Detecting and responding to Apache “Log4j 2” using Google Chronicle

Historical Raw Log Search Across The Enterprise
rule cve_2021_44228_execution {meta:tactic = “TA0002”description = “Identifies process execution using JNDI strings.”events:$event.metadata.event_type = “PROCESS_LAUNCH”$event.target.process.command_line = /.*\$\{jndi\:(ldap|rmi|ldaps|dns)\:.*\}.*/ nocase$event.principal.hostname = $hostnamecondition:$event}
rule cve_2021_44228_http {meta:tactic = "TA0002"technique = "T1059"description = "Identifies JNDI strings in network user agents or URIs."reference = "https://www.lunasec.io/docs/blog/log4j-zero-day/"events:$event.metadata.event_type = "NETWORK_HTTP"($event.network.http.user_agent = "({jndi:.*}|{env:.*}|:j}.*{)" or
$event.network.http.referral_url = "({jndi:.*}|{env:.*}|:j}.*{)" or
$event.target.url = "({jndi:.*}|{env:.*}|:j}.*{)")condition:$event}
Low prevalence destination Investigation in Chronicle

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store