Basic search to find Log4J running on hosts from the DataLake

Basic search which lists processes that include log4j in the cmdline on Windows, Mac and Linux. The query returns a lot of results but works for an insight into what's running on the estate.

-- One row per observed process whose command line mentions log4j
SELECT
meta_hostname AS ep_name,   -- endpoint the process was seen on
name,                       -- process name
cmdline,                    -- full command line (where the log4j match is)
path,                       -- executable path
query_name,                 -- which OS-specific running_processes table the row came from
sophos_pid,
pid
FROM xdr_data
-- restrict to the running-process tables for each platform
WHERE query_name IN( 'running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos')
-- case-insensitive match on the command line
AND LOWER(cmdline) LIKE '%log4j%'
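An added example, not from the original post or from Sophos: the same search rolled up per host and process so the result set is manageable, with the log4j jar name pulled out of the command line. It assumes the Data Lake SQL dialect supports regexp_extract and positional GROUP BY (Presto/Trino style); the table and columns are the ones used above.

```sql
-- Added example (not the original poster's query).
-- Assumes a Presto/Trino-style dialect: regexp_extract and positional GROUP BY.
SELECT
    meta_hostname AS ep_name,
    name,
    path,
    -- first log4j jar referenced on the command line, e.g. log4j-core-2.14.1.jar
    regexp_extract(LOWER(cmdline), 'log4j[a-z0-9._-]*\.jar') AS log4j_jar,
    COUNT(*) AS observations        -- how many times this host/process combination was seen
FROM xdr_data
WHERE query_name IN (
        'running_processes_linux_events',
        'running_processes_osx_events',
        'running_processes_windows_sophos')
  AND LOWER(cmdline) LIKE '%log4j%'
GROUP BY 1, 2, 3, 4
ORDER BY ep_name, name
```

Rows with an empty log4j_jar still matched on cmdline (for example a -Dlog4j2.formatMsgNoLookups flag or a classpath directory) and are worth reviewing by hand.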

Comment
  • Run these queries:

    Device details - this will list all the machines in the Data Lake and how much data has been sent.

    Data uploads to the Data Lake - this will show you how much data is in the whole data lake for each table. You are looking for data in these tables:

    • running_processes_linux_events
    • running_processes_osx_events
    • running_processes_windows_sophos

    It shouldn't take long for the data to start coming into the data lake, a few hours.
