Bulk upload Log4Shell IoC to Microsoft Sentinel Threat Intelligence

Log4Shell is an emerging threat and exploitation is still ongoing in the wild. As a SecOps analyst, your job is to monitor your cloud assets and make sure that, if any of them communicates with a known IoC, you can take appropriate action.

In this article, I’d like to share a simple script that bulk uploads known Log4Shell IoCs to Microsoft Sentinel Threat Intelligence (TI) so you can monitor them.

Read the following article to learn more about the Microsoft Sentinel TI API:

Azure Sentinel Threat Intelligence API

Download New-AzThreatIntelligenceIndicator.ps1 into a folder, save the following as a .ps1 file in the same folder (it relies on $PSScriptRoot, which is only set when running from a script file), then run it:

```powershell
$WorkspaceRg   = "azsec-corporate-rg"
$WorkspaceName = "azsec-shared-workspace"
$IoCSource     = "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv"

# Keep a timestamped copy of the feed next to the script for later review.
$date     = Get-Date -UFormat "%Y_%m_%d_%H%M%S"
$fileName = "Log4j_IOC_List_$($date).csv"
$output   = "$PSScriptRoot\$fileName"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($IoCSource, $output)

# Skip the CSV header row, then create one ipv4-addr indicator per line.
$iocs = Get-Content $output | Select-Object -Skip 1
foreach ($ioc in $iocs) {
  $ioc = $ioc.Trim()
  # Blank lines or entries that are not dotted-quad IPv4 addresses would
  # produce a malformed STIX pattern, so skip them with a warning.
  if ($ioc -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
    Write-Warning "Skipping entry that is not an IPv4 address: '$ioc'"
    continue
  }
  .\New-AzThreatIntelligenceIndicator.ps1 -WorkspaceRg $WorkspaceRg `
                                          -WorkspaceName $WorkspaceName `
                                          -IndicatorType "ipv4-addr" `
                                          -Pattern "ipv4-addr:value = '$ioc'" `
                                          -IndicatorDisplayName "log4jIoC-$ioc" `
                                          -IndicatorDescription "Log4j IoC" `
                                          -ThreatType "attribution","compromised" `
                                          -IsRevoked "false" `
                                          -Confidence 80 `
                                          -ValidFrom "2021-12-10T00:00:00Z" `
                                          -ValidUntil "2023-12-10T00:00:00Z" `
                                          -CreatedBy "azsec"
}
```

Provide your resource group, Log Analytics workspace name and IoC source. Currently I use the Log4j_IOC_List.csv feed from the Azure-Sentinel GitHub repository (the $IoCSource URL in the script above).
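The script above assumes every line of the feed is a clean IPv4 address. Real IoC feeds mix headers, blank lines, duplicates, CIDR ranges and domains, and each of those needs a different STIX pattern. The following is an added example (my own code, not the page’s script nor the Azure-Sentinel repository’s) that normalises a raw IoC list into Sentinel TI indicator request bodies and, optionally, posts them straight to the threatIntelligence createIndicator REST API instead of going through New-AzThreatIntelligenceIndicator.ps1. The request body shape, the api-version and the use of Get-AzAccessToken from Az.Accounts are assumptions based on the public API reference and should be checked against the current documentation; the sample lines are constructed and use documentation address ranges.

```powershell
# Added example, not from the original post. Turns raw IoC lines into Sentinel
# TI indicator bodies, handling the cases the simple loop above does not.

function ConvertTo-StixPattern {
    # Classify one IoC value and return its STIX pattern type and pattern, or $null if unrecognised.
    param([Parameter(Mandatory)][string]$Value)
    $v = $Value.Trim().Trim('"')
    if ($v -match '^(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?$') {
        # Dotted quad with optional CIDR prefix; reject octets above 255.
        $bad = ($Matches[1] -split '\.') | Where-Object { [int]$_ -gt 255 }
        if (-not $bad) { return @{ Type = 'ipv4-addr'; Pattern = "[ipv4-addr:value = '$v']" } }
    }
    elseif ($v -match '^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,}$') {
        return @{ Type = 'domain-name'; Pattern = "[domain-name:value = '$v']" }
    }
    return $null
}

function New-IndicatorBody {
    # Build the createIndicator request body (assumed shape: kind + properties) for one IoC.
    param(
        [Parameter(Mandatory)][string]$Value,
        [string]$Source = 'Log4j_IOC_List',
        [datetime]$ValidFrom = (Get-Date).ToUniversalTime(),
        [int]$ValidDays = 90          # expire rather than keeping stale scanners forever
    )
    $stix = ConvertTo-StixPattern -Value $Value
    if (-not $stix) { return $null }
    @{
        kind       = 'indicator'
        properties = @{
            displayName = "log4jIoC-$($Value.Trim())"
            description = 'Log4j IoC'
            pattern     = $stix.Pattern
            patternType = $stix.Type
            threatTypes = @('attribution', 'compromised')
            confidence  = 80
            revoked     = $false
            source      = $Source
            validFrom   = $ValidFrom.ToString('yyyy-MM-ddTHH:mm:ssZ')
            validUntil  = $ValidFrom.AddDays($ValidDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
        }
    }
}

function Publish-Indicator {
    # POST one body to the workspace's TI createIndicator endpoint. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][hashtable]$Body,
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$WorkspaceRg,
        [Parameter(Mandatory)][string]$WorkspaceName,
        [string]$ApiVersion = '2021-10-01'   # assumed; confirm against the current API reference
    )
    $uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$WorkspaceRg" +
           "/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName" +
           "/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator?api-version=$ApiVersion"
    if ($PSCmdlet.ShouldProcess($Body.properties.displayName, "POST $uri")) {
        $token = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com/').Token   # Az.Accounts, assumed
        Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/json' `
            -Headers @{ Authorization = "Bearer $token" } -Body ($Body | ConvertTo-Json -Depth 5)
    }
}

# Constructed sample input standing in for the downloaded CSV: a header, whitespace,
# a duplicate, a blank line, a CIDR range, a domain and a junk entry.
$sampleLines = @('IP', '203.0.113.10', ' 203.0.113.10 ', '', '198.51.100.0/24', 'log4j-c2.example', 'not an indicator')

$seen   = [System.Collections.Generic.HashSet[string]]::new()
$bodies = foreach ($line in ($sampleLines | Select-Object -Skip 1)) {
    $v = $line.Trim()
    if ([string]::IsNullOrWhiteSpace($v) -or -not $seen.Add($v)) { continue }   # blanks and duplicates
    $b = New-IndicatorBody -Value $v
    if ($b) { $b } else { Write-Warning "Skipping unrecognised IoC '$v'" }
}
$bodies | ForEach-Object { "$($_.properties.patternType): $($_.properties.pattern)" }
# Dry run, then the real upload, against your own workspace:
# $bodies | ForEach-Object { Publish-Indicator -Body $_ -SubscriptionId '<sub-id>' -WorkspaceRg $WorkspaceRg -WorkspaceName $WorkspaceName -WhatIf }
```

Run it once with -WhatIf to see the exact display name and URI for each indicator before anything is written, and keep $ValidDays short: an indicator that never expires keeps matching long after the scanner IP has been recycled.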

How about Watchlist?

Of course you can use a Microsoft Sentinel Watchlist to store Log4j IoCs, and a CSV file can be uploaded to a Watchlist directly. However, I think Threat Intelligence is more appropriate: TI indicators land in the ThreatIntelligenceIndicator table, which the built-in TI map analytics rules already correlate against your logs.

If you have any feedback, please feel free to leave a comment in the comment box or open a new GitHub issue.

This entry was posted in Monitoring & Detection, Security Automation.

1 Response to Bulk upload Log4Shell IoC to Microsoft Sentinel Threat Intelligence

  1. jim-msft says:

    Gold article! I’ve shared this article to customers.

    Thanks AzSec for the great effort!

    Jim – MSFT CSA
