Log4Shell Regex

Splunk Community

Starting from Karan Lyons's https://gist.github.com/karanlyons/8635587fd4fa5ddb4071cc44bb497ab6, I've produced a custom search command for detecting log4j exploitation attempts (CVE-2021-44228, CVE-2021-45046). It is simple to use: pipe search results to the log4shellregex command with the name of the field to inspect, and it outputs a field called log4shellregex. Here is an over-simplified example that passes the raw event; the final where clause keeps only events for which the command produced a match:

index=* sourcetype=log4 | log4shellregex _raw | where isnotnull(log4shellregex)