add ESQL_priv. to keep

terrancedejesus · terrancedejesus · commit 9aa9adf25306 · 2025-11-23T22:56:01.000-05:00
diff --git a/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml b/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
@@ -221,7 +221,7 @@ FROM logs-aws.cloudtrail*, logs-endpoint.* METADATA _id, _version, _index
         Esql.aws_cloudtrail_first_event_ts
       ) <= 5
 | SORT Esql.aws_cloudtrail_first_event_ts ASC
-| KEEP Esql.*
+| KEEP Esql.*, Esql_priv.*
 '''
 
 
