
Summary
This rule detects potential exploitation of the Log4Shell vulnerability (CVE-2021-44228) by correlating the MITRE ATT&CK tactics attached to security events. Using Splunk's Risk data model, it identifies likely Log4Shell exploitation by counting distinct MITRE ATT&CK tactics: a finding is raised when two or more distinct tactics are observed, which indicates a higher likelihood of a genuine exploitation attempt. Such incidents can lead to unauthorized access and lateral movement within the network, compromising the integrity and security of the affected systems. The correlation search queries the Risk data model and is scoped to risk events associated with this specific vulnerability, using a structured approach to surface anomalous behavior that signals exploitation risk.
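To make the "two or more distinct tactics" threshold concrete, here is an added Python re-implementation of the correlation logic over constructed risk events; it is not the rule's own SPL. It assumes the events are grouped per risk object and that the field names (risk_object, risk_object_type, analyticstories, tactic, technique_id) mirror the Splunk Risk data model.

```python
# Added example, not the Splunk rule's own SPL: the correlation logic described
# above re-implemented over constructed risk events. Field names (risk_object,
# analyticstories, tactic, technique_id) mirror the Risk data model; assumptions.
from collections import defaultdict

LOG4SHELL_STORY = "Log4Shell CVE-2021-44228"
TACTIC_THRESHOLD = 2  # a finding needs >= 2 distinct tactics on one risk object


def risk_event(time, obj, story, tactic, technique_id):
    """Build one risk event record (constructed sample data, not real events)."""
    return {"_time": time, "risk_object": obj, "risk_object_type": "system",
            "analyticstories": story, "tactic": tactic, "technique_id": technique_id}


# Constructed sample events. web-01: three tactics -> finding.
# web-02: two events, same tactic -> distinct count 1, no finding.
# web-03: second tactic belongs to another story -> filtered out, no finding.
RISK_EVENTS = [
    risk_event("2024-11-13T10:00:00Z", "web-01", LOG4SHELL_STORY, "initial-access", "T1190"),
    risk_event("2024-11-13T10:02:00Z", "web-01", LOG4SHELL_STORY, "command-and-control", "T1105"),
    risk_event("2024-11-13T10:05:00Z", "web-01", LOG4SHELL_STORY, "execution", "T1059"),
    risk_event("2024-11-13T11:00:00Z", "web-02", LOG4SHELL_STORY, "initial-access", "T1190"),
    risk_event("2024-11-13T11:01:00Z", "web-02", LOG4SHELL_STORY, "initial-access", "T1190"),
    risk_event("2024-11-13T12:00:00Z", "web-03", LOG4SHELL_STORY, "initial-access", "T1190"),
    risk_event("2024-11-13T12:03:00Z", "web-03", "Some Other Story", "execution", "T1059"),
]


def correlate_log4shell(events, threshold=TACTIC_THRESHOLD):
    """Group Log4Shell-story risk events by risk object and return those whose
    distinct MITRE ATT&CK tactic count reaches the threshold."""
    by_object = defaultdict(lambda: {"tactics": set(), "techniques": set(), "times": []})
    for ev in events:
        if ev["analyticstories"] != LOG4SHELL_STORY:
            continue  # the search is scoped to this analytic story only
        agg = by_object[(ev["risk_object"], ev["risk_object_type"])]
        agg["tactics"].add(ev["tactic"])
        agg["techniques"].add(ev["technique_id"])
        agg["times"].append(ev["_time"])
    findings = []
    for (obj, obj_type), agg in sorted(by_object.items()):
        if len(agg["tactics"]) >= threshold:  # distinct tactics, not raw event count
            findings.append({"risk_object": obj, "risk_object_type": obj_type,
                             "mitre_tactic_id_count": len(agg["tactics"]),
                             "tactics": sorted(agg["tactics"]),
                             "technique_ids": sorted(agg["techniques"]),
                             "firstTime": min(agg["times"]), "lastTime": max(agg["times"])})
    return findings
```

Only web-01 produces a finding: web-02 has repeated events in a single tactic, and web-03's second tactic comes from a different analytic story and never enters the count.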
Categories
- Endpoint
- Network
Data Sources
- Logon Session
- Application Log
ATT&CK Techniques
- T1105
- T1190
- T1059
- T1133
Created: 2024-11-13