These are not perfect queries, but they surface likely indicators; investigate any hosts they hit further.
You might want to add your own public IPs from your cloud environments to the exclusions.
MDE
Requests to default LDAP ports from possibly impacted processes
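// Outbound connections to the default LDAP / LDAPS / Global Catalog ports from
// processes that commonly host Log4j (web and application servers).
// RemotePort is an integer column, so compare against integer literals.
DeviceNetworkEvents
| where RemotePort in (389, 636, 3268, 3269)
// Exclude loopback and all RFC1918 ranges, in plain IPv4 and IPv4-mapped IPv6
// form (172.16/12 and 192.168/16 were missing from the original exclusion).
// Add your own public IP ranges used by your cloud environments here.
| where not(RemoteIP == "::1"
    or RemoteIP startswith "127."
    or RemoteIP startswith "10." or RemoteIP startswith "::ffff:10."
    or RemoteIP startswith "192.168." or RemoteIP startswith "::ffff:192.168."
    or RemoteIP matches regex @"^(::ffff:)?172\.(1[6-9]|2[0-9]|3[01])\.")
// has_any is term based: "java" also matches "java.exe" (terms "java" + "exe")
| where InitiatingProcessFileName has_any ("apache","w3wp.exe","java","tomcat","sapwebdisp.exe")
| summarize count() by InitiatingProcessFileName, RemoteIP, RemoteUrl, DeviceName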
DNS responses for queries made by possibly impacted processes
// DNS responses observed for lookups issued by processes that commonly host Log4j.
// The queried name lives inside the dynamic AdditionalFields column.
DeviceEvents
| where ActionType contains "DnsQueryResponse"
| where InitiatingProcessFileName has_any ("apache","w3wp.exe","java","tomcat","sapwebdisp.exe")
| extend DnsQueryString = tostring(parse_json(AdditionalFields).DnsQueryString)
| summarize count() by InitiatingProcessFileName, DnsQueryString
Hits on known IOCs based on GreyNoise data and Microsoft threat intel
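// Outbound connections from endpoints to published Log4j callback IOCs.
// Sources: the GreyNoise-derived callback URL list (intel) and the Azure
// Sentinel Log4j IOC feed (IPList).
let intel = externaldata (URL:string, values:dynamic) [@"https://gist.githubusercontent.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8/raw/f1751cc072bd33256c0005021f33348c22aa76fc/Callback%2520Domains%2520log4j"];
let IPList = externaldata(IPAddress:string)[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv"] with (format="csv", ignoreFirstRecord=True);
// Domains: only the first lowercase three-label host (e.g. sub.example.tld) is
// pulled from each URL; two-label domains and mixed-case hosts are not extracted.
let domains = intel | extend domains=extract(@"([0-9a-z]+\.[0-9a-z]+\.[a-z]+)",0,URL) | distinct domains | where domains != "" | project domains;
// IPs: first dotted-quad found in each URL
let ips = intel | extend ips=extract(@"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",0,URL) | distinct ips | where ips != "" | project ips;
// Callback ports are extracted but deliberately not matched on: a port-only
// condition would flag ordinary traffic. Kept for ad-hoc pivoting.
let ports = intel | extend ports=extract(@":([0-9]{2,5})\/",1,URL) | distinct ports | where ports != "" | project ports;
DeviceNetworkEvents
| where Timestamp > datetime("2021-12-09")
| where not(RemoteIP == "0.0.0.0")
// NOTE(review): ipv4_is_match() returns null for a non-IPv4 string, and a where
// predicate that evaluates to null drops the row, so without coalesce() these
// lines also silently drop every IPv6 RemoteIP (making the "::ffff:" line below
// largely redundant). coalesce() keeps IPv6 rows so the explicit IPv6 exclusions apply.
| where not(coalesce(ipv4_is_match(RemoteIP, '127.0.0.0/8'), false))
| where not(coalesce(ipv4_is_match(RemoteIP, '10.0.0.0/8'), false))
| where not(coalesce(ipv4_is_match(RemoteIP, '172.16.0.0/12'), false))
| where not(coalesce(ipv4_is_match(RemoteIP, '192.168.0.0/16'), false))
| where not(coalesce(ipv4_is_match(RemoteIP, '169.254.0.0/16'), false))
// Environment-specific range carried over from the original query; verify it is intended.
| where not(coalesce(ipv4_is_match(RemoteIP, '6.66.0.0/16'), false))
| where not(RemoteIP == "::1" or RemoteIP startswith "::ffff:10." or RemoteIP startswith "::ffff:192.168" or RemoteIP startswith "::ffff:172.16.")
// Exact IP comparison instead of term matching (has_any) on the IP string.
| where RemoteUrl has_any (domains) or RemoteIP in (ips) or RemoteIP in (IPList)
// Optionally narrow to processes that commonly host Log4j:
// | where InitiatingProcessFileName has_any ("apache","w3wp.exe","java.exe","tomcat")
| project Timestamp, InitiatingProcessFileName, LocalIP, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort, DeviceName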
MDE queries from Microsoft
// Process command lines carrying the JNDI lookup prefix together with one of the
// protocol schemes Log4j will resolve. (Microsoft-published query.)
DeviceProcessEvents
| where ProcessCommandLine has '${jndi'
| where ProcessCommandLine has_any ('ldap', 'ldaps', 'http', 'rmi', 'dns', 'iiop')
// Known benign sources of the same strings
| where ProcessCommandLine !has_any ('stackstorm', 'homebrew')
// Command lines (of the process or its parent) that contain a complete JNDI
// lookup URL — ${jndi:<scheme>://…host.tld/… — case-insensitive.
// Microsoft-published pattern, bound once so both columns use the same regex.
let jndiUrlPattern = @'(?i)\$\{jndi:(ldap|http|https|ldaps|dns|rmi|iiop):\/\/(\$\{([a-z]){1,20}:([a-z]){1,20}\})?(([a-zA-Z0-9]|-){2,100})?(\.([a-zA-Z0-9]|-){2,100})?\.([a-zA-Z0-9]|-){2,100}\.([a-z0-9]){2,20}(\/).*}';
DeviceProcessEvents
| where ProcessCommandLine matches regex jndiUrlPattern
    or InitiatingProcessCommandLine matches regex jndiUrlPattern
// Cloud app activity (Microsoft-published query) where a JNDI lookup string
// shows up in the user agent, account name, application or raw event fields.
CloudAppEvents
| where Timestamp > datetime("2021-12-09")
| where AdditionalFields contains "jndi:"
    or Application contains "jndi:"
    or AccountDisplayName contains "jndi:"
    or UserAgent contains "jndi:"
| project ActionType, ActivityType, Application, AccountDisplayName, IPAddress, UserAgent, AdditionalFields
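// Software inventory entries whose name contains "log4j". SoftwareVendor is
// added so Apache's own library can be told apart from products that bundle it.
// NOTE(review): the inventory only lists software the sensor recognises; Log4j
// JARs embedded inside other applications may not appear here — confirm with
// file-based hunting.
DeviceTvmSoftwareInventory
| where SoftwareName contains "log4j"
| project DeviceName, SoftwareName, SoftwareVersion, SoftwareVendor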
Sentinel
Hits on known IOCs based on GreyNoise data and Microsoft threat intel
Zscaler
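// Zscaler web proxy logs (CEF via CommonSecurityLog) that carry a JNDI string or
// reach a published Log4j callback IP / domain.
let intel = externaldata (URL:string, values:dynamic) [@"https://gist.githubusercontent.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8/raw/f1751cc072bd33256c0005021f33348c22aa76fc/Callback%2520Domains%2520log4j"];
let IPList = externaldata(IPAddress:string)[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv"] with (format="csv", ignoreFirstRecord=True);
// Only the first lowercase three-label host per URL is extracted (two-label
// domains and mixed-case hosts are missed).
let domains = intel | extend domains=extract(@"([0-9a-z]+\.[0-9a-z]+\.[a-z]+)",0,URL) | distinct domains | where domains != "" | project domains;
let ips = intel | extend ips=extract(@"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",0,URL) | distinct ips | where ips != "" | project ips;
// Callback ports are extracted but not matched on (port alone is too noisy).
let ports = intel | extend ports=extract(@":([0-9]{2,5})\/",1,URL) | distinct ports | where ports != "" | project ports;
CommonSecurityLog
| where TimeGenerated > datetime("2021-12-09")
| where DeviceVendor == "Zscaler"
// The JNDI string is checked in the requested URL as well as the client user
// agent; the original only looked at RequestClientApplication.
| where RequestClientApplication contains "jndi"
    or RequestURL contains "jndi"
    or DestinationIP in (ips)
    or RequestURL has_any (domains)
    or DestinationIP in (IPList)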
Fortinet
// Fortinet firewall logs (CEF via CommonSecurityLog) whose destination IP or
// requested URL appears in the published Log4j callback IOC feeds.
let iocFeed = externaldata (URL:string, values:dynamic) [@"https://gist.githubusercontent.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8/raw/f1751cc072bd33256c0005021f33348c22aa76fc/Callback%2520Domains%2520log4j"];
let sentinelIocIps = externaldata(IPAddress:string)[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv"] with (format="csv", ignoreFirstRecord=True);
// First lowercase three-label host found in each callback URL
let iocDomains = iocFeed | extend domain=extract(@"([0-9a-z]+\.[0-9a-z]+\.[a-z]+)",0,URL) | where domain != "" | distinct domain;
// First dotted-quad IPv4 address found in each callback URL
let iocIps = iocFeed | extend ip=extract(@"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",0,URL) | where ip != "" | distinct ip;
// Callback ports (not used by the match below)
let iocPorts = iocFeed | extend port=extract(@":([0-9]{2,5})\/",1,URL) | where port != "" | distinct port;
CommonSecurityLog
| where TimeGenerated > datetime("2021-12-09")
| where DeviceVendor == "Fortinet"
| where DestinationIP in (sentinelIocIps)
    or DestinationIP in (iocIps)
    or RequestURL has_any (iocDomains)
Check Point
// Check Point logs (CEF via CommonSecurityLog) reaching a published Log4j
// callback IP or domain.
let callbackUrls = externaldata (URL:string, values:dynamic) [@"https://gist.githubusercontent.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8/raw/f1751cc072bd33256c0005021f33348c22aa76fc/Callback%2520Domains%2520log4j"];
let feedIps = externaldata(IPAddress:string)[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv"] with (format="csv", ignoreFirstRecord=True);
// Hosts (first lowercase three-label name per URL), IPs and ports pulled out of
// the callback URLs; ports are kept only for pivoting and are not matched.
let callbackHosts = callbackUrls
    | extend host=extract(@"([0-9a-z]+\.[0-9a-z]+\.[a-z]+)",0,URL)
    | where host != ""
    | distinct host;
let callbackIps = callbackUrls
    | extend addr=extract(@"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",0,URL)
    | where addr != ""
    | distinct addr;
let callbackPorts = callbackUrls
    | extend port=extract(@":([0-9]{2,5})\/",1,URL)
    | where port != ""
    | distinct port;
CommonSecurityLog
| where DeviceVendor == "Check Point"
| where TimeGenerated > datetime("2021-12-09")
| where DestinationIP in (callbackIps)
    or DestinationIP in (feedIps)
    or RequestURL has_any (callbackHosts)
Application Gateway (regex tweak via @netrusion)
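// Azure Application Gateway access logs where the user agent, request URI or
// query string carries a JNDI lookup, each character allowed in plain or
// URL-encoded (%XX) form. Regex tweak via @netrusion.
// (?i) makes the whole match case-insensitive so lowercase hex encodings such
// as %7b, %4a or %3a are caught too; the original pattern listed only some
// casings. The pattern is bound once so all three columns use the same regex.
let jndiPattern = @"(?i)(%24|\$)(%7B|{).*(%4A|%6A|j|J).*?(%4E|%6e|n|N).*?(%44|%64|d|D).*?(%49|%69|i|I).*?(%3A|\:).*(%7D|})";
AzureDiagnostics
| where TimeGenerated > datetime("2021-12-09")
| where ResourceType == "APPLICATIONGATEWAYS"
| where Category == "ApplicationGatewayAccessLog"
| where userAgent_s matches regex jndiPattern
    or requestUri_s matches regex jndiPattern
    or requestQuery_s matches regex jndiPattern
| project TimeGenerated, ResourceId, clientIP_s, originalHost_s, httpStatus_d, userAgent_s, originalRequestUriWithArgs_s, requestUri_s, requestQuery_s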