Log4j auditbeat detection rule

Hello

Referring to this blog post I am trying to configure the auditbeat detection rule in Kibana 7.16.1 as a new event correlation rule.

However when I past the rule into the EQL form this error is reported:

verification_exception: Found 1 problem line 13:3: Unknown column [process.parent.name], did you mean any of [process.thread.name, process.name, process.thread.id, process.uptime, process.args, process.entity_id, process.executable, process.hash.md5, process.hash.sha1, process.start, process.title, user_agent.name]?

Could you, please, provide me a hint to solve this issue?

Best regards
Flemming

1 Like

I was also unable to use that query. Auditbeat doesnt index the process parent info..