Hello, I have been having the same issue with 7.14.1, while in 7.13 the same rules with the same logs work just fine and the alert is triggered.
It is not a crazy query, just event.code:"1116", which is the Defender event for malware being found.
I can verify that I see it in my Winlogbeat logs, but even though monitoring says the rule has run, there are no alerts triggered.
This is a custom rule; the default ones work just fine.
Did you check if there is any delay in receiving logs in ELK? If at the level of the scheduled rule you have "Run every" = 5 and "Additional look-back time" = 1, then the rule will be applied only to the events received during the last 6 min.
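The schedule arithmetic in the reply above, worked through as an added simulation (this is not code from the thread or from Elastic; it simplifies the real detection engine, which also de-duplicates alerts by signal id). It assumes the rule's "Run every" and "Additional look-back time" values from the reply and two constructed Defender events, one of which reaches the index four minutes after its `@timestamp`, to show why a look-back shorter than the ingest delay silently drops the match:

```python
from datetime import datetime, timedelta, timezone

# Rule schedule as described in the reply: run every 5 minutes, look back 1 extra minute.
INTERVAL = timedelta(minutes=5)
LOOKBACK_1MIN = timedelta(minutes=1)
LOOKBACK_5MIN = timedelta(minutes=5)   # hypothetical widened look-back, for comparison


def ts(hour, minute):
    """Helper: UTC timestamp on a fixed, constructed day."""
    return datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)


def query_window(run_at, interval=INTERVAL, lookback=LOOKBACK_1MIN):
    """Time range one rule execution queries: interval + look-back, ending at run time."""
    return run_at - (interval + lookback), run_at


def matched_events(run_at, events, interval, lookback):
    """Events a single execution can see: already indexed at run time,
    @timestamp inside the query window, and matching event.code:"1116"."""
    start, end = query_window(run_at, interval, lookback)
    return [
        e for e in events
        if e["event.code"] == "1116"
        and e["ingested_at"] <= run_at          # not yet indexed -> invisible to this run
        and start <= e["@timestamp"] <= end     # the rule filters on the event's own @timestamp
    ]


def simulate(events, runs, interval, lookback):
    """Execute the rule at each scheduled time; return ids of events that ever alert."""
    alerted = []
    for run_at in runs:
        for e in matched_events(run_at, events, interval, lookback):
            if e["id"] not in alerted:
                alerted.append(e["id"])
    return alerted


# Constructed sample: two Defender "malware found" events (event.code 1116).
EVENTS = [
    # Logged at 10:03 on the host, but only indexed at 10:07 (four minutes of shipping delay).
    {"id": "delayed-event", "event.code": "1116", "@timestamp": ts(10, 3), "ingested_at": ts(10, 7)},
    # Logged and indexed at 10:12 (no delay).
    {"id": "prompt-event", "event.code": "1116", "@timestamp": ts(10, 12), "ingested_at": ts(10, 12)},
]
RUNS = [ts(10, 5), ts(10, 10), ts(10, 15)]

if __name__ == "__main__":
    print("look-back 1 min:", simulate(EVENTS, RUNS, INTERVAL, LOOKBACK_1MIN))
    print("look-back 5 min:", simulate(EVENTS, RUNS, INTERVAL, LOOKBACK_5MIN))
```

With the 1-minute look-back the delayed event is never alerted on: at 10:05 it is not yet in the index, and by 10:10 its `@timestamp` has already fallen out of the 6-minute window. Widening the look-back to 5 minutes catches it. The rule of thumb this illustrates is that the additional look-back must be at least the worst-case gap between an event's `@timestamp` and the moment it becomes searchable; comparing `@timestamp` with the ingest time of the documents (for example the ECS `event.ingested` field, if your pipeline sets it) is a quick way to measure that gap before tuning the schedule.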