Elasticsearch SIEM is not working, but EQL query is ok

I got some problems with my ELK running on Docker. I set up SSL on TLS and HTTP and tried to make a simple EQL query:

sequence by winlog.computer_name 
[iam where event.code == "4720"] 
[iam where event.code == "4726"]

When I click on Show results I see hits:

but when I'm trying to reproduce the alert, there are zero hits in the index:

I got some warnings from my Elasticsearch container:

{"type": "server", "timestamp": "2021-10-25T12:37:33,433Z", "level": "WARN", "component": "o.e.x.s.t.n.SecurityNetty4HttpServerTransport", "cluster.name": "elastdocker-cluster", "node.name": "elastdocker-node-0", "message": "received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/, remoteAddress=/}", "cluster.uuid": "oZsivcyzROWSooXVIPzbKQ", "node.id": "KIjWJ0OjSW-lYt51cO8ViQ" }

Where is the problem? Any ideas?
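To show what the `sequence by winlog.computer_name` rule above actually correlates, here is a small simplified emulation of a two-stage EQL sequence over constructed Windows audit events (4720 = account created, 4726 = account deleted). This is an added example, not code from the original post or from Elastic; it ignores `maxspan`, `until` and the exact tie-breaking Elasticsearch applies when a stage sees several candidate events.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Event:
    timestamp: str      # ISO-8601 UTC, assumed sortable as a plain string
    computer_name: str  # winlog.computer_name (the sequence join key)
    code: str           # event.code

# Constructed sample events (not taken from the original post).
SAMPLE_EVENTS = [
    Event("2021-10-25T12:00:00Z", "DC01", "4720"),
    Event("2021-10-25T12:01:00Z", "WS02", "4726"),  # delete with no prior create: no match
    Event("2021-10-25T12:05:00Z", "DC01", "4726"),  # completes the DC01 sequence
    Event("2021-10-25T12:07:00Z", "DC01", "4720"),  # create never followed by a delete: no match
    Event("2021-10-25T12:09:00Z", "WS02", "4720"),
    Event("2021-10-25T12:10:00Z", "WS02", "4726"),  # completes the WS02 sequence
]

def sequence_by(events: List[Event], codes: Tuple[str, ...]) -> List[List[Event]]:
    """Emulate `sequence by <key> [event.code == codes[0]] [event.code == codes[1]] ...`.

    Events are walked in time order. Per join key we keep the partial
    sequence seen so far; a first-stage event (re)starts that key's
    sequence, the next expected code advances it, anything else is ignored.
    Only fully completed sequences are reported, which is why a lone 4726
    or a lone 4720 never produces a hit.
    """
    progress: Dict[str, List[Event]] = {}
    matches: List[List[Event]] = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        partial = progress.get(ev.computer_name, [])
        if ev.code == codes[0]:
            partial = [ev]                          # start or restart this key's sequence
        elif partial and ev.code == codes[len(partial)]:
            partial = partial + [ev]                # advance to the next stage
        else:
            continue                                # unrelated event for this key
        if len(partial) == len(codes):
            matches.append(partial)
            progress.pop(ev.computer_name, None)    # sequence done; start fresh next time
        else:
            progress[ev.computer_name] = partial
    return matches

if __name__ == "__main__":
    for hit in sequence_by(SAMPLE_EVENTS, ("4720", "4726")):
        print(hit[0].computer_name, [e.timestamp for e in hit])
```

A rule that yields hits here but zero hits in the alert index points at the alerting pipeline rather than the query itself.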

This helps:

PUT /_cluster/settings
{
  "persistent" : {
    "xpack" : {
      "monitoring" : {
        "migration" : {
          "decommission_alerts" : "true"
        }
      }
    }
  },
  "transient" : { }
}
