Elastic Agent config requirements for "Hosts File Modified" rule

Hello,

I'm testing how some Elastic Security rules work with Beats versus Agents. I was curious about the integration requirements for the "Hosts File Modified" rule (link).

Per the setup section for the "Hosts File Modified" rule, I added the path "C:\Windows\System32\drivers\etc" to auditbeat.yml in the file_integrity module section. After restarting Auditbeat on my Windows machine, edits to the hosts file cause the rule conditions to be met and I see alerts appear for this rule.

I set up another Windows machine with an Elastic Agent that has both of the required integrations listed for the "Hosts File Modified" rule (Elastic Defend, Windows). My Agent appears in Fleet as being healthy and I'm seeing data from the Agent on the Discover page. However, editing the hosts file on this machine doesn't appear to trigger the rule, and I don't see a corresponding doc under the "logs-*" index pattern via the Discover page.

I tried adding the "File Integrity Monitoring" integration for the Agent and added the path ("C:\Windows\System32\drivers\etc") to the integration settings. After this, I see the docs for the file change on the Discover page under the "logs-*" index pattern, but again, the rule isn't triggered (although this seems expected as the doc is an "logs-fim.*" index which isn't included as a index pattern for this rule).

Am I missing something with how the Elastic Defend and Windows integrations need to be configured to make the default "Hosts File Modified" rule work for Agents?

Thanks!