Which SIEM platforms have a CVE-2026-44179 detection rule?

df00tech provides CVE-2026-44179 (CVE-2026-44179: XWiki Pro Macros RCE via Excerpt-Include Macro) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect CVE-2026-44179: XWiki Pro Macros RCE via Excerpt-Include Macro (CVE-2026-44179)?

Detecting CVE-2026-44179: XWiki Pro Macros RCE via Excerpt-Include Macro requires the following data sources: Microsoft Defender for Endpoint, Microsoft Sentinel, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents.

What severity and confidence is the CVE-2026-44179 detection?

The CVE-2026-44179 detection is rated critical severity with medium confidence.

What are common false positives for CVE-2026-44179?

Common false positives for CVE-2026-44179 include: Legitimate XWiki administrative scripts that spawn shell processes for maintenance tasks; Authorized penetration testing or red team exercises targeting XWiki instances; Java application servers running on the same host that spawn shell processes for unrelated reasons.

CVE-2026-44179: CVE-2026-44179: XWiki Pro Macros RCE via Excerpt-Include Macro — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

union DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents
| where TimeGenerated >= ago(24h)
| where (
    (ActionType == "ProcessCreated" and InitiatingProcessParentFileName has_any ("java", "xwiki") and FileName in~ ("bash", "sh", "cmd.exe", "powershell.exe", "whoami", "id", "curl", "wget", "nc", "ncat"))
    or
    (ActionType == "NetworkConnectionSuccess" and InitiatingProcessParentFileName has_any ("java", "xwiki") and RemotePort in (4444, 1337, 9001, 8888))
    or
    (ActionType == "FileCreated" and InitiatingProcessFileName has_any ("java") and FolderPath has_any ("/xwiki", "xwiki-data", "XWiki"))
)
| extend RiskIndicator = case(
    ActionType == "ProcessCreated" and FileName in~ ("bash", "sh", "cmd.exe", "powershell.exe"), "Shell spawned from Java/XWiki process",
    ActionType == "NetworkConnectionSuccess" and RemotePort in (4444, 1337, 9001, 8888), "Reverse shell outbound connection from XWiki JVM",
    ActionType == "FileCreated" and FolderPath has_any ("/xwiki", "xwiki-data"), "File written by XWiki JVM process",
    "Suspicious XWiki JVM activity"
)
| project TimeGenerated, DeviceName, ActionType, FileName, FolderPath, RemoteIP, RemotePort, InitiatingProcessParentFileName, InitiatingProcessCommandLine, RiskIndicator
| order by TimeGenerated desc

Detects suspicious process spawning, outbound network connections, and file creation events originating from Java/XWiki processes, which may indicate RCE exploitation via CVE-2026-44179 excerpt-include macro injection.

critical severity medium confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel DeviceProcessEvents DeviceNetworkEvents DeviceFileEvents

Required Tables

DeviceProcessEvents DeviceNetworkEvents DeviceFileEvents

False Positives

Legitimate XWiki administrative scripts that spawn shell processes for maintenance tasks
Authorized penetration testing or red team exercises targeting XWiki instances
Java application servers running on the same host that spawn shell processes for unrelated reasons
Automated backup or deployment scripts executed in the context of the XWiki JVM

Splunk

spl

index=* sourcetype IN ("linux_audit", "wineventlog", "sysmon", "osquery", "crowdstrike:events:sensor")
| eval is_xwiki_parent = if(match(parent_process_name, "(?i)(java|xwiki)") OR match(ParentProcessName, "(?i)(java|xwiki)"), 1, 0)
| eval suspicious_child = if(match(process_name, "(?i)(bash|sh|cmd\.exe|powershell\.exe|whoami|id|curl|wget|nc|ncat|python|perl|ruby)") OR match(ProcessName, "(?i)(bash|sh|cmd\.exe|powershell\.exe|whoami|id|curl|wget|nc|ncat)"), 1, 0)
| eval reverse_shell_port = if(dest_port IN ("4444", "1337", "9001", "8888", "443", "80") AND (match(process_name, "(?i)java") OR match(app, "(?i)xwiki")), 1, 0)
| eval xwiki_file_write = if(match(file_path, "(?i)(xwiki|xwiki-data|XWikiStore)") AND match(process_name, "(?i)java"), 1, 0)
| where is_xwiki_parent=1 AND (suspicious_child=1 OR reverse_shell_port=1 OR xwiki_file_write=1)
| eval risk_score = case(
    suspicious_child=1 AND is_xwiki_parent=1, 90,
    reverse_shell_port=1, 80,
    xwiki_file_write=1, 60,
    true(), 50
  )
| eval risk_indicator = case(
    suspicious_child=1, "Shell or interpreter spawned from XWiki/Java process",
    reverse_shell_port=1, "Outbound connection on high-risk port from XWiki JVM",
    xwiki_file_write=1, "File written to XWiki directory by Java process",
    true(), "Suspicious XWiki JVM activity"
  )
| table _time, host, user, process_name, parent_process_name, command_line, dest, dest_port, file_path, risk_score, risk_indicator
| sort -risk_score

