
Basic search to find Log4J running on hosts from the DataLake

Basic search which lists processes that include log4j in the cmdline on Windows, Mac and Linux. The query returns a lot of results but works for an insight into what's running on the estate.

-- Running-process tables in the Data Lake for Linux, macOS and Windows;
-- LOWER() makes the cmdline match case-insensitive
SELECT
meta_hostname AS ep_name,
name,
cmdline,
path,
query_name,
sophos_pid,
pid
FROM xdr_data
WHERE query_name IN ('running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos')
AND LOWER(cmdline) LIKE '%log4j%'

  • I created a new Live Endpoint query that searches the sophos_file_journal table for any directory events containing the "Log4" keyword. I'm not sure how accurate this approach is but it sure helped us locate a bunch of servers needing Log4jShell remediation.

    SELECT
    pathname, sophosPID, subject, eventType, event_type
    FROM
    sophos_file_journal
    WHERE
    pathname LIKE '%Log4%';
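Both queries above key on the string "log4j" or "Log4" appearing in a command line or a file path, which is why the first one returns a lot of noise and why neither will see log4j-core bundled inside a fat jar under a different name. The Python below is an added example, not code from either post or from Sophos: it applies the same cmdline test to constructed process records shaped like the xdr_data columns, then opens each jar named on the command line (nested jars included) and looks for the JndiLookup class. The sample jars, hostnames and paths are constructed for the example.

```python
import io, re, tempfile, zipfile
from pathlib import Path

# Class that gives log4j-core its JNDI lookup; a jar carrying it is what a cmdline search cannot see.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
def jar_paths(cmdline):
    """Jar paths on a command line; classpath entries are split on ':' or ';' only right after '.jar'."""
    return [t for t in re.split(r"\s+|(?<=\.jar)[:;]", cmdline) if t.lower().endswith(".jar")]

def jar_has_jndi_lookup(data, depth=0):
    """True if JndiLookup.class sits in this archive or in a jar/war/ear nested up to 3 levels deep."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == JNDI_CLASS or (depth < 3 and name.lower().endswith((".jar", ".war", ".ear"))
                                      and jar_has_jndi_lookup(zf.read(name), depth + 1)):
                return True
    return False

def triage(records):
    """Per record: 'cmdline' when the page's LOWER(cmdline) LIKE '%log4j%' test fires, plus 'jndi_lookup:<jar>' per jar carrying the class."""
    hits = []
    for r in records:
        reasons = ["cmdline"] if "log4j" in r["cmdline"].lower() else []
        for p in map(Path, jar_paths(r["cmdline"])):
            if p.is_file() and jar_has_jndi_lookup(p.read_bytes()):
                reasons.append("jndi_lookup:" + p.name)
        if reasons:
            hits.append((r["meta_hostname"], r["name"], reasons))
    return hits

def make_jar(entries):
    """Build an in-memory jar (a zip) from {name: bytes}; used only to construct the sample estate."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
def demo():
    """Constructed estate: a jar named after log4j, a fat jar hiding it one level down, an unrelated process."""
    with tempfile.TemporaryDirectory() as d:
        core, svc = Path(d, "log4j-core-2.14.1.jar"), Path(d, "service.jar")
        core.write_bytes(make_jar({JNDI_CLASS: b"\xca\xfe\xba\xbe"}))
        svc.write_bytes(make_jar({"lib/logging.jar": make_jar({JNDI_CLASS: b"\xca\xfe\xba\xbe"})}))
        return triage([
            {"meta_hostname": "app01", "name": "java", "cmdline": f"java -cp {core}:app.jar Main"},
            {"meta_hostname": "app02", "name": "java", "cmdline": f"java -jar {svc}"},
            {"meta_hostname": "ws07", "name": "chrome.exe", "cmdline": "chrome.exe https://example.test/log4j-news"},
        ])
```

In the constructed estate, app02 is the host the cmdline and path searches miss and ws07 is the kind of noise the first query returns; on a real host, feed `triage` the rows exported from the Data Lake query.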
