I am wanting to use XQL and file search to identify any effected machines. searching for files that contain the word log4j results in exceeding maximum results. Has any one developed a query for this yet thats more accurate?
Hi @GarethDavies , I'd suggest you to use the file hashes instead of file names to search for the vulnerable libraries to narrow down to the exact list.
If your search results are still exceeding maximum results, please consider searching via subsets of hosts by OS type, or a subset of hashes at a time. This is dependent of your search results, and I recommend you to tune it as you dig around.
Cortex XDR does not collect content of the files as telemetry data. Which means that you cannot search particular string which is in file by XQL.
But you can write a python script for file content check and upload and execute via Action Center or execute command from action center again.
grep -inR "log4j" /var/www
But please be aware, This action will be pretty exhaustive and might create so much Disk IO.
Hi @benjamin.murray fresh off the press from Palo Alto Network's Managed Threat Hunting team, you've the query that you're looking for in the section Hunting for Log4Shell in Your Network Section A. Search for the phrase "Attempt to target all hosts that contain a file that matches the SHA256 hash of the Log4j vulnerable versions.". This will only detect any invocation/use of the vulnerable libraries. For searching for the presence of the same, you'd can use the method @etugriceri suggested for searching via Action Center or Python script with the well-known hashes.
Is there a possibility to extend the xql search to the firewall logs "Session end reason"? Because, if i see sesssion end reason Threat, then i'm not interested because it is blocked. But in the xdr_data dataset is the session end reason not present.
How can Cortex XDR stiching the Agent Logs togther with the firewall logs? Do they build a key in both datasets, like time, srcIP,dstIP, srcPort,dstPort,Protocol?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!