Basic search to find Log4J running on hosts from the DataLake

Basic search which lists processes that include log4j in the cmdline on Windows, Mac and Linux. The query returns a lot of results but works for an insight into what's running on the estate.

SELECT
meta_hostname AS ep_name,
name,
cmdline,
path,
query_name,
sophos_pid,
pid
FROM xdr_data
WHERE query_name IN( 'running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos')
AND LOWER(cmdline) LIKE '%log4j%'

  • Is there a way to filter based on time stamp?

    It would be good to run again after remediation to see whether there are further identifications.

  • last 24 hrs

    SELECT
    DATE_FORMAT(FROM_UNIXTIME(time), '%Y-%m-%dT%H:%i:%SZ') AS process_time,
    meta_hostname AS ep_name,
    name,
    cmdline,
    path,
    query_name,
    sophos_pid,
    pid
    FROM xdr_data
    WHERE query_name IN( 'running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos')
    AND LOWER(cmdline) LIKE '%log4j%'
    AND time > to_unixtime(current_timestamp) - (60*60*24)
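As an added example (not part of the original thread or Sophos' own queries), a follow-up query that collapses the same matches to one row per host over a configurable window, so the result can be compared before and after remediation. It assumes the same xdr_data table, columns and Presto-style functions used in the queries above; the 7-day window and the ARBITRARY() call for a representative command line are assumptions.

```sql
-- Added example, not from the original post: one row per host that still shows a
-- log4j process in the chosen window, with first/last sighting and a sample cmdline.
-- Assumes the xdr_data table and columns used in the thread; the 7-day window
-- (60*60*24*7) is an assumption and should match the remediation cycle being checked.
SELECT
    meta_hostname AS ep_name,
    COUNT(*) AS sightings,
    COUNT(DISTINCT pid) AS distinct_pids,
    DATE_FORMAT(FROM_UNIXTIME(MIN(time)), '%Y-%m-%dT%H:%i:%SZ') AS first_seen,
    DATE_FORMAT(FROM_UNIXTIME(MAX(time)), '%Y-%m-%dT%H:%i:%SZ') AS last_seen,
    -- one representative command line per host (Presto's "any value" aggregate)
    ARBITRARY(cmdline) AS sample_cmdline
FROM xdr_data
WHERE query_name IN ('running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos')
  AND LOWER(cmdline) LIKE '%log4j%'
  AND time > to_unixtime(current_timestamp) - (60*60*24*7)
GROUP BY meta_hostname
ORDER BY last_seen DESC
```

To keep only hosts seen since a remediation run, add a HAVING clause on MAX(time) against that run's epoch timestamp, or shorten the window to start at the run.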
