
Use Apigee Analytics Custom Report to identify attempts to exploit Log4j 2 in your business

The following custom report settings can help you identify potential exploit attempts that align with the CVE-2021-44228 and CVE-2021-45046 vulnerabilities. The report can show patterns in your analytics records that indicate exploit attempts, and you can slice and dice the data with additional dimensions and metrics. If the report's output is not empty, it may indicate that someone is attempting to exploit the vulnerability through your APIs, and you should consider further steps to protect your environment, which are explained here.

Note: For more information about Apigee's incident report, please refer to this link.

  1. Log in to the Apigee UI. Go to Analyze -> Custom Reports.
  2. Create a new report:
    1. Pick "Traffic" with "sum" as Aggregate function in the Metrics section.
    2. Pick "Country" / "Proxy" / "Request URI" / "User Agent" / "X-Forwarded-For IP" in the list of dimensions. (You can play around with these dimensions and also add custom dimensions if you've defined them.)
    3. In the filters, add the following expression, which identifies the malicious attempts:

(request_uri similar to '(?i:.*jndi.*)') OR (useragent similar to '(?i:.*jndi.*)') OR (request_uri similar to '(?i:.*%mdc.*)') OR (useragent similar to '(?i:.*%mdc.*)') OR (request_uri similar to '(?i:.*%X.*)') OR (useragent similar to '(?i:.*%X.*)') OR (request_uri similar to '(?i:.*%24%7bctx.*)') OR (useragent similar to '(?i:.*%24%7bctx.*)')

  3. Save the report.
  4. Run the report between Dec 10 and today (e.g.: Dec 15) by using the date picker.
  5. You should be able to drill down one dimension at a time. For example, if you see "US" as a country in the initial list, you can choose "US" in the dropdown and it will show you the "Proxy" breakdown (the next dimension), and so on for each following dimension.
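The filter and drilldown from the steps above can be reproduced offline to see what the report will and will not flag. This is an added example, not Apigee's or the author's code: it assumes `similar to` behaves as a whole-string regular-expression match, and the record layout and sample records are constructed for illustration.

```python
import re

# Patterns copied verbatim from the report filter; each is applied to both fields.
PATTERNS = [re.compile(p) for p in (
    r"(?i:.*jndi.*)",
    r"(?i:.*%mdc.*)",
    r"(?i:.*%X.*)",
    r"(?i:.*%24%7bctx.*)",
)]
FIELDS = ("request_uri", "useragent")


def is_suspicious(record):
    """True if any filter pattern matches the request URI or the user agent."""
    return any(p.fullmatch(record.get(f, "")) for p in PATTERNS for f in FIELDS)


def drilldown(records, dimensions=("country", "proxy", "request_uri")):
    """Sum traffic of matching records, nested in the order of the dimensions."""
    tree = {}
    for rec in filter(is_suspicious, records):
        node = tree
        for dim in dimensions[:-1]:
            node = node.setdefault(rec[dim], {})
        leaf = rec[dimensions[-1]]
        node[leaf] = node.get(leaf, 0) + rec.get("traffic", 1)
    return tree


# Constructed sample records (hypothetical field names, not real analytics data).
SAMPLE = [
    {"country": "US", "proxy": "orders", "traffic": 3,
     "request_uri": "/v1/orders?q=%24%7Bctx:user%7D", "useragent": "curl/7.79.1"},
    {"country": "US", "proxy": "orders", "traffic": 2,
     "request_uri": "/v1/orders", "useragent": "Mozilla/5.0 ${JnDi:placeholder}"},
    # Benign-looking URI that still matches the substring pattern: review before acting.
    {"country": "DE", "proxy": "catalog", "traffic": 1,
     "request_uri": "/docs/jndi-tutorial", "useragent": "Mozilla/5.0"},
    {"country": "DE", "proxy": "catalog", "traffic": 7,
     "request_uri": "/v1/items?id=42", "useragent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for country, proxies in drilldown(SAMPLE).items():
        print(country, proxies)
```

Changing the order of `dimensions` changes the nesting, which mirrors reordering the dimensions in the report definition.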

Note: The drilldown is based on the order of dimensions, and you can change it by editing the custom report definition to get a better understanding of the data. Below are screenshots to help you get more insights into your data:


On running the report, you should see something similar to the following screens:

Output


Drilldown -> Country -> Proxy


Drilldown -> Country -> Proxy -> Request URI
