From 32c0125208cd977e5a19b22a84140ad16b547537 Mon Sep 17 00:00:00 2001
From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com>
Date: Fri, 12 Jul 2024 12:58:48 -0600
Subject: [PATCH] adding new category of exploits

---
 rule-packs/index.js | 3 ++-
 rule-packs/initial-access-exploits.json | 14 ++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 rule-packs/initial-access-exploits.json

diff --git a/rule-packs/index.js b/rule-packs/index.js
index ffed240..2076438 100644
--- a/rule-packs/index.js
+++ b/rule-packs/index.js
@@ -20,4 +20,5 @@ module.exports.CyberarkIdaptiveMisconfigurations = require("./cyberark-idaptive-
 module.exports.KnownMaliciousSoftwareVersions = require("./known-malicious-software-versions.json");
 module.exports.AttackPath = require("./attack-path.json");
 module.exports.GitlabMaliciousVersions = require("./gitlab-malicious-versions.json");
-module.exports.ServiceNowCMDBDevices = require("./servicenow-cmdb-devices.json");
\ No newline at end of file
+module.exports.ServiceNowCMDBDevices = require("./servicenow-cmdb-devices.json");
+module.exports.InitialAccessExploits = require("./initial-access-exploits.json");
\ No newline at end of file
diff --git a/rule-packs/initial-access-exploits.json b/rule-packs/initial-access-exploits.json
new file mode 100644
index 0000000..2b2814c
--- /dev/null
+++ b/rule-packs/initial-access-exploits.json
@@ -0,0 +1,14 @@
+[
+ {
+ "name": "intial-access-exploit-public-facing-apps-log4j-dependencies",
+ "description": "Finds Hosts/Endpoints that are using codeRepos with log4j dependencies.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND * THAT RELATES TO Host THAT DEPLOYED CodeRepo THAT USES CodeModule WITH displayName = 'log4j'",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "MEDIUM"
+ }
+]
\ No newline at end of file
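Review bot: The new `module.exports.InitialAccessExploits` line is added without a terminating newline, so the file still ends with `\ No newline at end of file` and the next rule pack added here will again show a spurious one-line removal plus two additions. End the file with a newline after `require("./initial-access-exploits.json");` so future diffs stay one line per added export.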
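Review bot: The rule `name` is misspelled (`intial-access-exploit-...`); since rule names are the identifier that alerts and any downstream routing will key on, fix it to `"name": "initial-access-exploit-public-facing-apps-log4j-dependencies"` before it is merged and referenced elsewhere. The query's exact match `displayName = 'log4j'` will only find a module named literally `log4j` and will miss variants such as `log4j-core` or `log4j-api`; if the query language supports a starts-with or contains match, that would give the coverage the description promises, otherwise the description should state that only modules named exactly `log4j` are matched. The query also applies no version constraint, so it inventories any Host linked to a repo that uses log4j rather than detecting an exploitable version; the `description` should say so (e.g. "Flags hosts deploying code repos that use any version of log4j; presence is an exposure indicator, not a confirmed vulnerable version") so that the `MEDIUM` alert level is read as a triage signal. Finally, `FIND *` returns every entity related to a Host, not just "Hosts/Endpoints" as the description says; either narrow the starting entity or align the description with what the query returns.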