Hey @Kiwisaki,
There's a recent post discussing how rule scheduling works with EQL's maxspan key; you may find your answer there. If your query works elsewhere, then it's possible that the rule cannot "see" the full sequence of events due to how it's configured. If you're able to share the rule configuration, we could make that determination.
Another common issue that could be in play here is ingestion delay. If e.g. your events are taking 4 minutes to become searchable in Elasticsearch, then most of the events won't be available when your rule looks at the last 5 minutes of data (they would later be available in Discover, though).
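The two effects described in the reply above, as an added example that is not part of the original post and is not Elastic's code: a simplified model of a rule that runs on a fixed interval and queries only its own time window. The 30-second event spacing, the half-open window, and the `lookback_s` parameter (extra time added to the start of each window) are assumptions made for illustration.

```python
"""Simplified model: scheduled rule window vs. ingestion delay (illustrative only)."""

def visible(ts, delay_s, run_at, interval_s, lookback_s=0):
    """True if an event stamped `ts` is returned by the run at `run_at`."""
    in_window = run_at - interval_s - lookback_s <= ts < run_at
    searchable = ts + delay_s <= run_at  # indexed before the query executed
    return in_window and searchable

def missed(events, delay_s, runs, interval_s, lookback_s=0):
    """Events that no rule run ever sees, although they exist later in the index."""
    return [ts for ts in events
            if not any(visible(ts, delay_s, r, interval_s, lookback_s) for r in runs)]

def sequence_seen(seq, delay_s, runs, interval_s, lookback_s=0):
    """A sequence can only match if one single run sees every event in it."""
    return any(all(visible(ts, delay_s, r, interval_s, lookback_s) for ts in seq)
               for r in runs)

# Constructed sample data (seconds since an arbitrary start).
INTERVAL = 300                     # rule looks at the last 5 minutes
DELAY = 240                        # events take 4 minutes to become searchable
RUNS = range(300, 1801, 300)       # rule executions
EVENTS = list(range(0, 1200, 30))  # one event every 30 s for 20 minutes
SEQ = (280, 310)                   # two related events straddling the run at t=300

if __name__ == "__main__":
    print("missed, no delay:        ", len(missed(EVENTS, 0, RUNS, INTERVAL)))
    print("missed, 4 min delay:     ", len(missed(EVENTS, DELAY, RUNS, INTERVAL)))
    print("missed, delay + lookback:",
          len(missed(EVENTS, DELAY, RUNS, INTERVAL, lookback_s=DELAY)))
    # Even with no delay, a sequence split across two windows is never matched
    # unless consecutive windows overlap.
    print("sequence, no overlap:    ", sequence_seen(SEQ, 0, RUNS, INTERVAL))
    print("sequence, 60 s overlap:  ", sequence_seen(SEQ, 0, RUNS, INTERVAL, 60))
```

In this model the rule stops missing events once the overlap between windows is at least as long as the ingestion delay, and a sequence is matched once the overlap also covers the gap between its events.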