Basic search to find Log4J running on hosts from the DataLake

Basic search which lists processes that include log4j in the cmdline> on Windows, Mac and Linux. The query returns a lot of results but works for an insight into what's running on the estate.

SELECT
meta_hostname AS ep_name,
name,
cmdline,
path,
query_name,
sophos_pid,
pid
FROM xdr_data
WHERE query_name IN( 'running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos')
AND LOWER(cmdline) LIKE '%log4j%'

CraigJones

Top Comments

Parents

Brad Krakow over 3 years ago

I am getting an error. finished – errors – no such table: xdr_data
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Dale Lott over 3 years ago in reply to Brad Krakow

I am receiving that error as well.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
CraigJones over 3 years ago in reply to Sly M

Nice work!
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Sly M over 3 years ago in reply to Brad Krakow

I created a new Live Endpoint query that searches the sophos_file_journal table for any directory events containing "Log4" keyword. I'm not sure how accurate this approach is but it sure helped us locate bunch of servers needing Log4jShell remediation.

SELECT
pathname, sophosPID, subject, eventType, event_type
FROM
sophos_file_journal
WHERE
pathname LIKE '%Log4%';
- Cancel
- Vote Up +2 Vote Down
- More
- Cancel
CraigJones over 3 years ago in reply to Dale Lott

It means that only two have Log4J running, yes.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Dale Lott over 3 years ago in reply to CraigJones

Thank you. I only had two results come back, so does that mean that only those two endpoints have the Apache process running?
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Comment

Dale Lott over 3 years ago in reply to CraigJones

Thank you. I only had two results come back, so does that mean that only those two endpoints have the Apache process running?
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Children

CraigJones over 3 years ago in reply to Dale Lott

It means that only two have Log4J running, yes.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Basic search to find Log4J running on hosts from the DataLake

Top Comments

Submitted a Tech Support Case lately from the Support Portal?