Which SIEM platforms have a CVE-2026-34197 detection rule?

df00tech provides CVE-2026-34197 (Apache ActiveMQ Improper Input Validation (CVE-2026-34197)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Apache ActiveMQ Improper Input Validation (CVE-2026-34197) (CVE-2026-34197)?

Detecting Apache ActiveMQ Improper Input Validation (CVE-2026-34197) requires the following data sources: CommonSecurityLog, DeviceNetworkEvents, DeviceProcessEvents.

What severity and confidence is the CVE-2026-34197 detection?

The CVE-2026-34197 detection is rated critical severity with medium confidence.

What are common false positives for CVE-2026-34197?

Common false positives for CVE-2026-34197 include: Legitimate ActiveMQ administrative tasks via CLI tools such as activemq-admin or management scripts; Authorized penetration testing or red team exercises targeting ActiveMQ brokers; Java process restarts or health-check scripts spawned by monitoring agents.

CVE-2026-34197 Detection: Apache ActiveMQ Improper Input Validation (CVE-2026-34197) (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let activemq_ports = dynamic([61616, 61617, 8161, 8162, 5672, 1883, 61613]);
let suspiciousPatterns = dynamic(["classInfo", "ExceptionResponse", "../", "%2e%2e", "cmd.exe", "/bin/sh", "powershell", "wget", "curl", "ClassPathXmlApplicationContext"]);
union
(
  CommonSecurityLog
  | where TimeGenerated > ago(24h)
  | where DestinationPort in (activemq_ports) or SourcePort in (activemq_ports)
  | where Message has_any (suspiciousPatterns) or RequestURL has_any (suspiciousPatterns)
  | extend AttackVector = "network_request"
),
(
  DeviceNetworkEvents
  | where TimeGenerated > ago(24h)
  | where RemotePort in (activemq_ports) or LocalPort in (activemq_ports)
  | where InitiatingProcessCommandLine has_any (suspiciousPatterns)
  | extend AttackVector = "process_network"
),
(
  DeviceProcessEvents
  | where TimeGenerated > ago(24h)
  | where ParentProcessName in~ ("activemq.bat", "activemq", "java") or ProcessCommandLine has "activemq"
  | where ProcessCommandLine has_any (["cmd.exe", "powershell", "bash", "sh", "wget", "curl", "nc", "ncat", "/tmp/", "base64"])
  | extend AttackVector = "process_spawn"
)
| project TimeGenerated, AttackVector, DeviceName, AccountName, ProcessCommandLine, RemoteIP, RemotePort, AdditionalFields
| summarize Count=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Vectors=make_set(AttackVector) by DeviceName, RemoteIP
| where Count >= 1

Detects Apache ActiveMQ exploitation attempts via CVE-2026-34197 by correlating suspicious network connections to ActiveMQ ports with process spawning anomalies and known malicious payload patterns in network traffic and process command lines.

critical severity medium confidence

Data Sources

CommonSecurityLog DeviceNetworkEvents DeviceProcessEvents

Required Tables

CommonSecurityLog DeviceNetworkEvents DeviceProcessEvents

False Positives

Legitimate ActiveMQ administrative tasks via CLI tools such as activemq-admin or management scripts
Authorized penetration testing or red team exercises targeting ActiveMQ brokers
Java process restarts or health-check scripts spawned by monitoring agents
Scheduled data pipeline scripts that use curl or wget to interact with ActiveMQ REST API

Splunk

spl

index=* sourcetype IN ("cisco:asa", "pan:traffic", "stream:tcp", "xmlwf", "syslog", "WinEventLog:Security", "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval activemq_port=if(dest_port IN (61616, 61617, 8161, 8162, 5672, 1883, 61613) OR src_port IN (61616, 61617, 8161, 8162, 5672, 1883, 61613), 1, 0)
| eval suspicious_cmd=if(match(CommandLine, "(?i)(classinfo|ClassPathXmlApplicationContext|ExceptionResponse|cmd\.exe|/bin/sh|powershell|wget|curl|base64|ncat|/tmp/)"), 1, 0)
| eval suspicious_proc=if(match(ParentImage, "(?i)(activemq|java)") AND suspicious_cmd=1, 1, 0)
| where activemq_port=1 OR suspicious_proc=1
| eval attack_vector=case(suspicious_proc=1, "process_spawn", activemq_port=1 AND suspicious_cmd=1, "network_payload", activemq_port=1, "port_contact", true(), "unknown")
| stats count AS event_count, values(attack_vector) AS attack_vectors, min(_time) AS first_seen, max(_time) AS last_seen, values(dest_ip) AS dest_ips, values(CommandLine) AS command_lines BY src_ip, host
| where event_count >= 1
| eval severity="critical"
| sort -event_count

