoft Sentinel (formerly Azure Sentinel) has a feature that allows you to create and manage custom Threat Intelligence (TI) indicators (also known as IoCs, Indicators of Compromise).

Download New-AzThreatIntelligenceIndicator.ps1 and run the following script:

$WorkspaceRg = "azsec-corporate-rg"
$WorkspaceName = "azsec-shared-workspace"
$IoCSource = "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv"

# Download the current IoC list next to this script, with a timestamp in the file name
$date = Get-Date -UFormat "%Y_%m_%d_%H%M%S"
$fileName = "Log4j_IOC_List_$($date).csv"
$output = "$PSScriptRoot\$fileName"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($IoCSource, $output)

# Skip the CSV header row; every remaining line is one IPv4 indicator
$iocs = Get-Content $output | Select-Object -Skip 1

# Create one TI indicator per IoC
foreach ($ioc in $iocs) {
    .\New-AzThreatIntelligenceIndicator.ps1 -WorkspaceRg $WorkspaceRg `
        -WorkspaceName $WorkspaceName `
        -IndicatorType "ipv4-addr" `
        -Pattern "ipv4-addr:value = '$ioc'" `
        -IndicatorDisplayName "log4jIoC-$ioc" `
        -IndicatorDescription "Log4j IoC" `
        -ThreatType "attribution","compromised" `
        -IsRevoked "false" `
        -Confidence 80 `
        -ValidFrom "2021-12-10T00:00:00Z" `
        -ValidUntil "2023-12-10T00:00:00Z" `
        -CreatedBy "azsec"
}

Provide your resource group, Log Analytics workspace name and IoC source. Currently I use this list.
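The loop above trusts every row of the feed. The following is an added example, not from the original post or the AzSec wrapper script: it checks that each row is a well-formed public IPv4 address, removes duplicates, and keeps going (recording failures) when one upload fails. It assumes the CSV layout the post relies on (a header row, then one IPv4 address per line) and the New-AzThreatIntelligenceIndicator.ps1 parameters shown above.

```powershell
# Added example: validate and de-duplicate the feed before uploading to Sentinel TI.
# Assumes the CSV layout from the post (header row, one IPv4 address per line) and the
# wrapper script parameters shown above; everything else is constructed for illustration.
param(
    [string]$WorkspaceRg   = "azsec-corporate-rg",
    [string]$WorkspaceName = "azsec-shared-workspace",
    [string]$IoCFile       = "$PSScriptRoot\Log4j_IOC_List.csv"
)
$ErrorActionPreference = 'Stop'   # make errors in the called script terminating so catch sees them

function Test-PublicIPv4 {
    # True only for a dotted-quad IPv4 address outside loopback, link-local and RFC 1918 space.
    param([string]$Value)
    if ($Value -notmatch '^(\d{1,3}\.){3}\d{1,3}$') { return $false }   # TryParse would accept "1" or "1.2.3"
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Value, [ref]$ip)) { return $false }   # rejects octets > 255
    if ($Value -match '^(127|10|0)\.|^192\.168\.|^169\.254\.|^172\.(1[6-9]|2\d|3[01])\.') { return $false }
    return $true
}

$rows  = @(Get-Content $IoCFile | Select-Object -Skip 1 | ForEach-Object { $_.Trim() })
$valid = @($rows | Where-Object { Test-PublicIPv4 $_ } | Sort-Object -Unique)
Write-Host ("{0} rows read, {1} unique public IPv4 indicators to upload" -f $rows.Count, $valid.Count)

$failed = @()
foreach ($ioc in $valid) {
    try {
        .\New-AzThreatIntelligenceIndicator.ps1 -WorkspaceRg $WorkspaceRg `
            -WorkspaceName $WorkspaceName `
            -IndicatorType "ipv4-addr" `
            -Pattern "ipv4-addr:value = '$ioc'" `
            -IndicatorDisplayName "log4jIoC-$ioc" `
            -IndicatorDescription "Log4j IoC" `
            -ThreatType "attribution","compromised" `
            -IsRevoked "false" `
            -Confidence 80 `
            -ValidFrom "2021-12-10T00:00:00Z" `
            -ValidUntil "2023-12-10T00:00:00Z" `
            -CreatedBy "azsec"
    }
    catch {
        # One failed API call should not abort the whole upload; record it for a retry.
        Write-Warning "Failed to upload $ioc : $($_.Exception.Message)"
        $failed += $ioc
    }
}
if ($failed.Count -gt 0) {
    $failed | Set-Content "$PSScriptRoot\Log4j_IOC_failed.txt"   # feed this file back in on the next run
}
```

Rows dropped by Test-PublicIPv4 are worth a look before the next run: a private or malformed address in a TI feed is usually a feed error rather than an indicator.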

How about Watchlist?

Of course, you can use a Microsoft Sentinel Watchlist to store Log4j IoCs. However, I think Threat Intelligence is more appropriate. You can easily upload a CSV file to a Watchlist.