Hi, I'm trying to simulate a basic EQL query via the dev tools.
Some data
POST _bulk
{ "index" : { "_index" : "win_test", "_id" : "1" } }
{ "@timestamp": "2020-11-12T02:00:00Z", "host_name" : "myhost1" , "event": {"code" : "4720", "type": "create", "kind": "account_manipulate"}, "winlog": {"event_data": {"TargetUserName": "userA"}}}
{ "index" : { "_index" : "win_test", "_id" : "2" } }
{ "@timestamp": "2020-11-12T02:02:00Z", "host_name" : "myhost1" , "event": {"code" : "4726", "type": "delete", "kind": "account_manipulate"}, "winlog": {"event_data": {"TargetUserName": "userA"}}}
Looks good
GET win_test/_search
Now trying a basic EQL query
GET /win_test/_eql/search
{
"event_category_field": "event.kind",
"query": """
event where event.code == "4720"
"""
}
GET /win_test/_eql/search
{
"event_category_field": "event.kind",
"query": """
sequence by winlog.event_data.TargetUserName
[ event where event.code == "4720" ]
[ event where event.code == "4726" ]
"""
}
Neither EQL query works. Any idea what is wrong with these?
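An added, offline toy evaluator (not part of the post and not Elasticsearch's EQL engine) for the small EQL subset used above: it runs the two sample documents through `<category> where <field> == "<value>"` clauses and a `sequence by` join, and shows that with `event_category_field` set to `event.kind` a clause starting with `event where` can never match, because EQL compares that leading category against the value of the category field (here `account_manipulate`), while `account_manipulate where` or `any where` does match.

```python
"""Toy evaluator for the EQL subset in the post. Constructed for illustration only."""
import re
from itertools import product

# The two documents from the post's _bulk request, embedded inline (constructed sample data).
DOCS = [
    {"@timestamp": "2020-11-12T02:00:00Z", "host_name": "myhost1",
     "event": {"code": "4720", "type": "create", "kind": "account_manipulate"},
     "winlog": {"event_data": {"TargetUserName": "userA"}}},
    {"@timestamp": "2020-11-12T02:02:00Z", "host_name": "myhost1",
     "event": {"code": "4726", "type": "delete", "kind": "account_manipulate"},
     "winlog": {"event_data": {"TargetUserName": "userA"}}},
]

# Grammar handled: `<category> where <dotted.field> == "<literal>"`
CLAUSE = re.compile(r'(\w+)\s+where\s+([\w.]+)\s*==\s*"([^"]*)"')

def get(doc, dotted):
    """Resolve a dotted field name such as event.code against a nested document."""
    for part in dotted.split("."):
        doc = doc.get(part) if isinstance(doc, dict) else None
    return doc

def clause_matches(doc, clause, category_field):
    """A clause `cat where f == "v"` matches only if the document's category field equals
    `cat` (unless `cat` is the wildcard `any`) AND the where condition holds."""
    cat, field, value = CLAUSE.fullmatch(clause.strip()).groups()
    category_ok = cat == "any" or get(doc, category_field) == cat
    return category_ok and get(doc, field) == value

def eql_search(query, category_field="event.category", docs=DOCS):
    """Single clause: return the matching docs. `sequence by <key> [..] [..]`: return
    tuples of docs, one per stage, sharing the join key and ordered by @timestamp."""
    q = " ".join(query.split())  # collapse the triple-quoted multi-line query
    m = re.match(r"sequence by ([\w.]+)\s*((?:\[.*?\]\s*)+)$", q)
    if not m:
        return [d for d in docs if clause_matches(d, q, category_field)]
    key, clauses = m.group(1), re.findall(r"\[(.*?)\]", m.group(2))
    stages = [[d for d in docs if clause_matches(d, c, category_field)] for c in clauses]
    return [combo for combo in product(*stages)
            if len({get(d, key) for d in combo}) == 1
            and all(a["@timestamp"] < b["@timestamp"] for a, b in zip(combo, combo[1:]))]
```

With `event_category_field` left at its default `event.category`, neither sample document has that field at all, so `event where` matches nothing there either.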