IBM Security QRadar

 View Only
  • 1.  Detection of Log4Shell (CVE-2021-44228) using QRadar

    Community Leadership
    Posted Mon December 13, 2021 02:45 PM

    Updated blog by CTO Adam Frank: Detection of Log4Shell (CVE-2021-44228) using QRadar 

    Wendy Batten
    Community Manager
    IBM Security
    Cambridge MA

  • 2.  RE: Detection of Log4Shell (CVE-2021-44228) using QRadar

    Posted Tue December 14, 2021 08:55 AM


    I believe there is a mistake in the examples of the building blocks in the blog post (the pictures).

    You recommended to match the field "Username" to the regex in both examples, while I believe the correct field should be "User Agent" according to the latest exploit POC.

    Please let me know if this is correct.

    Thanks in advance,


    Ariel Roitgarts

  • 3.  RE: Detection of Log4Shell (CVE-2021-44228) using QRadar

    Posted Tue December 14, 2021 09:40 AM
    Good Eye Ariel, This is because the systems I am using to generate the screenshots do not have all the custom properties available on it. I will get them added and update the screenshots to ensure consistancy.


    Adam Frank
    CTO -- IBM Security Intelligence

  • 4.  RE: Detection of Log4Shell (CVE-2021-44228) using QRadar

    IBM Champion
    Posted Wed December 15, 2021 06:03 AM
    We have seen the exploit in virtually every logged string from servers.  I assume it is due to the way it is being exploited.  Hostname, URL, referrer, agent and query are all being seen with the exploit.

    I hated to do it, but I made a BB with a payload contains for jndi:, then added some logic for if firewall allowed then reset or dropped the connection.

    Hey Adam!

    Frank Eargle