Approved

over 1 year ago

Please note this query is for Linux operating systems. The Windows query is posted here: https://community.sophos.com/intercept-x-endpoint/i/compliance/basic-search-to-find-log4j-running-on-hosts-from-xdr

Identify vulnerable Log4j Apache components

Note: This query is designed for Linux only. For a basic search which lists processes called Log4J on Windows, Mac and Linux, please view this query.

This query helps customers identify vulnerable Log4J components in their environment. It shows Log4J installed by package managers. If you identify the vulnerable component you should update immediately and review your logs for any sign of malicious exploitation.

select name, version,
regex_match(version,"(\d+)",1) as first,
regex_match(version,"\d+.(\d+)",1) as second,
regex_match(version,"\d+.\d+.(\d+)",1) as third,
regex_match(version,"\d+.\d+.\d+p(\d+)",1) as fourth from deb_packages where name LIKE 'log4j' UNION ALL select name, version,
regex_match(version,"(\d+)",1) as first,
regex_match(version,"\d+.(\d+)",1) as second, regex_match(version,"\d+.\d+.(\d+)",1) as third, regex_match(version,"\d+.\d+.\d+p(\d+)",1) as fourth from rpm_packages where name LIKE 'log4j';

Special thanks to CraigJones

Qoosh

Top Comments

LHerzog over 1 year ago

is that the expected result if no package has been found?

0 Complete, data sent

18 Complete, no data sent

0 Complete, errors

0 Not responded yet

Status: finished – OK
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Ben Johnston1 over 1 year ago in reply to tdem

The XDR software for linux is a manual install after you assign the license in Sophos Central. As of my last testing you can't run Sophos AV for linux and XDR software at the same time. I have/had a case open for this.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Mario Uribe over 1 year ago in reply to Mario Uribe

I believe I narrowed this down to Intercept-X licensing.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Mario Uribe over 1 year ago

When attempting to create a query, I can not see any Linux machines available. When I narrow down the scope the only machines that show are macOS and Windows.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Donavon McKigney over 1 year ago in reply to CraigJones

Is there a query for those devices not in DataLake that can be run in livequery?
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Patrick Moubarak over 1 year ago

This is a Linux-only query... tested on Ubuntu 18.04 LTS.

For some reason, I had to add the % wildcard for it to work:

replace (twice) name LIKE 'log4j' by name LIKE '%log4j%'
- Cancel
- Vote Up +1 Vote Down
- More
- Cancel
Jeremy Berrios over 1 year ago in reply to CraigJones

We are receiving the, "finished – errors – no such table: xdr_data " message as well when using this link for Windows workstations and servers.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
CraigJones over 1 year ago in reply to Brad Krakow

Hey you need to run it on the DataLake not livequery
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Brad Krakow over 1 year ago in reply to CraigJones

Craig,

When I go to the link and create the query I am getting the following error below.

I am getting an error. finished – errors – no such table: xdr_data
- Cancel
- Vote Up +1 Vote Down
- More
- Cancel
Dale Lott over 1 year ago in reply to CraigJones

I am still receiving the same error code.
- Cancel
- Vote Up +1 Vote Down
- More
- Cancel

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Identify vulnerable Log4j Apache components

Note: This query is designed for Linux only. For a basic search which lists processes called Log4J on Windows, Mac and Linux, please view this query.

Top Comments