ExtraHop Reveal(x) is great at detecting Log4J and Log4Shell; I recommend running Firmware v8.7. The new Log4J/Log4Shell detections appear in your detection dashboard. If you also want to be notified when this detection type fires, you now can: if you have not done so already, take advantage of the new Notification feature. When a detection is triggered, you can configure ExtraHop Reveal(x) to execute an action such as sending an email or calling a webhook.
Here is a standard detection of a Log4J attempt.
To configure Notifications, log in to your ExtraHop Command Center and select Notifications under the Gear icon.
Click on the Create button > Enter a Name and Description > Select Criteria: Type = Log4Shell JNDI Injection Attempt. Optionally, select Actions: Email and enter an email address.
If you want to know whether one of your hosts has actually responded to a Log4J attempt, you can create a second Notification. This type of notification tells you whether your IDS/IPS is working as expected, because outbound activity means the inbound attempt was not blocked.
Click on the Create button > Enter a Name and Description > Select Criteria: Type = Outbound Log4Shell Activity. Optionally, select Actions: Email and enter an email address.
Example of Email Notification for Log4J Attempt
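If you choose the webhook action instead of email, something has to receive and triage those posts. The receiver below is an added example (not ExtraHop's code, and not from the original post) that separates the two detection types configured above: an inbound JNDI injection attempt is logged at low priority, while Outbound Log4Shell Activity is escalated because it means the host called back out and the IDS/IPS did not hold. The JSON field names (`detection_type`, `victim`, `offender`) and the `X-Webhook-Token` header are assumptions; map them to whatever your webhook payload template and custom headers actually send.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Detection type names exactly as entered in the Notification criteria above.
INBOUND_ATTEMPT = "Log4Shell JNDI Injection Attempt"
OUTBOUND_ACTIVITY = "Outbound Log4Shell Activity"

# ASSUMED shared secret configured as a custom header on the webhook action,
# so that stray POSTs from elsewhere on the network are rejected.
WEBHOOK_TOKEN = "replace-me-with-a-random-secret"


def triage(payload: dict) -> dict:
    """Classify one notification payload (field names are ASSUMED for this example)."""
    dtype = payload.get("detection_type")
    if dtype == OUTBOUND_ACTIVITY:
        # The protected host reached out to the attacker-controlled server:
        # the inbound block did not work, so this is the case to page on.
        return {"priority": "P1",
                "reason": "host made outbound Log4Shell callback; IDS/IPS did not block",
                "host": payload.get("offender")}
    if dtype == INBOUND_ATTEMPT:
        # Attempt seen on the wire; expected noise while the IDS/IPS is blocking.
        return {"priority": "P3",
                "reason": "inbound JNDI injection attempt observed",
                "host": payload.get("victim")}
    return {"priority": "ignore", "reason": f"unhandled detection type: {dtype!r}", "host": None}


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.headers.get("X-Webhook-Token") != WEBHOOK_TOKEN:
            self.send_response(403); self.end_headers(); return
        length = int(self.headers.get("Content-Length", 0))
        try:
            payload = json.loads(self.rfile.read(length) or b"{}")
        except json.JSONDecodeError:
            self.send_response(400); self.end_headers(); return
        result = triage(payload)
        print(json.dumps(result))  # replace with your ticketing or paging call
        self.send_response(200); self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```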