This blog post covers how:
- Customers can discover servers, running processes and installed software with Agentless Discovery.
- Customers can use advanced Discovery techniques such as File-Based Discovery to detect log4j files and signatures.
- Customers can use Agent Client Collector for Security Incident enrichment.
Running Processes from Agent-less Discovery: Customers can run Agent-less Discovery and see which running processes across their systems are using log4j. In my example, I ran a Quick Discovery on my Linux server, went to Running Processes and queried the parameter for log4j content to see the log4j spray across my environment.
Run Agent-less Discovery: Using the Quick Discovery option on the Discovery Schedule page, run an Agent-less Discovery to discover all assets.
Discovery Status (Completed): Once Discovery has completed and the CIs have been populated, check Running Processes.
Running Processes for log4j content: Search for *log4j in the Parameters field to see which processes are using log4j.
File-Based Discovery: Customers can use advanced Discovery techniques to find log4j files and signatures.
Make sure File-Based Discovery is enabled on your ServiceNow instance. Once it is enabled, go to Discovery Configuration, set the folders you want to scan, and set the frequency to "Every time" in the File-Based Discovery section.
Once the File-Based Discovery setup is complete, run Discovery twice so that the files are discovered and brought back into the ServiceNow CMDB (cmdb_file_information). You will then see them under Discovery Status > Devices > File Information,
or in cmdb_file_information, or in cmdb_unidentified_file_set for unidentified files.
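To make concrete what the two Discovery checks above are looking for, here is an added example that is not part of this post and not ServiceNow code: a small offline inventory script that (1) filters process command lines for log4j references, the same filter as the *log4j parameter search, and (2) walks a directory for jar/war/ear archives and identifies log4j-core inside them, including inside nested (fat) jars, which is the kind of file signature File-Based Discovery is configured to pick up. It goes beyond the post in that it reads the exact log4j-core version from the archive's Maven metadata rather than relying on the file name. All sample command lines and jars are constructed in the script; the helper names (`processes_referencing_log4j`, `inspect_jar`, `scan_directory`, `demo_scan`) are my own.

```python
"""Offline log4j inventory helper (added example, not ServiceNow's code).

Mirrors two Discovery checks in a locally runnable form:
  * running-process parameter search for "log4j"
  * file-based search for log4j-core archives, with version extraction
All inputs below are constructed sample data.
"""
import io
import os
import tempfile
import zipfile
from typing import Iterator, List, Optional

# Constructed sample of what an Agent-less Discovery "Running Processes"
# parameter list might show (not taken from a real host).
SAMPLE_CMDLINES = [
    "/usr/bin/java -cp /opt/app/lib/log4j-core-2.14.1.jar:/opt/app/app.jar com.example.Main",
    "/usr/sbin/sshd -D",
    "java -Dlog4j2.formatMsgNoLookups=true -jar /srv/svc/service.jar",
    "/usr/bin/python3 /opt/tools/monitor.py",
]

# Maven metadata that log4j-core jars ship with, and a log4j-core 2.x class
# commonly used as a presence signature when the metadata is missing.
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def processes_referencing_log4j(cmdlines: List[str]) -> List[str]:
    """Return command lines whose parameters mention log4j (case-insensitive)."""
    return [c for c in cmdlines if "log4j" in c.lower()]


def inspect_jar(data: bytes, origin: str, depth: int = 0) -> Iterator[dict]:
    """Yield one record per log4j-core found in an archive, recursing into
    nested archives (origin is written as outer.jar!/inner/path.jar)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    version: Optional[str] = None
    if POM_PATH in names:
        for line in zf.read(POM_PATH).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if version or JNDI_CLASS in names:
        yield {"path": origin, "version": version, "jndi_lookup": JNDI_CLASS in names}
    if depth >= 3:  # bound recursion on pathological nesting
        return
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            yield from inspect_jar(zf.read(name), f"{origin}!/{name}", depth + 1)


def scan_directory(root: str) -> List[dict]:
    """Walk root and inspect every archive found."""
    results: List[dict] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    results.extend(inspect_jar(fh.read(), full))
    return results


def build_sample_jar(version: str, nested: bool = False) -> bytes:
    """Construct an in-memory archive shaped like log4j-core (sample data only:
    Maven metadata plus an empty placeholder for the JndiLookup class)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, f"#constructed sample\nversion={version}\n"
                              "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        zf.writestr(JNDI_CLASS, b"")
    inner = buf.getvalue()
    if not nested:
        return inner
    outer = io.BytesIO()  # wrap it the way a Spring Boot style fat jar would
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(f"BOOT-INF/lib/log4j-core-{version}.jar", inner)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return outer.getvalue()


def demo_scan() -> List[dict]:
    """Write three constructed jars (plain log4j-core, nested, unrelated) to a
    temporary directory and return what the scan finds there."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "log4j-core-2.14.1.jar"), "wb") as fh:
            fh.write(build_sample_jar("2.14.1"))
        with open(os.path.join(d, "service.jar"), "wb") as fh:
            fh.write(build_sample_jar("2.14.1", nested=True))
        plain = io.BytesIO()
        with zipfile.ZipFile(plain, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        with open(os.path.join(d, "plain.jar"), "wb") as fh:
            fh.write(plain.getvalue())
        return scan_directory(d)


if __name__ == "__main__":
    for c in processes_referencing_log4j(SAMPLE_CMDLINES):
        print("process:", c)
    for r in demo_scan():
        print("archive:", r)
```

Run it as-is to see the constructed output, or point `scan_directory` at a real application folder; the records list the archive path (with `!/` marking a nested hit), the version read from pom.properties, and whether the JndiLookup class is present, which is the information you would want alongside the process name and jar path that Discovery reports.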
Agent Client Collector for Security Incident Enrichment:
Customers need to enable the ACC SIR plugin on their instance to use this capability, install the Agent on the CIs, and make sure the Agents are connected to the instance with a status of "Up". With this plugin, customers can whitelist the osquery queries and commands that Security Analysts are allowed to run from incident records.
Whitelist the log4j query to use for detection.
Customers can go to Discovered CIs > Dependency Views to see the Security Incidents associated with a CI, or open the Security Incident list view to see all security incidents.
Dependency View:
Or the Security Incident list view:
Customers will see the Agent Client Collector capabilities on the Security Incident record, where they can select a whitelisted query, click "Submit", and see the output in the work notes.
As you can see, the log4jdetection query was executed on the CI and came back with a result in the work notes showing the process name and the jar path.
With this, customers can automate log4j detection with Discovery and use the ACC SIR app to enrich security incidents with live information from the CI.
Related Links:
Agent Client Collector Security Incident Response app