Hello! How can I use the Live Discover query called "File attributes and metadata" to locate a file that might be stored at any place on a computer, or at different places on different computers? This article on Sophos.com got me to thinking. They suggest "Search right across your estate, taking in clients and servers running Linux, Mac and Windows, looking for files named log4j*.jar." That seems like a perfect task for Live Discover. However, I have only had success with that query when I search for files in specific directories.
I put a text file renamed to "log4j9.jar" in a temp folder on my PC, then tried a query. If I specified file_path "C:\temp\log4%.jar" the Live Query returned results. If I moved the file to another folder and searched with the below file_path entries, nothing was returned. For each of the below, I also tried with * instead of %, but the hint inside the file_path box suggests I should use %. I tried just in case.
I'm concerned about Log4j, of course, but I am also curious how I can use this Live Discovery query in the future, for other problems. How do I tune this query to search the entire drive for a file?
Searching the entire file structure would likely result in a timeout by the watchdog service within the osquery module.
We do have stock queries within the console that allow you search specific file strings. Have you tried those?