Detects CVE-2026-34197 exploitation attempts in Apache ActiveMQ by identifying anomalous connections to ActiveMQ service ports combined with suspicious child process spawning from Java/ActiveMQ parent processes.

critical severity medium confidence

Data Sources

Firewall logs Sysmon Windows Security Event Log Network traffic

Required Sourcetypes

cisco:asa pan:traffic stream:tcp WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate administrative connections to ActiveMQ broker ports from authorized management hosts
Automated monitoring scripts that spawn child processes from the ActiveMQ service account
Java application servers co-located with ActiveMQ that naturally communicate on these ports
Security scanning tools performing authorized vulnerability assessments against ActiveMQ

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [network where event.action in ("connection_attempted", "connection_accepted") and
   (destination.port in (61616, 61617, 8161, 8162, 5672, 1883, 61613) or
    source.port in (61616, 61617, 8161, 8162, 5672, 1883, 61613)) and
   not source.ip in ("127.0.0.1", "::1")]
  [process where event.type == "start" and
   (process.parent.name in ("java", "activemq", "activemq.bat", "wrapper") or
    process.parent.executable like~ "*activemq*") and
   process.name in ("cmd.exe", "powershell.exe", "bash", "sh", "dash", "wget", "curl", "nc", "ncat", "python", "python3", "perl") and
   not process.args_count == 0]

EQL sequence detection correlating ActiveMQ network connections followed within 5 minutes by anomalous child process spawning from Java or ActiveMQ parent processes, indicating CVE-2026-34197 post-exploitation activity.

critical severity high confidence

Data Sources

Elastic Endpoint Packetbeat Winlogbeat Filebeat

Required Tables

logs-endpoint.events.network-* logs-endpoint.events.process-*

False Positives

Authorized remote management sessions that legitimately spawn shell processes
ActiveMQ startup or shutdown scripts that invoke shell utilities
Integration middleware that triggers scripted workflows via ActiveMQ message consumption

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  sourceport,
  username,
  "Application" AS application,
  QIDNAME(qid) AS event_name,
  category,
  logsourcename(logsourceid) AS log_source,
  payload
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Linux OS', 'Palo Alto PA Series', 'Cisco ASA')
  AND (
    destinationport IN (61616, 61617, 8161, 8162, 5672, 1883, 61613)
    OR sourceport IN (61616, 61617, 8161, 8162, 5672, 1883, 61613)
  )
  AND (
    payload ILIKE '%ClassPathXmlApplicationContext%'
    OR payload ILIKE '%classInfo%'
    OR payload ILIKE '%cmd.exe%'
    OR payload ILIKE '%powershell%'
    OR payload ILIKE '%./%..%'
    OR payload ILIKE '%wget%'
    OR payload ILIKE '%curl%'
    OR payload ILIKE '%base64%'
  )
  AND LOGSOURCESTARTTIME(starttime) > NOW() - 86400 SECONDS
ORDER BY starttime DESC
LAST 24 HOURS

QRadar AQL query to identify suspicious payloads traversing ActiveMQ service ports that match known CVE-2026-34197 exploitation patterns including class injection strings, path traversal sequences, and shell command indicators.

critical severity medium confidence

Data Sources

Windows Security Event Log Linux syslog Firewall logs IDS/IPS

Required Tables

events

False Positives

Legitimate ActiveMQ applications that include class names like ClassPathXmlApplicationContext in normal Spring configuration
Administrative tools that connect to ActiveMQ ports and log connection metadata
Base64-encoded message payloads that are part of normal business message traffic

Sumo Logic CSE

sql

_sourceCategory=*activemq* OR _sourceCategory=*network* OR _sourceCategory=*firewall* OR _sourceCategory=*endpoint*
| where !(src_ip matches "127.0.0.1" or src_ip matches "::1")
| where dest_port in ("61616", "61617", "8161", "8162", "5672", "1883", "61613") or src_port in ("61616", "61617", "8161", "8162", "5672", "1883", "61613")
| parse regex field=_raw "(?<suspicious_string>ClassPathXmlApplicationContext|classInfo|ExceptionResponse|cmd\.exe|powershell|/bin/sh|wget|curl|base64|ncat|\.\./)" nodrop
| where !isNull(suspicious_string) or !isEmpty(suspicious_string)
| timeslice 5m
| stats count as event_count, values(suspicious_string) as indicators, values(src_ip) as source_ips by _timeslice, dest_ip, dest_port, _sourceHost
| where event_count >= 1
| sort by _timeslice desc

Sumo Logic query detecting CVE-2026-34197 exploitation activity by searching for known malicious string patterns within traffic destined for Apache ActiveMQ service ports across network and endpoint log sources.

