I know this is going to be simple but it's just not coming to me at all today.
GET /logs-*/_eql/search
{
"query": """
winlog where winlog.event_id == "4625" and stringContains(message, "The specified account's password has expired")
"""
}
Pretty simple really. How to search for an event ID with a particular message so I can set up an alert for it. Not seeing any of the fields in ECS so the examples are making me scratch my head.
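One way to express this against Winlogbeat data that follows ECS, added here as an illustration rather than taken from the original post: `event.code` carries the Windows event ID (`winlog.event_id` also exists as a keyword field), and because `message` is mapped as `text`, which EQL functions cannot operate on, the substring match is moved into the EQL search API's Query DSL `filter` parameter instead. The `logs-*` index pattern and the field mapping are assumptions.

```eql
GET /logs-*/_eql/search
{
  "filter": {
    "match_phrase": {
      "message": "The specified account's password has expired"
    }
  },
  "query": """
    any where event.code == "4625"
  """
}
```

Where the structured field is present, matching `winlog.event_data.SubStatus` (assumed field name) against the password-expired status code 0xC0000071 avoids depending on the localized message text.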