https://live.paloaltonetworks.com/t5/panorama-discussions/log4j/m-p/454707#M588 <P>What would I look for in logs if I were looking to see we had already been owned by this?</P> Tue, 21 Dec 2021 14:05:04 GMT RobertShawver 2021-12-21T14:05:04Z https://live.paloaltonetworks.com/t5/panorama-discussions/log4j/m-p/454707#M588 <P>What would I look for in logs if I were looking to see we had already been owned by this?</P> Tue, 21 Dec 2021 14:05:04 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/log4j/m-p/454707#M588 RobertShawver 2021-12-21T14:05:04Z https://live.paloaltonetworks.com/t5/panorama-discussions/log4j/m-p/454730#M589 <P>Hi&nbsp;</P> <P>&nbsp;</P> <P>The default action of the threat prevention profile was to drop the traffic that complied with the signature so you should be ok, however if looking for evidence for log4j traffic a good place to start would either LDAP or rmi traffic going either sourced from or directed to an untrusted network or any network that it shouldn't be, these are the mechanisms by which it was exploited, there is a video <A title="Log4j Mitigation" href="https://youtu.be/4TF2ec8veYM" target="_blank" rel="noopener">here</A></P> <P>please let me know if this is of any use.</P> Tue, 21 Dec 2021 15:24:52 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/log4j/m-p/454730#M589 laurence64 2021-12-21T15:24:52Z