
Basic search to find Log4J running on hosts from the DataLake

Basic search which lists processes that include log4j in the cmdline on Windows, Mac and Linux. The query returns a lot of results but works for an insight into what's running on the estate.

-- Running-process events from the Data Lake (Linux, macOS and Windows)
-- whose command line mentions log4j, case-insensitively
SELECT
    meta_hostname AS ep_name,
    name,
    cmdline,
    path,
    query_name,
    sophos_pid,
    pid
FROM xdr_data
WHERE query_name IN ('running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos')
  AND LOWER(cmdline) LIKE '%log4j%'

  • If you choose to use the environment variable

    LOG4J_FORMAT_MSG_NO_LOOKUPS

    to mitigate the issue, I suppose this would be a quick test to get a list of those computers with the value set one way or another.

    -- Lists the system default environment entry for the mitigation variable
    SELECT
        variable,
        value,
        expand
    FROM default_environment
    WHERE variable = 'LOG4J_FORMAT_MSG_NO_LOOKUPS'
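An added example, not from the original post or the comment above: the default environment only shows the system-wide value, but the mitigation only helps if it reaches the Java process itself, so this Live Discover query checks each running Java or log4j process for the variable in its own environment or for the equivalent JVM flag `-Dlog4j2.formatMsgNoLookups=true`. It assumes the standard osquery `processes` and `process_envs` tables.

```sql
-- Added example (not from the original post): per-process check of whether the
-- LOG4J_FORMAT_MSG_NO_LOOKUPS mitigation is actually visible to the process.
-- Assumes the standard osquery tables `processes` and `process_envs`.
SELECT
    p.pid,
    p.name,
    p.path,
    p.cmdline,
    COALESCE(e.value, '<not set>') AS format_msg_no_lookups,
    CASE
        WHEN LOWER(COALESCE(e.value, '')) = 'true'
          OR LOWER(p.cmdline) LIKE '%-dlog4j2.formatmsgnolookups=true%'
        THEN 'mitigated (env var or JVM flag)'
        ELSE 'check: no mitigation visible to this process'
    END AS status
FROM processes AS p
LEFT JOIN process_envs AS e
    ON e.pid = p.pid
   AND e.key = 'LOG4J_FORMAT_MSG_NO_LOOKUPS'
WHERE LOWER(p.cmdline) LIKE '%log4j%'
   OR LOWER(p.name) LIKE 'java%'
ORDER BY status, p.name;
```

Processes reported as "check" still need the jar version confirmed, since an older Log4j build ignores the variable entirely.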