Log4j Investigate

Description

Published in response to CVE-2021-44228, this playbook and its sub-playbooks can be used to investigate and respond to attacks against hosts running vulnerable Java applications which use log4j. Between the parent playbook and seven sub-playbooks, each potentially compromised host found in Splunk Enteprise can be investigated and the risk can be mitigated using SSH for unix systems and WinRM for Windows systems.

Type: Investigation
Product: Splunk SOAR
Apps:
Last Updated: 2021-12-14
Author: Philip Royer, Splunk
ID: e609d729-0076-421a-b8f7-9e545d000381
Use-cases:

Associated Detections

How To Implement

To start this playbook, create a custom list called "log4j_hosts" with a format in which the first column should be an IP or hostname of a potentially affected log4j host, the second should be the operating system family (either unix or windows). If the operating system is unknown it can be left blank. In the block called "fetch_hosts_from_custom_list", change the custom list name from "log4j_hosts" if needed. If the operating system family ("windows" or "unix") is not known, both ssh and winrm will be attempted. If ssh and/or winrm are not the preferred endpoint management methods, these playbooks could be ported to use Google's GRR, osquery, CrowdStrike's RTR, Carbon Black's EDR API, or similar tools. The artifact scope "all" is used throughout this playbook because the artifact list can be added to as the playbook progresses.

Log4j Investigate

Description

Associated Detections

How To Implement

Explore Playbook

Required field

Reference

You May Also Enjoy

Headless Browser Mockbin or Mocky Request

Headless Browser Usage

Windows Find Interesting ACL with FindInterestingDomainAcl

Windows Get Local Admin with FindLocalAdminAccess