Please note this query is for Linux operating systems. The Windows query is posted here: https://community.sophos.com/intercept-x-endpoint/i/compliance/basic-search-to-find-log4j-running-on-hosts-from-xdr
This query helps customers identify vulnerable Log4J components in their environment. It shows Log4J installed by package managers. If you identify the vulnerable component, you should update immediately and review your logs for any sign of malicious exploitation.
select name, version,
  regex_match(version, '(\d+)', 1) as first,               -- major
  regex_match(version, '\d+\.(\d+)', 1) as second,         -- minor
  regex_match(version, '\d+\.\d+\.(\d+)', 1) as third,     -- patch
  regex_match(version, '\d+\.\d+\.\d+p(\d+)', 1) as fourth -- optional trailing "pN" suffix
from deb_packages where name LIKE 'log4j'
UNION ALL
select name, version,
  regex_match(version, '(\d+)', 1) as first,
  regex_match(version, '\d+\.(\d+)', 1) as second,
  regex_match(version, '\d+\.\d+\.(\d+)', 1) as third,
  regex_match(version, '\d+\.\d+\.\d+p(\d+)', 1) as fourth
from rpm_packages where name LIKE 'log4j';
Special thanks to CraigJones
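An extended version of the query, added here as an example and not part of the original post or of Sophos' own query: it matches any package whose name contains "log4j" (Debian ships the library as liblog4j2-java and liblog4j1.2-java, so an exact match on 'log4j' returns nothing there), escapes the dots in the version patterns, casts the version components to integers so they compare numerically, and flags Log4j 1.x and any Log4j 2.x build below a threshold. The table and column names are osquery's deb_packages and rpm_packages; the 2.17.0 threshold and the status labels are assumptions to adjust to your own patch baseline.

```sql
-- Added example, not the original post's query. Assumptions: osquery's
-- deb_packages / rpm_packages tables; 2.17.0 as the "patched" threshold.
WITH log4j AS (
  SELECT 'deb' AS source, name, version
  FROM deb_packages WHERE name LIKE '%log4j%'
  UNION ALL
  SELECT 'rpm' AS source, name, version
  FROM rpm_packages WHERE name LIKE '%log4j%'
),
parsed AS (
  SELECT
    source, name, version,
    -- anchor at the start so a Debian revision such as "2.17.0-1" parses as 2 / 17 / 0
    CAST(regex_match(version, '^(\d+)', 1) AS INTEGER)            AS major,
    CAST(regex_match(version, '^\d+\.(\d+)', 1) AS INTEGER)       AS minor,
    CAST(regex_match(version, '^\d+\.\d+\.(\d+)', 1) AS INTEGER)  AS patch
  FROM log4j
)
SELECT
  source, name, version, major, minor, patch,
  CASE
    WHEN major IS NULL OR minor IS NULL THEN 'review: unparsed version string'
    WHEN major = 1                      THEN 'review: Log4j 1.x (end of life)'
    WHEN major = 2 AND minor < 17       THEN 'review: Log4j 2.x below 2.17.0 (assumed threshold)'
    ELSE 'ok'
  END AS status
FROM parsed
ORDER BY source, name;
```

The CAST matters: regex_match returns text, and a text comparison would rank '9' above '16'. Packages that embed Log4j inside their own jars (application bundles, vendor agents) do not appear in the package tables at all, so treat an empty result as "no packaged Log4j", not as "no Log4j".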
Is that the expected result if no package has been found?
0 Complete, data sent
18 Complete, no data sent
0 Complete, errors
0 Not responded yet
Status: finished – OK
The XDR software for linux is a manual install after you assign the license in Sophos Central. As of my last testing you can't run Sophos AV for linux and XDR software at the same time. I have/had a case open for this.
I believe I narrowed this down to Intercept-X licensing.
When attempting to create a query, I cannot see any Linux machines available. When I narrow down the scope, the only machines that show are macOS and Windows.
Is there a query for those devices not in the Data Lake that can be run in Live Query?
This is a Linux-only query... tested on Ubuntu 18.04 LTS.
For some reason, I had to add the % wildcard for it to work:
Replace (twice) name LIKE 'log4j' with name LIKE '%log4j%'
We are receiving the "finished – errors – no such table: xdr_data" message as well when using this link for Windows workstations and servers.
Hey, you need to run it on the Data Lake, not Live Query.
Craig,
When I go to the link and create the query, I am getting the following error below.
I am getting an error: finished – errors – no such table: xdr_data
I am still receiving the same error code.