Log4j auditbeat detection rule

Hello

Referring to this blog post I am trying to configure the auditbeat detection rule in Kibana 7.16.1 as a new event correlation rule.

However when I past the rule into the EQL form this error is reported:

verification_exception: Found 1 problem line 13:3: Unknown column [process.parent.name], did you mean any of [process.thread.name, process.name, process.thread.id, process.uptime, process.args, process.entity_id, process.executable, process.hash.md5, process.hash.sha1, process.start, process.title, user_agent.name]?

Could you, please, provide me a hint to solve this issue?

Best regards
Flemming

1 Like

I was also unable to use that query. Auditbeat doesnt index the process parent info..

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.