If you use patch ARMR 2.2: If the patch has been applied successfully to your rules, you should see something very similar to the following in your events log output: <14>1 2022-10-21T16:13:53.104+01:00 l-dev04 java 11183 - - CEF:0|ARMR:APACHE COMMONS TEXT|APACHE COMMONS TEXT|2.2|CVE-2022-42889 :01|Load Rule|Low|rt=Oct 21 2022 16:13:53.102 +0100 appVersion=1 dvchost=l-dev04 ruleType=patch procid=11183 securityFeature=patch outcome=success <14>1 2022-10-21T16:13:53.119+01:00 l-dev04 java 11183 - - CEF:0|ARMR:APACHE COMMONS TEXT|APACHE COMMONS TEXT|2.2|CVE-2022-42889 :02|Load Rule|Low|rt=Oct 21 2022 16:13:53.118 +0100 appVersion=1 dvchost=l-dev04 ruleType=patch procid=11183 securityFeature=patch outcome=success <14>1 2022-10-21T16:13:53.120+01:00 l-dev04 java 11183 - - CEF:0|ARMR:APACHE COMMONS TEXT|APACHE COMMONS TEXT|2.2|CVE-2022-42889 :03|Load Rule|Low|rt=Oct 21 2022 16:13:53.119 +0100 appVersion=1 dvchost=l-dev04 ruleType=patch procid=11183 securityFeature=patch outcome=success <14>1 2022-10-21T16:13:53.121+01:00 l-dev04 java 11183 - - CEF:0|ARMR:Waratek|Secure Agent|develop|Engine|Reload Rules|Low|msg=New ARMR policy has been applied rt=Oct 21 2022 16:13:53.121 +0100 dvchost=l-dev04 procid=11183 outcome=success Note the references to the patch name "APACHE COMMONS TEXT", the "Load Rule" phase and that it's been determined it is structured validly based on "outcome=success" When the patch is deemed ready to be used, you should something very similar to the following in your events log output: <14>1 2022-10-21T16:14:02.447+01:00 l-dev04 java 11183 - - CEF:0|ARMR:APACHE COMMONS TEXT|APACHE COMMONS TEXT|2.2|CVE-2022-42889 :01|Link Rule|Low|rt=Oct 21 2022 16:14:02.446 +0100 appVersion=1 dvchost=l-dev04 ruleType=patch procid=11183 securityFeature=patch outcome=success <14>1 2022-10-21T16:14:02.470+01:00 l-dev04 java 11183 - - CEF:0|ARMR:APACHE COMMONS TEXT|APACHE COMMONS TEXT|2.2|CVE-2022-42889 :03|Link Rule|Low|rt=Oct 21 2022 16:14:02.470 +0100 appVersion=1 dvchost=l-dev04 ruleType=patch procid=11183 securityFeature=patch outcome=success <14>1 2022-10-21T16:14:02.489+01:00 l-dev04 java 11183 - - CEF:0|ARMR:APACHE COMMONS TEXT|APACHE COMMONS TEXT|2.2|CVE-2022-42889 :02|Link Rule|Low|rt=Oct 21 2022 16:14:02.489 +0100 appVersion=1 dvchost=l-dev04 ruleType=patch procid=11183 securityFeature=patch outcome=success Note again the patch name and the different "Link Rule" phase also accompanied by the confirmation "outcome=success" Finally, if the patch triggers and blocks an attempted exploit of this vulnerability, you should see something very similar to the following in your events log output: <10>1 2022-10-21T16:14:02.523+01:00 l-dev04 java 11183 - - CEF:0|ARMR:APACHE COMMONS TEXT|APACHE COMMONS TEXT|2.2|CVE-2022-42889 :01|Execute Rule|High|msg=Attempt made to perform dns lookup rt=Oct 21 2022 16:14:02.517 +0100 appVersion=1 payload=l-dev04 dvchost=l-dev04 ruleType=patch procid=11183 securityFeature=patch <10>1 2022-10-21T16:14:02.525+01:00 l-dev04 java 11183 - - CEF:0|ARMR:APACHE COMMONS TEXT|APACHE COMMONS TEXT|2.2|CVE-2022-42889 :03|Execute Rule|High|msg=Attempt made to perform script lookup rt=Oct 21 2022 16:14:02.524 +0100 appVersion=1 payload=javascript:3 + 4 dvchost=l-dev04 ruleType=patch procid=11183 securityFeature=patch If you use patch ARMR 1.3, the messages to check for are below, similar to the ones above: 2022-10-21 16:18:04,878 CEF:0|ARMR:APACHE COMMONS TEXT|APACHE COMMONS TEXT|1.0|CVE-2022-42889 :03|Load Rule|Low|outcome=success procid=12312 dvchost=l-dev04 rt=Oct 21 2022 16:18:04.715 +0100 2022-10-21 16:18:04,882 CEF:0|ARMR:APACHE COMMONS TEXT|APACHE COMMONS TEXT|1.0|CVE-2022-42889 :01|Load Rule|Low|outcome=success procid=12312 dvchost=l-dev04 rt=Oct 21 2022 16:18:04.880 +0100 2022-10-21 16:18:04,885 CEF:0|ARMR:APACHE COMMONS TEXT|APACHE COMMONS TEXT|1.0|CVE-2022-42889 :02|Load Rule|Low|outcome=success procid=12312 dvchost=l-dev04 rt=Oct 21 2022 16:18:04.883 +0100 2022-10-21 16:18:04,905 INFO No global rules are in effect for JVC [jvc-1] 2022-10-21 16:18:04,905 INFO New rules have been applied for JVC [jvc-1] 2022-10-21 16:18:06,041 CEF:0|ARMR:APACHE COMMONS TEXT|APACHE COMMONS TEXT|1.0|CVE-2022-42889 :01|Link Rule|Low|outcome=success procid=12312 dvchost=l-dev04 rt=Oct 21 2022 16:18:06.040 +0100 2022-10-21 16:18:06,071 CEF:0|ARMR:APACHE COMMONS TEXT|APACHE COMMONS TEXT|1.0|CVE-2022-42889 :03|Link Rule|Low|outcome=success procid=12312 dvchost=l-dev04 rt=Oct 21 2022 16:18:06.071 +0100 2022-10-21 16:18:06,093 CEF:0|ARMR:APACHE COMMONS TEXT|APACHE COMMONS TEXT|1.0|CVE-2022-42889 :02|Link Rule|Low|outcome=success procid=12312 dvchost=l-dev04 rt=Oct 21 2022 16:18:06.093 +0100 2022-10-21 16:18:06,105 CEF:0|ARMR:APACHE COMMONS TEXT|APACHE COMMONS TEXT|1.0|CVE-2022-42889 :01|Execute Rule|High|payload=l-dev04 msg=Attempt made to perform dns lookup procid=12312 dvchost=l-dev04 rt=Oct 21 2022 16:18:06.105 +0100 2022-10-21 16:18:06,107 CEF:0|ARMR:APACHE COMMONS TEXT|APACHE COMMONS TEXT|1.0|CVE-2022-42889 :03|Execute Rule|High|payload=javascript:3 + 4 msg=Attempt made to perform script lookup procid=12312 dvchost=l-dev04 rt=Oct 21 2022 16:18:06.106 +0100