The following KQL queries help detect Log4j software, or files belonging to it, on Azure servers from the Azure Portal using the Azure Monitor service.
Detecting Log4j with KQL Log Queries in Azure Monitor:
Use the following KQL query to fetch and display the inventory records whose SoftwareName contains the substring "Log4Shell" within the selected target scope. Note that Log4Shell is the name of the vulnerability rather than of the library, so inventoried package names are more likely to contain "log4j" (see the queries further down).
ConfigurationData | where SoftwareName contains "Log4Shell"
Use the following KQL query to fetch and display the software inventory records whose SoftwareName contains the substring "Log" within the selected target scope (the KQL contains operator is case-insensitive, so this also matches "log").
ConfigurationData | where SoftwareName contains "Log"
Use the following KQL query to list the distinct software names inventoried on the Azure servers in the selected target scope.
ConfigurationData | distinct SoftwareName
More example KQL log queries for finding the vulnerable library (replace add_vm_name with the name of the VM to inspect):
ConfigurationData | where Computer == "add_vm_name" | distinct FileSystemPath
ConfigurationData | where SoftwareName startswith "l" | distinct SoftwareName
ConfigurationData | where FileSystemPath contains "liblog4j2-java"
ConfigurationData | distinct FileSystemPath
ConfigurationData | where FileSystemPath contains "log"
ConfigurationData | where SoftwareName contains "liblog4j2-java"
Linux command to check for Log4j in Azure Linux VMs (Debian/Ubuntu-based images; it lists only Log4j installed through the package manager)
command: dpkg --list | grep -i log4j
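As an added example that is not part of the original page, the following POSIX shell script complements the dpkg check above by walking the filesystem for log4j-core jars, which dpkg does not see when they are bundled inside application directories. It assumes 2.17.0 as the fixed version threshold for the 2.x line (confirm against current vendor guidance), and the directory tree it builds is a constructed sample with empty files standing in for jars.

```shell
#!/bin/sh
# Added example (not from the original page): locate log4j-core jars by walking the
# filesystem, because dpkg --list only sees distro packages, not jars bundled in apps.
# Assumption: 2.17.0 is the fixed threshold for the 2.x line; check vendor guidance.
FIXED_VERSION="2.17.0"
# version_lt A B: exit 0 when dotted version A is lower than B, 1 otherwise
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0; if (xi > yi) exit 1
        }
        exit 1 }'
}

# log4j_version_from_name FILE: print the version embedded in a log4j-core jar name
log4j_version_from_name() {
    basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# scan_log4j_jars DIR: one line per log4j-core jar below DIR, "VULNERABLE ver path" or "OK ver path"
scan_log4j_jars() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | while IFS= read -r jar; do
        ver=$(log4j_version_from_name "$jar")
        [ -n "$ver" ] || continue
        if version_lt "$ver" "$FIXED_VERSION"; then
            printf 'VULNERABLE %s %s\n' "$ver" "$jar"
        else
            printf 'OK %s %s\n' "$ver" "$jar"
        fi
    done
}

# count_vulnerable DIR: number of flagged jars below DIR (prints 0 when none)
count_vulnerable() {
    scan_log4j_jars "$1" | grep -c '^VULNERABLE ' || true
}

# make_sample_tree DIR: constructed sample layout; empty files stand in for jars
make_sample_tree() {
    mkdir -p "$1/app1/lib" "$1/app2/lib"
    : > "$1/app1/lib/log4j-core-2.14.1.jar"
    : > "$1/app2/lib/log4j-core-2.17.1.jar"
    : > "$1/app2/lib/log4j-api-2.17.1.jar"   # api jar alone is not the vulnerable component
}

DEMO=$(mktemp -d); make_sample_tree "$DEMO"
scan_log4j_jars "$DEMO"; echo "vulnerable jars: $(count_vulnerable "$DEMO")"; rm -rf "$DEMO"
```

Point scan_log4j_jars at / (or the application roots) on a real host; it only reads file names, so it is safe to run on a production VM.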