XQL Query to identify Log4j impacted systems CVE-2021-44228

Showing results for 
Show  only  | Search instead for 
Did you mean: 

XQL Query to identify Log4j impacted systems CVE-2021-44228

L1 Bithead



I am wanting to use XQL and file search to identify any effected machines. searching for files that contain the word log4j results in exceeding maximum results. Has any one developed a query for this yet thats more accurate?


L5 Sessionator

Hi @GarethDavies , I'd suggest you to use the file hashes instead of file names to search for the vulnerable libraries to narrow down to the exact list. 
If your search results are still exceeding maximum results, please consider searching via subsets of hosts by OS type, or a subset of hashes at a time. This is dependent of your search results, and I recommend you to tune it as you dig around.

L3 Networker

Dear @gareth.d

Cortex XDR does not collect content of the files as telemetry data. Which means that you cannot search particular string which is in file by XQL.


But you can write a python script for file content check and upload and execute via Action Center or execute command from action center again. 


grep -inR "log4j" /var/www


But please be aware, This action will be pretty exhaustive and might create so much Disk IO.

Any chance you could give an example XQL query that would let me load 30+ hashes into one search?


L5 Sessionator

Hi @benjamin.murray fresh off the press from Palo Alto Network's Managed Threat Hunting team, you've the query that you're looking for in the section Hunting for Log4Shell in Your Network Section A. Search for the phrase "Attempt to target all hosts that contain a file that matches the SHA256 hash of the Log4j vulnerable versions.". This will only detect any invocation/use of the vulnerable libraries. For searching for the presence of the same, you'd can use the method @etugriceri suggested for searching via Action Center or Python script with the well-known hashes. 

Link: https://www.paloaltonetworks.com/blog/security-operations/hunting-for-log4j-cve-20210-44228-log4shel...

L1 Bithead



Is there a possibility to extend the xql search to the firewall logs "Session end reason"? Because, if i see sesssion end reason Threat, then i'm not interested because it is blocked. But in the xdr_data dataset is the session end reason not present.

How can Cortex XDR stiching the Agent Logs togther with the firewall logs? Do they build a key in both datasets, like time, srcIP,dstIP, srcPort,dstPort,Protocol?


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!