Basic search to find Log4J running on hosts from the DataLake

Basic search which lists processes that include log4j in the cmdline> on Windows, Mac and Linux. The query returns a lot of results but works for an insight into what's running on the estate.

SELECT
meta_hostname AS ep_name,
name,
cmdline,
path,
query_name,
sophos_pid,
pid
FROM xdr_data
WHERE query_name IN( 'running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos')
AND LOWER(cmdline) LIKE '%log4j%'

CraigJones

Top Comments

Parents

Sophos User930 over 2 years ago
If you choose to use the environment variable
```
LOG4J_FORMAT_MSG_NO_LOOKUPS
```
to mitigate the issue, I suppose this would be a quick test to get a list of those computers with the value set one way or another.
```
SELECT
    variable,
    value,
    expand
FROM default_environment
where variable = "LOG4J_FORMAT_MSG_NO_LOOKUPS"
```
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Comment

Sophos User930 over 2 years ago
If you choose to use the environment variable
```
LOG4J_FORMAT_MSG_NO_LOOKUPS
```
to mitigate the issue, I suppose this would be a quick test to get a list of those computers with the value set one way or another.
```
SELECT
    variable,
    value,
    expand
FROM default_environment
where variable = "LOG4J_FORMAT_MSG_NO_LOOKUPS"
```
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Children

No Data

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Basic search to find Log4J running on hosts from the DataLake

Top Comments