faststeak/gist:0ef52e39c80ef15c92731fb0a7fcb234

## gistfile1.txt
index=<your target indexes>
| regex "(?i)\${(\${(.*?:|.*?:.*?:-)(\'|\"|\`)*(?1)}*|[jndi:(ldap|ldaps|rmi|dns|nis|iiop|corba|nds|http)](\'|\"|\`)*}*){9,10}"

| rex field=_raw max_match=0 "(?<ip_addr>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex field=_raw "Base64\/(?<base64>[A-Za-z0-9+]{15,}[=]{0,2})"
| decrypt field=base64 b64 emit('payload')

| table _time index sourcetype host ip_addr base64 payload _raw

| mvexpand ip_addr
| iplocation ip_addr
| fillnull value="unknown" Country
| eval ip_addr=ip_addr." (".Country.")"

| stats values(*) as * values(_raw) as _raw by _time host

| fields _time index sourcetype host ip_addr base64 payload _raw
| sort - 0 _time
| convert ctime(_time)
	index=<your target indexes>
	\| regex "(?i)\${(\${(.?:\|.?:.?:-)(\'\|\"\|\`)(?1)}\|[jndi:(ldap\|ldaps\|rmi\|dns\|nis\|iiop\|corba\|nds\|http)](\'\|\"\|\`)}*){9,10}"

	\| rex field=_raw max_match=0 "(?<ip_addr>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
	\| rex field=_raw "Base64\/(?<base64>[A-Za-z0-9+]{15,}[=]{0,2})"
	\| decrypt field=base64 b64 emit('payload')

	\| table _time index sourcetype host ip_addr base64 payload _raw

	\| mvexpand ip_addr
	\| iplocation ip_addr
	\| fillnull value="unknown" Country
	\| eval ip_addr=ip_addr." (".Country.")"

	\| stats values() as values(_raw) as _raw by _time host

	\| fields _time index sourcetype host ip_addr base64 payload _raw
	\| sort - 0 _time
	\| convert ctime(_time)