Microsoft Log4j Discovery
Microsoft has announced updates to its cloud-based Defender products aimed at the Log4j vulnerability. Most affected systems have been patched, but some servers remain exposed, and Microsoft Defender can help find them. Since mid-December, Microsoft has been releasing updates to Microsoft 365 Defender that add automated methods of detecting and mitigating Log4j vulnerabilities, so Defender can now continuously watch for and identify vulnerable components.
The latest version can find vulnerable Log4j library components as well as installed software that uses the Log4j library. Microsoft has also added a dedicated Log4j dashboard that consolidates the discovered vulnerabilities in a single view.
The update also introduces a new hunting schema table, DeviceTvmSoftwareEvidenceBeta, which surfaces file-level findings from disk and lets users correlate them with added context while hunting. Combining DeviceTvmSoftwareVulnerabilities with DeviceTvmSoftwareEvidenceBeta lets users find vulnerable installed programs together with the on-disk locations that produced each finding.
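The correlation described above, as an added Advanced Hunting query written for this page (it is not Microsoft's published query): it joins the vulnerability findings to the new evidence table so every hit is shown with the disk path that triggered it. The column names are assumed from the schema reference as documented at the time and should be verified against your tenant's schema; CVE-2021-44228 is the original Log4Shell identifier and CVE-2021-45046 the follow-up fix bypass.

```kql
// Added example (not from the page or Microsoft): correlate Log4j
// vulnerability findings with the on-disk evidence behind them.
// Assumed column names follow the Advanced Hunting schema reference;
// check them against your tenant before relying on the query.
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2021-44228", "CVE-2021-45046")   // Log4Shell and its fix bypass
| project DeviceId, DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion,
          CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate
| join kind=inner (
    DeviceTvmSoftwareEvidenceBeta
    | project DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion,
              DiskPaths, RegistryPaths, LastSeenTime
  ) on DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion
// DiskPaths is a JSON array; expand it so each vulnerable file is its own row
| mv-expand DiskPath = DiskPaths to typeof(string)
| project DeviceName, SoftwareName, SoftwareVersion, CveId,
          VulnerabilitySeverityLevel, RecommendedSecurityUpdate,
          DiskPath, LastSeenTime
| order by DeviceName asc, DiskPath asc
```

Restricting the query to the two CVE IDs keeps the result set to Log4Shell rather than every finding the vulnerability table holds; the `mv-expand` is what turns one finding per package into one row per JAR on disk, which is the form a remediation ticket needs.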
These updates apply to Microsoft 365 Defender, Microsoft Defender for Endpoint, and Microsoft Defender for Containers. In addition to Windows 10 and 11, the updates support Windows Server 2008, 2012, and 2016. Linux users get them by updating Defender for Linux to version 101.52.57 (30.121092.15257.0) or later.
Microsoft Defender for Containers is a cloud-based protection plan that debuted in early December and is designed specifically for protecting containers. The recent update lets it detect images vulnerable to Log4j: it automatically scans images when they are pushed to an Azure container registry, pulled from one, or run on a Kubernetes cluster.
In the Azure portal, the recommendation "Container Registry images should have vulnerability findings resolved" appears under Microsoft Defender for Cloud, and that is where Defender lists the vulnerable images. Users can also filter to just the vulnerable images currently running on a Kubernetes cluster, or query Azure Resource Graph for vulnerability information across clouds.
Microsoft has also said it is investigating reports of false positives raised by the new Microsoft 365 Defender detections.