I have noticed that the EQL Backend does not support the usage of state variables to change the index used in the SIEM Rule. However, ESQL does allow for that.
I have built a dirty hack around this, since I don't 100% understand the logic of how it should be used.
It works, but I am sure there is a better way.