Identifies process execution anomalies, outbound connections, and file write events from Java/XWiki processes consistent with RCE exploitation of CVE-2026-44179 via crafted excerpt-include macro payloads.

critical severity medium confidence

Data Sources

Linux Audit Windows Event Log Sysmon CrowdStrike Falcon osquery

Required Sourcetypes

linux_audit wineventlog sysmon osquery crowdstrike:events:sensor

False Positives

XWiki plugins or extensions that legitimately invoke shell commands for document conversion or indexing
Authorized security scanning tools running as the xwiki service user
Java-based monitoring agents that establish outbound connections from the same host
Scheduled maintenance jobs that write temporary files to XWiki data directories

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start"
    and (process.parent.name : ("java", "java.exe") or process.parent.executable : ("*/xwiki/*", "*\\xwiki\\*"))
    and process.name : ("bash", "sh", "dash", "zsh", "cmd.exe", "powershell.exe", "whoami", "id", "curl", "wget", "nc", "ncat", "python*", "perl", "ruby")
  ] by process.parent.pid
  [any where event.category : ("network", "file")
    and (
      (event.category == "network" and destination.port in (4444, 1337, 9001, 8888) and network.direction == "egress")
      or
      (event.category == "file" and event.type == "creation" and file.path : ("*/xwiki-data/*", "*/XWiki/*", "*xwiki*"))
    )
  ] by process.pid

EQL sequence rule correlating suspicious child process spawning from XWiki JVM with subsequent network or file activity, strongly indicative of CVE-2026-44179 exploitation via Groovy/Velocity SSTI through the excerpt-include macro.

critical severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent Auditbeat Winlogbeat

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* logs-endpoint.events.file-*

False Positives

Legitimate XWiki macros that call external processes for PDF rendering or office document conversion
Java application management scripts that run alongside XWiki on the same host
Security agents that spawn child processes from the Java service account
Build or CI/CD processes that briefly run commands under the xwiki user

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  destinationip,
  destinationport,
  username,
  QIDNAME(qid) AS event_name,
  "Process Name" AS process_name,
  "Parent Process Name" AS parent_process_name,
  "Command Line" AS command_line,
  magnitude
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'Microsoft Windows', 'Sysmon', 'CrowdStrike Falcon')
  AND (
    (
      ("Parent Process Name" ILIKE '%java%' OR "Parent Process Name" ILIKE '%xwiki%')
      AND "Process Name" ILIKE ANY ('%bash%', '%/sh%', '%cmd.exe%', '%powershell%', '%whoami%', '%wget%', '%curl%', '%nc%')
    )
    OR
    (
      (logsourcename(logsourceid) ILIKE '%xwiki%' OR username ILIKE '%xwiki%')
      AND destinationport IN (4444, 1337, 9001, 8888)
      AND category = 1002
    )
  )
  AND starttime > NOW() - 24 HOURS
ORDER BY magnitude DESC
LIMIT 200

QRadar AQL query to surface process execution and network connection events from Java/XWiki processes consistent with remote code execution exploitation of CVE-2026-44179.

critical severity medium confidence

Data Sources

QRadar SIEM Linux OS log source Windows Security Sysmon CrowdStrike Falcon

Required Tables

events

False Positives

XWiki-integrated document processing tools that invoke command-line utilities
Monitoring agents polling the xwiki service and generating outbound connections
Automated provisioning scripts running under the xwiki OS account
Network scanners or vulnerability assessment tools running from the XWiki host

