Detecting and responding to Apache “Log4j 2” using Google Chronicle

Raw Log Search

Historical Raw Log Search Across The Enterprise

Detection Rules

rule cve_2021_44228_execution {meta:tactic = “TA0002”description = “Identifies process execution using JNDI strings.”events:$event.metadata.event_type = “PROCESS_LAUNCH”$event.target.process.command_line = /.*\$\{jndi\:(ldap|rmi|ldaps|dns)\:.*\}.*/ nocase$event.principal.hostname = $hostnamecondition:$event}
rule cve_2021_44228_http {meta:tactic = "TA0002"technique = "T1059"description = "Identifies JNDI strings in network user agents or URIs."reference = "https://www.lunasec.io/docs/blog/log4j-zero-day/"events:$event.metadata.event_type = "NETWORK_HTTP"($event.network.http.user_agent = "({jndi:.*}|{env:.*}|:j}.*{)" or
$event.network.http.referral_url = "({jndi:.*}|{env:.*}|:j}.*{)" or
$event.target.url = "({jndi:.*}|{env:.*}|:j}.*{)")condition:$event}

Identify Low Prevalence Events

Low prevalence destination Investigation in Chronicle

--

--

--

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

DEVEL — HTB walkthrough

Crypto is just a bunch of random numbers

Android and iOS cryptocurrency

Interacting with Tolar HashNET (part 2)

Cyber Security Skills Shortage

How I get Admin Panel…

Quantum Key Distribution for Cybersecurity

Introducing Threat Intel for Chronicle

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Chronicle

Chronicle

More from Medium

Shooting Up: On-Prem to Cloud — Detecting “AADConnect” Creds Dump

Threat Modelling for DevSecOps

Attack Simulation (Why it is Important!) Part 2 — Get one’s ducks in a row

MITRE ATT&CK FRAMEWORK