Hey
I have an issue with EQL queries on Elasticsearch.
I have a basic ES license with xpack enabled, in addition to some Winlogbeat indexes with ECS syntax.
However, I don't get any hit when I execute some EQL queries such as:
GET /winlogbeat-*/_eql/search
{
  "query": """
    process where process.name == "cmd.exe"
  """
}
However, I do have process creation events with "cmd.exe" in my winlogbeat indexes.
This is just an example, and I tested many other EQL queries but with no results.
I wonder if EQL requires some specific configuration in Elasticsearch or regarding the index template.
I really appreciate any help you can provide.
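An offline check of the fields that an Elasticsearch EQL `process where ...` query depends on, added here as an example; it is not part of the original post and not Elastic's code. It assumes the EQL defaults (`event.category` as the event category field, `@timestamp` as the timestamp field) and uses two constructed documents: one ECS-style process event and one carrying only raw `winlog.event_data` fields, which is a common reason such a query returns no hits.

```python
from typing import Any, Dict, List

# Constructed sample documents (not real Winlogbeat output).
# Doc 1 is ECS-shaped: event.category contains "process" and process.name is set.
# Doc 2 only has the raw Windows fields, so EQL "process where" cannot select it.
SAMPLE_DOCS: List[Dict[str, Any]] = [
    {
        "@timestamp": "2023-01-01T10:00:00.000Z",
        "event": {"category": ["process"], "type": ["start"]},
        "process": {"name": "cmd.exe", "pid": 4242},
    },
    {
        "@timestamp": "2023-01-01T10:00:01.000Z",
        "winlog": {
            "event_id": 4688,
            "event_data": {"NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
        },
    },
]


def get_path(doc: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted ECS field name such as 'process.name' in a nested document."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def missing_eql_fields(doc: Dict[str, Any], category_field: str = "event.category",
                       timestamp_field: str = "@timestamp") -> List[str]:
    """List the EQL prerequisite fields (timestamp, event category) the document lacks."""
    return [f for f in (timestamp_field, category_field) if get_path(doc, f) is None]


def matches_process_query(doc: Dict[str, Any], process_name: str,
                          category_field: str = "event.category") -> bool:
    """Emulate: process where process.name == "<process_name>".

    The 'process' keyword is a filter on the event category field, so a document
    without that field never matches, whatever other fields it carries.
    """
    category = get_path(doc, category_field)
    if category is None:
        return False
    categories = category if isinstance(category, list) else [category]
    if "process" not in categories:
        return False
    return get_path(doc, "process.name") == process_name


def diagnose(docs: List[Dict[str, Any]], process_name: str = "cmd.exe") -> Dict[str, Any]:
    """Count emulated hits and report missing prerequisite fields per document."""
    return {
        "hits": sum(matches_process_query(d, process_name) for d in docs),
        "missing": [missing_eql_fields(d) for d in docs],
    }
```

If `diagnose` reports `event.category` missing for real documents from the index, the data needs ECS enrichment (or the request needs `event_category_field` set to a field that is present) before EQL can return hits.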