Splunk Lantern

Log4j exposure in your environment

 

A wide range of applications, frameworks, and tools can make use of Log4j. To understand the extent of your exposure to this remote code execution vulnerability, you can use process execution logging across your environment to find evidence of Log4j activity. Option 1 uses the Endpoint data model to display hosts executing processes with Log4j anywhere in the process name or in the name of the parent executable. Option 2 searches Sysmon process creation data (both Linux and Windows) for all processes, or parent processes, with Log4j in the name.

Required data

Procedure

Option 1 - Using the Endpoint data model

Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Endpoint data model. For information on installing and using the CIM, see the Common Information Model documentation.

Run the following search. You can optimize it by specifying an index and adjusting the time range.

| tstats summariesonly=t values(Processes.parent_process) AS parent_process,values(Processes.process) AS process,latest(_time) AS latest,earliest(_time) AS earliest from datamodel=Endpoint.Processes where (Processes.parent_process="*log4j*" OR Processes.process="*log4j*") by host 
| eval _time=latest
| reltime 
| fields - _time
| convert ctime(latest), ctime(earliest)
| table host parent_process process reltime latest earliest

Search explanation

The table provides an explanation of what each part of this search achieves. 

Splunk Search
    Explanation

| tstats summariesonly=t values(Processes.parent_process) AS parent_process,values(Processes.process) AS process,latest(_time) AS latest,earliest(_time) AS earliest from datamodel=Endpoint.Processes where (Processes.parent_process="*log4j*" OR Processes.process="*log4j*") by host
    Query the Endpoint.Processes data model object for processes, or parent processes, with log4j in the name. For each host, return the distinct parent process and process values seen and the earliest and latest time a match occurred.

| eval _time=latest
    Set _time to the latest match time for each host so that the next command calculates relative time from it.

| reltime
    Creates a reltime field containing the time relative to now (for example, "2 days ago") and adds it to each result.

| fields - _time
    Remove the _time field, which is no longer needed.

| convert ctime(latest), ctime(earliest)
    Convert the epoch timestamps in latest and earliest into human-readable strings.

| table host parent_process process reltime latest earliest
    Display the results in a table with columns in the order shown.

Result

This search returns hosts executing processes with Log4j anywhere in the process name or in the name of the parent executable, indicating your exposure to the vulnerability. You can use the results from this search to prioritize patching for the vulnerability.

Option 2 - Using process creation logs in Sysmon

Run the following search. You can optimize it by specifying an index and adjusting the time range.

(source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR source="Journald:Microsoft-Windows-Sysmon/Operational") EventCode=1 (CommandLine=*log4j* OR ParentCommandLine=*log4j*)
| table _time,host,CommandLine,ParentCommandLine

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search
    Explanation

(source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR source="Journald:Microsoft-Windows-Sysmon/Operational") EventCode=1 (CommandLine=*log4j* OR ParentCommandLine=*log4j*)
    Search the Sysmon Operational log (Windows event log or Linux journald) for EventCode 1, process creation events, in which the process command line or the parent process command line contains log4j.

| table _time,host,CommandLine,ParentCommandLine
    Display the results in a table with columns in the order shown.

Result

This search reviews Sysmon process creation data and returns all processes, or parent processes, with Log4j in the command line, indicating your exposure to the vulnerability. You can use the results from this search to prioritize patching for the vulnerability.
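The Python script below is an added illustration, not part of the Splunk Lantern article and not Splunk code. It reproduces the logic of both searches above over a handful of constructed Sysmon process creation records: the Option 2 filter (EventCode 1 with log4j in CommandLine or ParentCommandLine, matched case-insensitively as Splunk's wildcard match is) and the Option 1 roll-up (per host, the distinct parent process and process values plus the earliest and latest match time, rendered in the same format as convert ctime()). All host names, timestamps and command lines in SAMPLE_EVENTS are made up.

```python
import re
from datetime import datetime

# Constructed sample Sysmon records, reduced to the fields the searches on this
# page use. Host names, times and command lines are invented for illustration.
SAMPLE_EVENTS = [
    {"_time": "2021-12-11T03:12:44Z", "host": "app01", "EventCode": 1,
     "CommandLine": "java -cp /opt/app/lib/log4j-core-2.14.1.jar:/opt/app/app.jar com.example.App",
     "ParentCommandLine": "/bin/bash /opt/app/start.sh"},
    {"_time": "2021-12-11T09:40:02Z", "host": "app01", "EventCode": 1,
     "CommandLine": "sh -c id",
     "ParentCommandLine": "java -cp /opt/app/lib/log4j-core-2.14.1.jar:/opt/app/app.jar com.example.App"},
    {"_time": "2021-12-12T18:05:10Z", "host": "web02", "EventCode": 1,
     "CommandLine": "C:\\Program Files\\Java\\jre\\bin\\java.exe -jar C:\\svc\\Log4J-Demo.jar",
     "ParentCommandLine": "C:\\Windows\\System32\\services.exe"},
    {"_time": "2021-12-12T18:06:00Z", "host": "web02", "EventCode": 3,  # network event, not process creation
     "CommandLine": "java.exe -jar C:\\svc\\log4j-demo.jar",
     "ParentCommandLine": ""},
    {"_time": "2021-12-12T20:00:00Z", "host": "db03", "EventCode": 1,
     "CommandLine": "postgres -D /var/lib/pgsql/data",
     "ParentCommandLine": "/sbin/init"},
]

# Splunk's CommandLine=*log4j* wildcard match is case-insensitive; this regex
# reproduces that behaviour (assumption: your index has not changed the default).
LOG4J = re.compile(r"log4j", re.IGNORECASE)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _ctime(dt):
    # Mirror the output format of Splunk's convert ctime(), e.g. 12/11/2021 03:12:44
    return dt.strftime("%m/%d/%Y %H:%M:%S")


def is_log4j_process_creation(event):
    """Option 2 filter: EventCode 1 with log4j in the process or parent command line."""
    if event.get("EventCode") != 1:
        return False
    return bool(LOG4J.search(event.get("CommandLine", ""))
                or LOG4J.search(event.get("ParentCommandLine", "")))


def option2_table(events):
    """Equivalent of '| table _time,host,CommandLine,ParentCommandLine', newest first
    (Splunk's default result order)."""
    hits = [e for e in events if is_log4j_process_creation(e)]
    hits.sort(key=lambda e: _parse(e["_time"]), reverse=True)
    return [{"_time": e["_time"], "host": e["host"],
             "CommandLine": e["CommandLine"],
             "ParentCommandLine": e["ParentCommandLine"]} for e in hits]


def option1_summary(events):
    """Equivalent of the tstats search: per host, the distinct parent/process values
    and the earliest and latest time a match was seen."""
    summary = {}
    for e in events:
        if not is_log4j_process_creation(e):
            continue
        t = _parse(e["_time"])
        row = summary.setdefault(e["host"], {"parent_process": set(), "process": set(),
                                             "earliest": t, "latest": t})
        row["parent_process"].add(e["ParentCommandLine"])
        row["process"].add(e["CommandLine"])
        row["earliest"] = min(row["earliest"], t)
        row["latest"] = max(row["latest"], t)
    # Render like the SPL output: ctime strings and sorted multivalue fields.
    for row in summary.values():
        row["earliest"] = _ctime(row["earliest"])
        row["latest"] = _ctime(row["latest"])
        row["parent_process"] = sorted(row["parent_process"])
        row["process"] = sorted(row["process"])
    return summary


if __name__ == "__main__":
    for r in option2_table(SAMPLE_EVENTS):
        print(r)
    for host, row in option1_summary(SAMPLE_EVENTS).items():
        print(host, row)
```

Running the script shows the web02 EventCode 3 record dropped (only process creation events count) and app01 appearing twice in the Option 2 table but once, with two process values, in the Option 1 summary. Note the limitation shared by both searches: they only find processes whose command line mentions log4j explicitly, so an application that bundles Log4j inside its own jar or classpath without naming it will not appear. Treat the results as a starting point for exposure assessment, not a complete inventory.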

Next steps

Finally, you might be interested in other processes associated with the Detecting Log4j remote code execution use case.