faststeak · December 13, 2021 17:00
diff --git a/gistfile1.txt b/gistfile1.txt
 index=<your target indexes>
 | regex "(?i)\${(\${(.*?:|.*?:.*?:-)(\'|\"|\`)*(?1)}*|[jndi:(ldap|ldaps|rmi|dns|nis|iiop|corba|nds|http)](\'|\"|\`)*}*){9,10}"

 | rex field=_raw max_match=0 "(?<ip_addr>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
 | rex field=_raw "Base64\/(?<base64>[A-Za-z0-9+]{15,}[=]{0,2})"
 | decrypt field=base64 b64 emit('payload')

 | table _time index sourcetype host ip_addr base64 payload _raw

 | mvexpand ip_addr
 | iplocation ip_addr
 | fillnull value="unknown" Country
 | eval ip_addr=ip_addr." (".Country.")"

 | stats values(*) as * values(_raw) as _raw by _time host

 | fields _time index sourcetype host ip_addr base64 payload _raw
 | sort - 0 _time
 | convert ctime(_time)
	index=<your target indexes>
	\| regex "(?i)\${(\${(.?:\|.?:.?:-)(\'\|\"\|\`)(?1)}\|[jndi:(ldap\|ldaps\|rmi\|dns\|nis\|iiop\|corba\|nds\|http)](\'\|\"\|\`)}*){9,10}"

	\| rex field=_raw max_match=0 "(?<ip_addr>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
	\| rex field=_raw "Base64\/(?<base64>[A-Za-z0-9+]{15,}[=]{0,2})"
	\| decrypt field=base64 b64 emit('payload')

	\| table _time index sourcetype host ip_addr base64 payload _raw

	\| mvexpand ip_addr
	\| iplocation ip_addr
	\| fillnull value="unknown" Country
	\| eval ip_addr=ip_addr." (".Country.")"

	\| stats values() as values(_raw) as _raw by _time host

	\| fields _time index sourcetype host ip_addr base64 payload _raw
	\| sort - 0 _time
	\| convert ctime(_time)