Hello,
My problem is quite simple but I can't find the solution.
I'm using Python to make GET calls on an index using EQL.
I would like to run this search only on the past 5 minutes of logs. How can I do it? Do I specify something in the URL? In the query?
Here is my code:
import requests
auth = ("<username>", "<password>")  # placeholder credentials, not from the original post
header = {'Content-Type': 'application/json'}
# EQL sequence: a failed authentication followed by a successful one for the same user, within 15s
data = '{"query": "sequence by host.name,source.ip with maxspan=15s [authentication where event.outcome == \\"failure\\"] by user.name \\n[authentication where event.outcome == \\"success\\"] by user.name \\n"}'
res = requests.get("http://localhost:9200/auditbeat*/_eql/search?pretty", headers=header, data=data, auth=auth, verify=False)
Thank you !
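One way to restrict the search window, as an added example that is not part of the original post: the EQL search API request body accepts a `filter` parameter holding a Query DSL query, so a `range` filter on `@timestamp` with `gte: now-5m` limits the sequence to the last five minutes. The sequence, index pattern and credentials below are assumed to match the post; the time window and field name are parameters.

```python
import json
import requests

# The sequence from the post (constructed copy): failed then successful
# authentication for the same user on the same host/source within 15s.
EQL_QUERY = (
    "sequence by host.name, source.ip with maxspan=15s\n"
    '  [authentication where event.outcome == "failure"] by user.name\n'
    '  [authentication where event.outcome == "success"] by user.name'
)


def build_eql_request(query: str, window: str = "5m",
                      timestamp_field: str = "@timestamp") -> dict:
    """Build an EQL search body that only considers events newer than now-<window>.

    The "filter" parameter of the EQL search API is ordinary Query DSL and is
    applied before the sequence is evaluated, so older documents never enter
    the sequence state machine.
    """
    return {
        "query": query,
        "filter": {
            "range": {
                timestamp_field: {"gte": f"now-{window}", "lte": "now"}
            }
        },
    }


def run_eql_search(es_url: str, index: str, body: dict,
                   auth=None, verify: bool = True) -> dict:
    """Send the EQL request (GET with a JSON body, as in the post) and return the parsed response."""
    resp = requests.get(
        f"{es_url}/{index}/_eql/search",
        params={"pretty": "true"},
        headers={"Content-Type": "application/json"},
        data=json.dumps(body),
        auth=auth,
        verify=verify,
    )
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    body = build_eql_request(EQL_QUERY, window="5m")
    # Placeholder credentials; replace with real ones and prefer verify=True with a trusted CA.
    result = run_eql_search("https://localhost:9200", "auditbeat*", body,
                            auth=("<username>", "<password>"), verify=True)
    print(json.dumps(result.get("hits", {}), indent=2))
```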