XQL Query to identify Log4j impacted systems CVE-2021-44228

Showing results for 
Show  only  | Search instead for 
Did you mean: 

XQL Query to identify Log4j impacted systems CVE-2021-44228

L1 Bithead



I am wanting to use XQL and file search to identify any effected machines. searching for files that contain the word log4j results in exceeding maximum results. Has any one developed a query for this yet thats more accurate?


L1 Bithead



Is there a possibility to extend the xql search to the firewall logs "Session end reason"? Because, if i see sesssion end reason Threat, then i'm not interested because it is blocked. But in the xdr_data dataset is the session end reason not present.

How can Cortex XDR stiching the Agent Logs togther with the firewall logs? Do they build a key in both datasets, like time, srcIP,dstIP, srcPort,dstPort,Protocol?


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!