topic Re: XQL Query to identify Log4j impacted systems CVE-2021-44228 in Cortex XDR Discussions

XQL Query to identify Log4j impacted systems CVE-2021-44228

GarethDavies — Sun, 12 Dec 2021 20:52:14 GMT

Hello

I am wanting to use XQL and file search to identify any effected machines. searching for files that contain the word log4j results in exceeding maximum results. Has any one developed a query for this yet thats more accurate?

Re: XQL Query to identify Log4j impacted systems CVE-2021-44228

bbarmanroy — Mon, 13 Dec 2021 09:59:13 GMT

Hi @GarethDavies , I'd suggest you to use the file hashes instead of file names to search for the vulnerable libraries to narrow down to the exact list.
If your search results are still exceeding maximum results, please consider searching via subsets of hosts by OS type, or a subset of hashes at a time. This is dependent of your search results, and I recommend you to tune it as you dig around.

Re: XQL Query to identify Log4j impacted systems CVE-2021-44228

etugriceri — Mon, 13 Dec 2021 11:56:41 GMT

Dear @gareth.d

Cortex XDR does not collect content of the files as telemetry data. Which means that you cannot search particular string which is in file by XQL.

But you can write a python script for file content check and upload and execute via Action Center or execute command from action center again.

grep -inR "log4j" /var/www

But please be aware, This action will be pretty exhaustive and might create so much Disk IO.

Re: XQL Query to identify Log4j impacted systems CVE-2021-44228

benjaminmurray — Mon, 13 Dec 2021 18:15:56 GMT

Any chance you could give an example XQL query that would let me load 30+ hashes into one search?

Re: XQL Query to identify Log4j impacted systems CVE-2021-44228

bbarmanroy — Tue, 14 Dec 2021 07:28:26 GMT

Hi @benjaminmurray fresh off the press from Palo Alto Network's Managed Threat Hunting team, you've the query that you're looking for in the section Hunting for Log4Shell in Your Network Section A. Search for the phrase "Attempt to target all hosts that contain a file that matches the SHA256 hash of the Log4j vulnerable versions.". This will only detect any invocation/use of the vulnerable libraries. For searching for the presence of the same, you'd can use the method @etugriceri suggested for searching via Action Center or Python script with the well-known hashes.

Link: https://www.paloaltonetworks.com/blog/security-operations/hunting-for-log4j-cve-20210-44228-log4shell-exploit-activity/

Re: XQL Query to identify Log4j impacted systems CVE-2021-44228

fhu_omi — Fri, 17 Dec 2021 14:14:46 GMT

Hello,

Is there a possibility to extend the xql search to the firewall logs "Session end reason"? Because, if i see sesssion end reason Threat, then i'm not interested because it is blocked. But in the xdr_data dataset is the session end reason not present.

How can Cortex XDR stiching the Agent Logs togther with the firewall logs? Do they build a key in both datasets, like time, srcIP,dstIP, srcPort,dstPort,Protocol?