Log4j auditbeat detection rule

fgjensen · December 17, 2021, 4:07pm

Hello

Referring to this blog post I am trying to configure the auditbeat detection rule in Kibana 7.16.1 as a new event correlation rule.

However when I past the rule into the EQL form this error is reported:

verification_exception: Found 1 problem line 13:3: Unknown column [process.parent.name], did you mean any of [process.thread.name, process.name, process.thread.id, process.uptime, process.args, process.entity_id, process.executable, process.hash.md5, process.hash.sha1, process.start, process.title, user_agent.name]?

Could you, please, provide me a hint to solve this issue?

Best regards
Flemming

willemdh · December 29, 2021, 12:45pm

I was also unable to use that query. Auditbeat doesnt index the process parent info..

system · January 26, 2022, 12:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastic Security Prebuilt Rules Error Elastic Security	8	254	July 30, 2024
Auditbeat's process module produces error in Kibana for field [process.created] Beats auditbeat	1	525	February 24, 2020
Rule Failure Elastic Security	5	57	October 1, 2024
Verification_exception Error during Rule Execution Elastic Security	4	2625	August 13, 2021
Elastic prebuilt rules error Elastic Security	3	1040	July 17, 2023

Log4j auditbeat detection rule

Related Topics