https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/log4j-batch-file-execution/m-p/456639#M1413 <P>Hi All.</P><P>&nbsp;</P><P>From the Palo alto advisory as per below, we have to run a batch file via our SCCM tool. But I need to understand what version of log4j we are using on our Cortex. How can we find out , Please help</P><P>&nbsp;</P><P><STRONG>To ensure you disable message lookup, follow the following steps</STRONG>:</P><OL><LI><STRONG>Disable Log4j </STRONG><STRONG>message lookups environment variable</STRONG></LI><UL><LI><STRONG>XDR Pro customers</STRONG> - From the <STRONG>Action Center</STRONG>, select <STRONG>Actions</STRONG> &gt; <STRONG>Run Endpoint Script</STRONG> and in the<STRONG> SCRIPT</STRONG> field select<STRONG> execute_command</STRONG>. Specify the <STRONG>Commands_lists(list)</STRONG> field as <STRONG>setx LOG4J_FORMAT_MSG_NO_LOOKUPS true /M</STRONG>. In the next screen, you will have an option to select the target machines.</LI><LI><STRONG>XDR Prevent customers</STRONG> - Execute the following batch script with administrative privileges on your machines: <A href="https://u18414439.ct.sendgrid.net/ls/click?upn=5FITEUMzDMkXYQ5uKAwx-2F3vAthcLYPwU8Y7N8kmjkCOg4qgtt4iaSbBH8dHey5E421hSytD6W0fWaRK7VQBxNo4xqZSz9G-2BL-2FVJK6ESqHCv8H9NNM88uZZiQ4SUrKwReZ-rl_On1sYiza99CExn8i2GCURXG0ZSVSQySCPmraPuSI38mUFnDNdPQ0yTQyg8FgIbuXD4atP5gpeGebUyLRh01DjDlg8lBIdBcsg7OzWmtIKl6VpSnuUP23RG6tvw4-2BTmsnfM6b9U9-2BDI0Ioi5blMv0FKcpoaUVlF1xtfouyUelhAHiePhVqFimMBRZi5o2v8-2FoxWdkBtp-2BpLfCKZnC5j9r-2F0NEAlojCHpcOZlsh4K1gv24-2FMDIiDy41AEpivGc2-2B6Bh-2BJqpKWXNI5fG9r98U2xRQ-3D-3D" target="_blank">https://storage.cloud.google.com/panwxdr-staticfiles/apply_log4shell_workaround.bat</A></LI></UL></OL> Tue, 04 Jan 2022 09:42:09 GMT AsifSid 2022-01-04T09:42:09Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/log4j-batch-file-execution/m-p/456639#M1413 <P>Hi All.</P><P>&nbsp;</P><P>From the Palo alto advisory as per below, we have to run a batch file via our SCCM tool. But I need to understand what version of log4j we are using on our Cortex. How can we find out , Please help</P><P>&nbsp;</P><P><STRONG>To ensure you disable message lookup, follow the following steps</STRONG>:</P><OL><LI><STRONG>Disable Log4j </STRONG><STRONG>message lookups environment variable</STRONG></LI><UL><LI><STRONG>XDR Pro customers</STRONG> - From the <STRONG>Action Center</STRONG>, select <STRONG>Actions</STRONG> &gt; <STRONG>Run Endpoint Script</STRONG> and in the<STRONG> SCRIPT</STRONG> field select<STRONG> execute_command</STRONG>. Specify the <STRONG>Commands_lists(list)</STRONG> field as <STRONG>setx LOG4J_FORMAT_MSG_NO_LOOKUPS true /M</STRONG>. In the next screen, you will have an option to select the target machines.</LI><LI><STRONG>XDR Prevent customers</STRONG> - Execute the following batch script with administrative privileges on your machines: <A href="https://u18414439.ct.sendgrid.net/ls/click?upn=5FITEUMzDMkXYQ5uKAwx-2F3vAthcLYPwU8Y7N8kmjkCOg4qgtt4iaSbBH8dHey5E421hSytD6W0fWaRK7VQBxNo4xqZSz9G-2BL-2FVJK6ESqHCv8H9NNM88uZZiQ4SUrKwReZ-rl_On1sYiza99CExn8i2GCURXG0ZSVSQySCPmraPuSI38mUFnDNdPQ0yTQyg8FgIbuXD4atP5gpeGebUyLRh01DjDlg8lBIdBcsg7OzWmtIKl6VpSnuUP23RG6tvw4-2BTmsnfM6b9U9-2BDI0Ioi5blMv0FKcpoaUVlF1xtfouyUelhAHiePhVqFimMBRZi5o2v8-2FoxWdkBtp-2BpLfCKZnC5j9r-2F0NEAlojCHpcOZlsh4K1gv24-2FMDIiDy41AEpivGc2-2B6Bh-2BJqpKWXNI5fG9r98U2xRQ-3D-3D" target="_blank">https://storage.cloud.google.com/panwxdr-staticfiles/apply_log4shell_workaround.bat</A></LI></UL></OL> Tue, 04 Jan 2022 09:42:09 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/log4j-batch-file-execution/m-p/456639#M1413 AsifSid 2022-01-04T09:42:09Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/log4j-batch-file-execution/m-p/456858#M1414 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/87372">@AsifSid</a>&nbsp;, You're the best person to know what is running in your environments. You can run a XQL query to partially identify if the vulnerable JAR's are being loaded or if JNDI calls are being made in your estate.</P><P>&nbsp;</P><P>This should get you started on the right track:&nbsp;<A href="https://www.paloaltonetworks.com/blog/security-operations/hunting-for-log4j-cve-2021-44228-log4shell-exploit-activity/" target="_blank">https://www.paloaltonetworks.com/blog/security-operations/hunting-for-log4j-cve-2021-44228-log4shell-exploit-activity/</A>.</P> Wed, 05 Jan 2022 03:15:05 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/log4j-batch-file-execution/m-p/456858#M1414 bbarmanroy 2022-01-05T03:15:05Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/log4j-batch-file-execution/m-p/457042#M1417 <P>The link asks us to log into a google account. We're a Microsoft shop, is there anywhere else we can download the file from?</P> Wed, 05 Jan 2022 18:41:28 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/log4j-batch-file-execution/m-p/457042#M1417 Victor1 2022-01-05T18:41:28Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/log4j-batch-file-execution/m-p/457421#M1422 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/91468">@Victor1</a>&nbsp;It is&nbsp;a publicly available link. Are you able to view the link from your mobile or another device?</P> Fri, 07 Jan 2022 02:34:57 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/log4j-batch-file-execution/m-p/457421#M1422 bbarmanroy 2022-01-07T02:34:57Z