Problem with EQL queries

Yenii_Ceri · September 28, 2020, 11:22pm

Hey

I have an issue with EQL queries on Elasticsearch.
I have a basic ES license with xpack enabled, in addition to some Winlogbeat indexes with ECS syntax.
However, I don't get any hit when I execute some EQL queries such as:

GET /winlogbeat-*/_eql/search
{
  "query": """
    process where process.name == "cmd.exe"
  """
}

However, I do have in my winlogbeat indexes events of process creation with "cmd.exe."
This is just an example, and I tested many other EQL queries but with no results.
I wonder if EQL requires some specific configuration in Elasticsearch or regarding the index template.

I really appreciate any help you can provide.

system · October 26, 2020, 11:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Using eql to query for custom log Elasticsearch eql-elastic-query-language	2	527	March 23, 2022
What is the point of using EQL to correlate log? Elasticsearch eql-elastic-query-language	2	619	February 15, 2022
Elastic Query for alerts Windows Elasticsearch	1	316	February 1, 2022
EQL: Why basic query is different from dataset SIEM	6	565	November 12, 2020
Winlogbeat y X+ Pack Autenticacion Elastic en Español elastic-stack-security , beats-module	2	684	December 2, 2019

Problem with EQL queries

Related Topics