Try in Splunk SOAR

Description

Published in response to CVE-2021-44228, this playbook is meant to be launched after log4j_investigate. In this playbook, the risk from exploited hosts can be mitigated by optionally deleting malicious files from the hosts, blocking outbound network connections from the hosts, and/or shutting down the hosts

  • Type: Response
  • Product: Splunk SOAR
  • Apps:
  • Last Updated: 2021-12-14
  • Author: Philip Royer, Splunk
  • ID: e609d729-4076-421a-b8f7-9e545d000381

Associated Detections

How To Implement

To use this playbook, create a custom list called “log4j_hosts_and_files” with a format in which the first column should be an IP or hostname of a potentially affected log4j host, the second should be the operating system family (either unix or windows), and the third should be a full path to a file to delete if there are any. The first two are mandatory and the file is optional. In the block called “enumerate_files_to_delete”, change the custom list name from “log4j_hosts_and_files” if needed. If ssh and/or winrm are not the preferred endpoint management methods, these playbooks could be ported to use Google’s GRR, osquery, CrowdStrike’s RTR, Carbon Black’s EDR API, or similar tools. The artifact scope “all” is used throughout this playbook because the artifact list can be added to as the playbook progresses.

Playbooks

Required field

Reference

source | version: 1