Playbook: Internal Host WinRM log4j Respond

Description

Published in response to CVE-2021-44228, this playbook accepts a list of hosts and filenames to remediate on the endpoint. If filenames are provided, the endpoints will be searched and then the user can approve deletion. Then the user is prompted to quarantine the endpoint.

Type: Response Date: 2021-12-14 Author: Kelby Shelton, Splunk ID: 32fd9db5-5201-4b2f-b2c2-9299c7b3495d

Apps:

Associated Detections

How To Implement

The winrm asset requires Administrator access to gather certain files.

Explore Playbook

explore

Required fields

Reference

source | version: 1