Splunk Enterprise

log4j Detection Search



As we know, trying to create an all-encompassing search for the log4j is a very difficult task because of the infinite number of possibilities for entering the letters jndi and any of the possible protocols; ex. ldap; dns; https; etc.

We came up with this SPL, which has been very successful. However, there is a good possibility of some false positives. We haven't found too many though.



index=* AND "\$"
    ```All sites discussing log4j examples containing at least one dollar sign. Therefore, we are only reporting those types of events.```
    ```No evidence (thus far) has been shown that these logs would contain log4j-type strings. Therefore, these logs are excluded.```
AND NOT source IN (/var/adm/messages, /var/adm/sulog, /var/adm/syslog*, /var/log/authlog, /var/log/messages, /var/log/secure, /var/log/syslog, /var/log/sudo.log, bandwidth, cpu, interfaces, iostat, netstat, openPorts, protocol, ps, top, vmstat, nfsiostat)
AND NOT sourcetype=syslog
    ```These 12 strings have been found in events with different variations of the log4j string.```
AND ((Basic AND Base64) OR "/securityscan" OR "/callback" OR exploit OR "/nessus" OR (interact OR interactsh) OR kryptoslogic OR "service.exfil.site" OR secresponstaskfrce OR billdemirkapi OR mburpcollab OR leakix)
    ```Flags/Indicators to match the different strings above.```
| eval base64=if(match(_raw,"Base64"),"X","")
| eval dnsscan=if(match(_raw,"/securityscan"),"X","")
| eval exploit=if(match(_raw,"Exploit"),"X","")
| eval nessus=if(match(_raw,"/nessus"),"X","")
| eval interact=if(match(_raw,"interact") or match(_raw,"interactsh"),"X","")
| eval kryptos=if(match(_raw,"kryptoslogic"),"X","")
| eval exfilsite=if(match(_raw,"service.exfil.site"),"X","")
| eval secrettask=if(match(_raw,"secresponstaskfrce"),"X","")
| eval billdemirk=if(match(_raw,"billdemirkapi"),"X","")
| eval burpcollab=if(match(_raw,"mburpcollab"),"X","")
| eval leakix=if(match(_raw,"leakix"),"X","")
    ```These are the known protocols where log4j attacks have been seen. These matches look for the first letter used for each protocol (j), followed by anything, then the next letter (n), etc. This "hopefully" will catch any/all possible variations used by attackers. Note: A future search is being designed to find where URL Encoding repalces any/all of the letters within each JNDI protocol string.```
| where match(_raw,"j.*n.*d.*i.*\:.*l.*d.*a.*p")
     or match(_raw,"j.*n.*d.*i.*\:.*d.*n.*s")
     or match(_raw,"j.*n.*d.*i.*\:.*r.*m.*i")
     or match(_raw,"j.*n.*d.*i.*\:.*l.*d.*a.*p.*s")
     or match(_raw,"j.*n.*d.*i.*\:.*n.*i.*s")
     or match(_raw,"j.*n.*d.*i.*\:.*i.*i.*o.*p")
     or match(_raw,"j.*n.*d.*i.*\:.*c.*o.*r.*b.*a")
     or match(_raw,"j.*n.*d.*i.*\:.*n.*d.*s")
     or match(_raw,"j.*n.*d.*i.*\:.*h.*t.*t.*p")
     or match(_raw,"j.*n.*d.*i.*\:.*h.*t.*t.*p.*s")
     or match(_raw,"(\:)*-")
     or match(_raw,"lower\:")
     or match(_raw,"upper\:")
     or match(_raw,"date\:")
     or match(_raw,"env\:")
     or match(_raw,"jndi")
| sort 0 -_time
| table _time, index, host, source, status, base64, dnsscan, exploit, nessus, interact, kryptos, exfilsite, secrettask, billdemirk, burpcollab, leakix, _raw, http_user_agent,


We have found events also substituting URL Encoded characters for jndi........

Please let me, and the rest of our Splunk community, know if there are any issues with this search. Also, any new text signatures discovered other than those in Step 2. And any other discoveries.

Together, let's find, stop this vulnerability. 

Thanks and God bless,


Labels (1)
Tags (2)
0 Karma



I have had difficulty posting this for the past two days.  Finally, the Answers site told me why. There are screenshots below of some of the regex with explanations. Appears that Splunk was assuming my code was an attack. Hmmm!
This reply describes the steps taken in the SPL in the original post.

Step 1
Due to log4j’s use of regular expressions, it is near impossible to write a set of search strings, let alone a single search string, to detect all of these variations. However, we have designed a search that looks for the presence of a $ in ingested logs, as, in our analysis, at least one unencrypted dollar sign must appear in each log event where the JNDI is being called/used. After the first $ an attacker may attempt to obfuscate one or more of the several protocols used by JNDI to grant lookups.

Screenshot - 12_30_2021 , 11_32_29 AM.png

Step 2
We filtered out events from these logs because it has determined these logs do not capture events pertaining to log4j activity. As a separate search on just these logs, no log4j patterns were discovered. 


Step 3
Using the same logic and analysis from Step 2 we removed events for sourcetype=syslog.

Step 4
Next, we kept events containing only these 12 identified “text signatures” from the Team’s analysis.

Basic AND Base64
interact OR interactsh

Step 5
This would be any proprietary or other business or industry-specific based search commands.

Step 6
The current final filtering step searches raw events that use one or more of the protocol signatures shared on the Internet. Splunk performs a match against each JNDI protocol one letter at-a-time with any number of other characters in between each protocol letter.

Screenshot - 12_30_2021 , 11_34_54 AM.png

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...