critical severity medium confidence

Data Sources

Firewall logs Endpoint security logs ActiveMQ application logs Network flow logs

Required Tables

_sourceCategory=*activemq* _sourceCategory=*network* _sourceCategory=*endpoint*

False Positives

Spring Framework applications using ClassPathXmlApplicationContext in ActiveMQ message bodies as part of normal operations
Authorized security testing or red team exercises against ActiveMQ infrastructure
Network scanners performing port discovery that happen to probe ActiveMQ ports

Google Chronicle / SecOps

yaral

rule cve_2026_34197_activemq_exploitation {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2026-34197 Apache ActiveMQ improper input validation exploitation"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt"
    tags = "cve-2026-34197, activemq, cwe-20, cwe-94, kev"

  events:
    (
      // Network event to ActiveMQ ports
      $net.metadata.event_type = "NETWORK_CONNECTION"
      $net.target.port in (61616, 61617, 8161, 8162, 5672, 1883, 61613)
      $net.principal.ip != "127.0.0.1"
      (
        $net.network.http.request_url = /ClassPathXmlApplicationContext/ nocase or
        $net.network.http.request_url = /\.\.\/\.\.\// nocase or
        $net.metadata.description = /classInfo|ExceptionResponse/ nocase
      )
    )
    or
    (
      // Process launched as child of ActiveMQ/Java with suspicious commands
      $proc.metadata.event_type = "PROCESS_LAUNCH"
      $proc.principal.process.file.full_path = /activemq|java/ nocase
      $proc.target.process.file.full_path = /cmd\.exe|powershell|bash|sh|wget|curl|ncat|python/ nocase
    )

  condition:
    $net or $proc
}

Chronicle YARA-L 2.0 rule detecting CVE-2026-34197 Apache ActiveMQ exploitation via network connections containing known malicious payload patterns or anomalous child process spawning from ActiveMQ/Java parent processes.

critical severity medium confidence

Data Sources

Chronicle UDM network events Chronicle UDM process events GCP VPC Flow Logs Chronicle endpoint telemetry

Required Tables

network_connection process_launch

False Positives

Legitimate Spring Framework message-driven beans that reference ClassPathXmlApplicationContext in payload content
Authorized penetration tests or red team operations against ActiveMQ deployments
Java process management tools that spawn shell interpreters for lifecycle management

CrowdStrike LogScale (CQL)

cql

#event_simpleName IN ("NetworkConnectIP4", "NetworkConnectIP6", "ProcessRollup2", "SyntheticProcessRollup2")
| eval activemq_port=if(RemotePort IN ("61616", "61617", "8161", "8162", "5672", "1883", "61613") OR LocalPort IN ("61616", "61617", "8161", "8162", "5672", "1883", "61613"), true(), false())
| eval suspicious_child=if(match(ParentBaseFileName, "(?i)java|activemq") AND match(FileName, "(?i)cmd\.exe|powershell\.exe|bash|sh|wget|curl|nc|ncat|python"), true(), false())
| eval payload_ioc=if(match(CommandLine, "(?i)ClassPathXmlApplicationContext|classInfo|ExceptionResponse|base64|/tmp/|%TEMP%"), true(), false())
| where activemq_port=true() OR suspicious_child=true() OR payload_ioc=true()
| eval attack_signal=case(suspicious_child=true() AND (activemq_port=true() OR payload_ioc=true()), "high_confidence_exploit", suspicious_child=true(), "suspicious_child_process", payload_ioc=true(), "malicious_payload", activemq_port=true(), "port_probe", true(), "unknown")
| stats count() AS event_count, values(RemoteIP) AS remote_ips, values(CommandLine) AS commands, values(attack_signal) AS signals BY ComputerName, UserName, ParentBaseFileName, FileName
| where event_count >= 1
| sort -event_count

CrowdStrike Falcon LogScale query detecting CVE-2026-34197 exploitation through network connections to ActiveMQ service ports, suspicious child process spawning from Java/ActiveMQ parent processes, and malicious payload indicators in command-line arguments.

critical severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon Network Detection CrowdStrike Falcon Identity Protection

Required Tables

NetworkConnectIP4 NetworkConnectIP6 ProcessRollup2

False Positives

Authorized ActiveMQ management operations that use Java utilities or shell scripts
Red team or authorized penetration testing activities targeting ActiveMQ infrastructure
Legitimate application middleware spawning scripts from Java-based ActiveMQ consumers
Monitoring agents that use curl or wget to poll the ActiveMQ REST API for health status

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2026-34197 Apache ActiveMQ Improper Input Validation (CVE-2026-34197)?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2026-34197

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox