Microsoft Sentinel Log4j Ubiquiti Analytic Rule
I created a quick Analytic Rule for those using Ubiquiti logs with Microsoft Sentinel. First of all, I just took two existing rules and made a new one. To get the IOCs for Log4j published on the Sentinel GitHub page, I utilized the code from a recently published rule in Microsoft Sentinel. Read more about it on Rod Trent's post, Enabling the Log4j Vulnerability Exploit Analytics Rule for Microsoft Sentinel.
Second, I utilized code from the Ubiquiti - Connection to known malicious IP or C2 Analytics Rule in Microsoft Sentinel. For more information on setting up the Ubiquiti Solution in Microsoft Sentinel, check out TeachJing's YouTube video Ingest Ubiquiti Logs into Azure Sentinel.
The following .json (ARM Template) contains the rule you would need to import via Import from the Analytics blade in Microsoft Sentinel. It is pretty straightforward.
The following is just the KQL utilized in the rule, in case you want to create your own.
let malicious_ips = externaldata(IPAddress:string)[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv"] with (format="csv", ignoreFirstRecord=True);
UbiquitiAuditEvent
| where EventCategory =~ 'firewall'
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where DstIpAddr in (malicious_ips)
| where DvcAction =~ 'Accepted'
| extend IPCustomEntity = SrcIpAddr