Update tvm-manage-Log4shell-guidance.md

Author: denisebmsft

defender-vulnerability-management/tvm-manage-Log4shell-guidance.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 06/29/2022
+ms.date: 06/14/2024
 ---
 
 # Learn how to manage the Log4Shell vulnerability in Microsoft Defender for Endpoint
@@ -25,11 +25,11 @@ The Log4Shell vulnerability is a remote code execution (RCE) vulnerability found
 > [!NOTE]
 > Refer to the blogs [Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability and](https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/) [Microsoft Security Response Center](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/) for guidance and technical information about the vulnerability and product specific mitigation recommendations to protect your organization.
 
-## Overview of discovery, monitoring and mitigation capabilities
+## Overview of discovery, monitoring, and mitigation capabilities
 
 Defender Vulnerability Management provides you with the following capabilities to help you identify, monitor, and mitigate your organizational exposure to the Log4Shell vulnerability:
 
-- **Discovery**: Detection of exposed devices, both Microsoft Defender for Endpoint onboarded devices as well as devices that have been discovered but aren't yet onboarded, is based on vulnerable software and vulnerable files detected on disk.
+- **Discovery**: Detection of exposed devices, both Microsoft Defender for Endpoint onboarded devices and devices that have been discovered but aren't yet onboarded, is based on vulnerable software and vulnerable files detected on disk.
 - **Threat awareness:** A consolidated view to assess your organizational exposure. This view shows your exposure at the device level and software level, and provides access to details on vulnerable files like, the last time it was seen, the last time it was executed and the last time it was executed with open ports. You can use this information to prioritize your remediation actions. It can take up to 24 hours for data related to exposed devices to appear on the dashboard.
 - **Mitigation options:** Apply mitigation options to help lower your exposure risk.
 - **Advanced hunting:** Use advanced hunting to return details for vulnerable log4j files identified on disk.
@@ -47,14 +47,16 @@ Defender Vulnerability Management provides you with the following capabilities t
 
 Embedded Defender Vulnerability Management capabilities, along with enabling Log4j detection, in the Microsoft Defender portal, will help you discover devices exposed to the Log4Shell vulnerability.
 
-Onboarded devices, are assessed using existing embedded Defender Vulnerability Management capabilities that can discover vulnerable software and files.
+Onboarded devices are assessed using existing embedded Defender Vulnerability Management capabilities that can discover vulnerable software and files.
 
-For detection on discovered but not yet onboarded devices, Log4j detection must be enabled. This will initiate probes in the same way device discovery actively probes your network. This includes probing from multiple onboarded endpoints (Windows 10+ and Windows Server 2019+ devices) and only probing within subnets, to detect devices that are vulnerable and remotely exposed to CVE-2021-44228.
+For detection on discovered but not yet onboarded devices, Log4j detection must be enabled. This initiates probes in the same way device discovery actively probes your network. Probing includes multiple onboarded endpoints (Windows 10+ and Windows Server 2019+ devices) and only probing within subnets to detect devices that are vulnerable and remotely exposed to CVE-2021-44228.
 
 To enable Log4 detection:
 
 1. Go to **Settings** > **Device discovery** > **Discovery setup**.
+
 2. Select **Enable Log4j2 detection (CVE-2021-44228)**.
+
 3. Select **Save**.
 
 :::image type="content" source="media/enable-log4j.png" alt-text="Screenshot of setting to enable log4j2 detection." lightbox="media/enable-log4j.png":::
@@ -95,7 +97,9 @@ This table describes the search capabilities supported platforms and versions:
 ## Learn about your Log4Shell exposure and mitigation options
 
 1. In the Microsoft Defender portal, go to **Vulnerability management** > **Weaknesses**.  
+
 2. Select **CVE-2021-44228**.
+
 3. Select **Open vulnerability page**.
 
 :::image type="content" source="media/open-vulnerability-page.png" alt-text="Screenshot of vulnerability page on the vulnerability management dashboard." lightbox="media/open-vulnerability-page.png":::
@@ -106,6 +110,7 @@ This table describes the search capabilities supported platforms and versions:
 The log4Shell vulnerability can be mitigated by preventing JNDI lookups on Log4j versions 2.10 - 2.14.1 with default configurations. To create this mitigation action, from the **Threat awareness dashboard**:
 
 1. Select **View vulnerability details**.
+
 2. Select **Mitigation options**.
 
 You can choose to apply the mitigation to all exposed devices or select specific onboarded devices. To complete the process and apply the mitigation on devices, select **Create mitigation action**.
@@ -139,18 +144,21 @@ In cases where the mitigation needs to be reverted, follow these steps:
 **_For Windows:_**
 
 1. Open an elevated PowerShell window.
+
 2. Run the following command:
 
- ```Powershell
+   ```Powershell
    [Environment]::SetEnvironmentVariable("LOG4J\_FORMAT\_MSG\_NO\_LOOKUPS", $null,[EnvironmentVariableTarget]::Machine)
-```
+   ```
 
 The change will take effect after the device restarts.
 
 **_For Linux:_**
 
 1. Open the file /etc/environment and delete the line LOG4J\_FORMAT\_MSG\_NO\_LOOKUPS=true
+
 2. Delete the file /etc/systemd/system.conf.d/log4j\_disable\_jndi\_lookups.conf
+
 3. Delete the file /etc/systemd/user.conf.d/log4j\_disable\_jndi\_lookups.conf
 
 The change will take effect after the device restarts.