Detecting and responding to Apache “Log4j 2” using Google Chronicle

Raw Log Search

Historical Raw Log Search Across The Enterprise

Detection Rules

rule cve_2021_44228_execution {meta:tactic = “TA0002”description = “Identifies process execution using JNDI strings.”events:$event.metadata.event_type = “PROCESS_LAUNCH”$ = /.*\$\{jndi\:(ldap|rmi|ldaps|dns)\:.*\}.*/ nocase$event.principal.hostname = $hostnamecondition:$event}
rule cve_2021_44228_http {meta:tactic = "TA0002"technique = "T1059"description = "Identifies JNDI strings in network user agents or URIs."reference = ""events:$event.metadata.event_type = "NETWORK_HTTP"($ = "({jndi:.*}|{env:.*}|:j}.*{)" or
$ = "({jndi:.*}|{env:.*}|:j}.*{)" or
$ = "({jndi:.*}|{env:.*}|:j}.*{)")condition:$event}

Identify Low Prevalence Events

Low prevalence destination Investigation in Chronicle




Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

DEVEL — HTB walkthrough

Crypto is just a bunch of random numbers

Android and iOS cryptocurrency

Interacting with Tolar HashNET (part 2)

Cyber Security Skills Shortage

How I get Admin Panel…

Quantum Key Distribution for Cybersecurity

Introducing Threat Intel for Chronicle

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


More from Medium

Shooting Up: On-Prem to Cloud — Detecting “AADConnect” Creds Dump

Threat Modelling for DevSecOps

Attack Simulation (Why it is Important!) Part 2 — Get one’s ducks in a row