FortiSIEM Rule to identify Apache log4j exploits (CVE-2021-44228)
Hello there,
The following rule was created and adapted from an Exabeam query. See the original post below.
https://community.exabeam.com/s/article/Detecting-CVE-2021-44228-Log4j2-using-Exabeam
Event type != FortiGate-ips-signature-51006 [we do not want to include any event reported by FortiGate, just events reported by servers]
AND
(
Raw Event Log CONTAIN jndi:ldap
OR
Raw Event Log CONTAIN jndi:dns
OR
Raw Event Log CONTAIN jndi:ldaps
OR
Raw Event Log CONTAIN jndi:rmi
OR
Raw Event Log CONTAIN j}ndi
OR
Raw Event Log CONTAIN jndi%3Aldap
OR
Raw Event Log CONTAIN jndi%3Aldns
OR
Raw Event Log CONTAIN ${jndi:ldap:
OR
Raw Event Log CONTAIN ${${::-j}${::-n}${::-d}${::-i}:
OR
Raw Event Log CONTAIN ${${::-j}ndi:
OR
Raw Event Log CONTAIN ${${lower:jndi}
)
The reason why we are using Raw Event Log is that FortiSIEM does not parse all Windows Application events collected over WMI. The parser would need to be modified to capture this information in parsed attributes.
An alternative Rule specific for Windows devices could be:
Event type = Win-App-ASP.NET-4.0.30319.0-1309
AND
Raw Event Log CONTAIN jndi:ldap
---------------------
False positives:
--------------------
An alert is a false positive when the target server's Log4j 2 library version is outside the vulnerable range 2.0-beta9 to 2.14.1.
You need to either verify this manually on the server(s) or perform some sort of vulnerability scan.
IOCs:
https://securityblue.team/log4j-hunting-and-indicators/
https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv
I hope it helps
Labels: SIEM
