Log4J/LogShell (CVE-2021-44228) exploit IOC have been published by Cisco Talos (see: https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html). These IOC have been packaged as a WitFoo Actor definition and have been pushed to all production instances of WitFoo Precinct and Precinct Cloud. The definitions were automatically applied at 1404 Eastern Standard time on December 14, 2021. Detections are both forward looking and retrospective across the entire Precinct big-data archive.

Actor functionality has been pushed early (ahead of 6.2 GA release) to allow data to be searched. A quick overview of the functionality can be viewed below.

Notification of matches can be found by filtering on “Actor” in the incident window and email notifications will also be sent (if configured/enabled.)

The Actor feature does allow defining custom IOC (as outlined in the video above.)

Questions about the publication can be posted on Community forums (https://community.witfoo.com/forums/topic/log4j-logshell-cve-2021-44228/) or by contacting WitFoo Support.