Detection rules for Log4J?s

Curious if anyone has rules in Elastic SIEM for log4j. I didn't see anything in the rule feed on Github and was wondering if there will be native rules for this.

Hey @n2x4 ,

We've shared a few rules here: Detecting Exploitation of CVE-2021-44228 (log4j2) with Elastic Security | Elastic Blog

Yesterday an out of band update went out, updating some of our existing rules to detect related behaviours - Update v0.14.3 | Elastic Security Solution [7.16] | Elastic

Thanks!
James

2 Likes

Hey @jamesspi,

We are using filebeat and windlogsbeat to ingest elastic.

Do you know if it is possible for us to implement this detections rules or it needs another feature to configure these rules?

Like Endpoint security, Endgame, audit beat....

Hey @jbal24 ,

If you're using beats, you'll need winlogbeat + sysmon on Windows and Auditbeat on *nix/macOS for these rules to be effective.

Otherwise, our Endpoint Security integration for Elastic Agent ingests the data needed.

James

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.