Detecting and responding to Apache “Log4j 2” using Google Chronicle

Raw Log Search

Historical Raw Log Search Across The Enterprise

Detection Rules

rule cve_2021_44228_execution {meta:tactic = “TA0002”description = “Identifies process execution using JNDI strings.”events:$event.metadata.event_type = “PROCESS_LAUNCH”$ = /.*\$\{jndi\:(ldap|rmi|ldaps|dns)\:.*\}.*/ nocase$event.principal.hostname = $hostnamecondition:$event}
rule cve_2021_44228_http {meta:tactic = "TA0002"technique = "T1059"description = "Identifies JNDI strings in network user agents or URIs."reference = ""events:$event.metadata.event_type = "NETWORK_HTTP"($ = "({jndi:.*}|{env:.*}|:j}.*{)" or
$ = "({jndi:.*}|{env:.*}|:j}.*{)" or
$ = "({jndi:.*}|{env:.*}|:j}.*{)")condition:$event}

Identify Low Prevalence Events

Low prevalence destination Investigation in Chronicle

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Registration Required: How To Improve Office Security in 5 Easy Steps

Kernel Exploitation

The Current and the Future States of DNS Security (2020)

The path to secure DNS

It’s Aleo!

Weekly Summary

VishwaCTF-22 => John the rocker (Cryptography)

NewsCrypto App V2 Release

User Accounts Not Requiring Passwords

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


More from Medium

Shooting Up: On-Prem to Cloud — Detecting “AADConnect” Creds Dump

Log4j RCE — An analysis and comparison of Software Composition Analysis tools in the market

Security Analyst Diaries: Detecting GCP CIS control violations with native GCP Cloud Audit Logging…

How To SOAR — Avoid complication while simplification