https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-find-out-CVE-2021-44228-Apache-Log4j-Remote/m-p/578142#M201486 <P>Hi Team&nbsp;</P><P>I am trying to find out recent&nbsp;CVE-2021-44228( log4j)</P><P>I tried "&nbsp;index=aws *log4j*", nut not sure how to find out and create an alert based on this Vulnerability.&nbsp;</P><P>Can anyone help me with the correct search and explain how to create an alert based on this vulnerability</P><P>&nbsp;</P><P>Thanks&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 13 Dec 2021 00:58:49 GMT jaibalaraman 2021-12-13T00:58:49Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-find-out-CVE-2021-44228-Apache-Log4j-Remote/m-p/578142#M201486 <P>Hi Team&nbsp;</P><P>I am trying to find out recent&nbsp;CVE-2021-44228( log4j)</P><P>I tried "&nbsp;index=aws *log4j*", nut not sure how to find out and create an alert based on this Vulnerability.&nbsp;</P><P>Can anyone help me with the correct search and explain how to create an alert based on this vulnerability</P><P>&nbsp;</P><P>Thanks&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 13 Dec 2021 00:58:49 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-find-out-CVE-2021-44228-Apache-Log4j-Remote/m-p/578142#M201486 jaibalaraman 2021-12-13T00:58:49Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-find-out-CVE-2021-44228-Apache-Log4j-Remote/m-p/578143#M201487 <P><A href="https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html" target="_blank">https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html</A></P><P>&nbsp;</P> Mon, 13 Dec 2021 02:52:55 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-find-out-CVE-2021-44228-Apache-Log4j-Remote/m-p/578143#M201487 bowesmana 2021-12-13T02:52:55Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-find-out-CVE-2021-44228-Apache-Log4j-Remote/m-p/578153#M201489 <P>Hi&nbsp;</P><P>Yes, i tried the page, but the search is not working for me&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jaibalaraman_0-1639375938969.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17206i1524D6068A5B35CA/image-size/medium?v=v2&amp;px=400" role="button" title="jaibalaraman_0-1639375938969.png" alt="jaibalaraman_0-1639375938969.png" /></span></P><P>Could you please me to understand why its not working&nbsp;</P><P>&nbsp;</P> Mon, 13 Dec 2021 06:12:48 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-find-out-CVE-2021-44228-Apache-Log4j-Remote/m-p/578153#M201489 jaibalaraman 2021-12-13T06:12:48Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-find-out-CVE-2021-44228-Apache-Log4j-Remote/m-p/578163#M201491 <P>What are you trying to do?</P><P>Are you trying to locate the vulnerability within your infrastructure? You can't do that with splunk alone.</P><P>Or are you trying to see if someone already attempted to exploit it? In this case you simply might not have recorded any exploitation attempts.</P> Mon, 13 Dec 2021 07:28:02 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-find-out-CVE-2021-44228-Apache-Log4j-Remote/m-p/578163#M201491 PickleRick 2021-12-13T07:28:02Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-find-out-CVE-2021-44228-Apache-Log4j-Remote/m-p/578229#M201510 <P>Hi&nbsp;</P><P>yes i am trying to find out list out servers affected with this vulnerability and what to find out is there any new attempt was initiated with the user agent.&nbsp;</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 13 Dec 2021 18:06:47 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-find-out-CVE-2021-44228-Apache-Log4j-Remote/m-p/578229#M201510 jaibalaraman 2021-12-13T18:06:47Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-find-out-CVE-2021-44228-Apache-Log4j-Remote/m-p/578353#M201556 <P>OK. To find which of your servers are vulnerable (use the vulnerable library) you need a completely different tool - some form of software inventory solution and/or vulnerability scanner/manager.</P><P>To find out whether someone already tried to exploit this CVE, you have a nice splunk blog post <A href="https://www.splunk.com/en_us/blog/security/log4shell-detecting-log4j-vulnerability-cve-2021-44228-continued.html" target="_blank">https://www.splunk.com/en_us/blog/security/log4shell-detecting-log4j-vulnerability-cve-2021-44228-continued.html</A></P> Tue, 14 Dec 2021 17:22:25 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-to-find-out-CVE-2021-44228-Apache-Log4j-Remote/m-p/578353#M201556 PickleRick 2021-12-14T17:22:25Z