Curious if anyone has rules in Elastic SIEM for log4j. I didn't see anything in the rule feed on Github and was wondering if there will be native rules for this.

Hey @jamesspi , We are using filebeat and windlogsbeat to ingest elastic. Do you know if it is possible for us to implement this detections rules or it needs another feature to configure these rules? Like Endpoint security, Endgame, audit beat....

Hey @jbal24 , If you're using beats, you'll need winlogbeat + sysmon on Windows and Auditbeat on *nix/macOS for these rules to be effective. Otherwise, our Endpoint Security integration for Elastic Agent ingests the data needed. James

Detection rules for Log4J?s

Elastic Security

jamesspi (Jamesspi) December 15, 2021, 5:13pm 2

Hey @n2x4 ,

We've shared a few rules here: Detecting Exploitation of CVE-2021-44228 (log4j2) with Elastic Security | Elastic Blog

Yesterday an out of band update went out, updating some of our existing rules to detect related behaviours - Update v0.14.3 | Elastic Security Solution [7.16] | Elastic

Thanks!
James

Topic		Replies	Views
Detecting Exploitation of CVE-2021-44228 (log4j2) with Elastic Security Elastic Security	1	385	January 13, 2022
How to detect log4shell in the application logs? Elasticsearch	1	414	January 12, 2022
Run Elastic detection rule in non real time logs SIEM	2	744	October 9, 2021
Elastic Defend - Is default logging on the endpoint enough? Elastic Security	3	708	December 12, 2023
Log4j Critical Vulnerability Elastic Security	2	2787	January 7, 2022

Detection rules for Log4J?s

Related topics