Detecting Attempts to Exploit Log4j CVE-2021-44228 on Apigee

The easiest way to detect whether traffic traversing your Apigee APIs contains strings that trigger CVE-2021-44228 is to use the Message Logging Policy.

These exploit strings are of the format shown in the screenshot in the original post (image not reproduced here); as the regex further down reflects, they are JNDI lookup expressions that begin with ${jndi: and are often partly or wholly URL-encoded.

These strings can be present anywhere in the HTTP request. However, after analyzing actual attack patterns in the wild, they are most often packed into certain request headers and URL parameters.

The first step is to log the parts of the request most likely to contain the bad string via the Message Logging Policy:

  • request.message.header.user-agent
  • request.message.header.referer
  • request.message.querystring
  • request.message.path

You might include the following Message definition in your Message Logging Policy to log the most routinely probed data points and their source proxies (note that the user-agent line uses the same request.message.header.user-agent variable as the list above):

<Message>[CVE-2021-44228-check tag="{organization.name}.{apiproxy.name}.{environment.name}"]
{request.message.querystring}
{request.message.header.referer}
{request.message.header.user-agent}
{request.message.path}</Message>

From there, you would run a query against your logging service (e.g. Splunk, Loggly, SumoLogic, or a syslog server) for regex strings matching common exploit values. A simple version of that is:

"(?i)(\$|\%24)(\{|\%7b).*j.*n.*d.*i.*(\:|\%3a)"

However, as attackers learn new obfuscation techniques, you may need to update and modify that regex match.