Sumo Logic CSE

sql

_sourceCategory=* ("java" OR "xwiki")
| parse regex field=_raw "(?<parent_process>java|xwiki)[^\n]*?(?<child_process>bash|sh|cmd\.exe|powershell\.exe|whoami|id|curl|wget|nc|ncat|python|perl)" nodrop
| parse regex field=_raw "(?<dest_port>4444|1337|9001|8888)" nodrop
| parse regex field=_raw "(?<xwiki_path>xwiki-data|XWikiStore|xwiki/data)[^\s]*" nodrop
| where !isNull(child_process) OR !isNull(dest_port) OR !isNull(xwiki_path)
| eval risk_indicator = if(!isNull(child_process), "Shell spawned from XWiki JVM: " + child_process,
    if(!isNull(dest_port), "Outbound connection on port " + dest_port + " from XWiki context",
    "XWiki data path access: " + xwiki_path))
| eval severity = if(!isNull(child_process), "CRITICAL",
    if(!isNull(dest_port), "HIGH", "MEDIUM"))
| count by _sourceHost, risk_indicator, severity
| sort by severity, _count desc

Sumo Logic query detecting indicators of RCE exploitation in XWiki Pro Macros (CVE-2026-44179) by identifying shell process spawning, suspicious outbound connections, and XWiki data path access from Java processes.

critical severity medium confidence

Data Sources

Sumo Logic Installed Collector Linux System Logs Windows Event Logs Application Logs

Required Tables

_sourceCategory

False Positives

Legitimate administrative macros in XWiki that use shell execution for maintenance
XWiki extensions with approved outbound network calls to monitoring endpoints
Data migration scripts that write directly to xwiki-data during scheduled windows
Developer environments where XWiki is tested with custom Groovy scripts

Google Chronicle / SecOps

yaral

rule xwiki_pro_macros_rce_cve_2026_44179 {
  meta:
    author = "df00tech detection engineering"
    description = "Detects RCE exploitation of CVE-2026-44179 in xwiki-pro-macros via excerpt-include macro SSTI"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-w56x-9778-rppx"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059"

  events:
    (
      $proc.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($proc.principal.process.file.full_path, `(?i)(java|xwiki)`)
      and re.regex($proc.target.process.file.full_path, `(?i)(bash|/sh|dash|zsh|cmd\.exe|powershell\.exe|whoami|wget|curl|ncat|nc\.exe|python)`)
    )
    or
    (
      $proc.metadata.event_type = "NETWORK_CONNECTION"
      and re.regex($proc.principal.process.file.full_path, `(?i)(java|xwiki)`)
      and $proc.target.port in (4444, 1337, 9001, 8888)
      and $proc.network.direction = "OUTBOUND"
    )

  condition:
    $proc
}

Chronicle YARA-L rule detecting process launch and network connection events from Java/XWiki processes consistent with RCE exploitation via the excerpt-include macro vulnerability CVE-2026-44179.

critical severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model Endpoint telemetry Network telemetry

Required Tables

UDM Events

False Positives

Authorized XWiki customizations using Groovy scripting that invoke system commands for approved purposes
Java-based application monitoring agents co-located with XWiki on the same host
Outbound connections from the XWiki JVM to approved integration endpoints on non-standard ports
Security tooling running under the xwiki service account

CrowdStrike LogScale (CQL)

cql

#repo=base_activities
| event_type=ProcessRollup2
| ParentBaseFileName in ("java", "java.exe")
| ImageFileName in ("bash", "sh", "dash", "zsh", "cmd.exe", "powershell.exe", "whoami", "id", "curl", "wget", "nc", "ncat", "python3", "python", "perl")
| CommandLine != null
| eval risk = "CVE-2026-44179: Shell spawned from Java/XWiki process"
| select timestamp, ComputerName, UserName, ParentBaseFileName, ParentCommandLine, ImageFileName, CommandLine, risk
| sort timestamp desc
| limit 500

// Alternative network-based pivot:
// #repo=base_activities event_type=NetworkConnectIP4
// | RemotePort in [4444, 1337, 9001, 8888]
// | LocalAddressIP4 != "127.0.0.1"
// | LocalPort > 1024
// | [search process_name in ("java", "java.exe")]
// | select timestamp, ComputerName, UserName, LocalAddressIP4, RemoteAddressIP4, RemotePort

CrowdStrike Falcon Logscale CQL query to identify shell processes spawned from Java (XWiki JVM) and suspicious outbound network connections indicative of CVE-2026-44179 exploitation through malicious excerpt-include macro payloads.

critical severity high confidence

Data Sources

CrowdStrike Falcon Sensor CrowdStrike Logscale Endpoint Detection and Response

Required Tables

base_activities

False Positives

XWiki export or import scripts that call external command-line utilities
Java management extensions (JMX) tools spawning diagnostic processes on the host
CI/CD pipelines running integration tests against XWiki where commands are expected
Legitimate administrator use of XWiki Groovy scripting console for approved operations

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2026-44179 CVE-2026-44179: XWiki Pro Macros RCE via Excerpt-Include Macro?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2026-44179

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox