Event Query Language

eql logo

EQL is a language that can match events, generate sequences, stack data, build aggregations, and perform analysis. EQL is schemaless and supports multiple database backends. It supports field lookups, boolean logic, comparisons, wildcard matching, and function calls. EQL also has a preprocessor that can perform parse and translation time evaluation, allowing for easily sharable components between queries.

Note

This documentation is about EQL for Elastic Endgame. Several syntax changes were made in Elasticsearch to bring Event Query Language to the Elastic Stack. The existing Python EQL implementation remains unchanged, but please keep the below differences in mind when switching between the two different versions of EQL.

In the Elastic Stack:

  • Most operators are now case-sensitive. For example, process_name == "cmd.exe" is no longer equivalent to process_name == "Cmd.exe".
  • Functions are now case-sensitive. To use the case-insensitive variant, use ~, such as endsWith~(process_name, ".exe").
  • For case-insensitive equality comparisons, use the : operator. For example, process_name : "cmd.exe" is equivalent to process_name : "Cmd.exe".
  • For case-insensitive wildcard comparisons, use the : operator. Both * and ? are recognized wildcard characters. (7.11+)
  • The == and != operators no longer expand wildcard characters. For example, process_name == "cmd*.exe" now interprets * as a literal asterisk, not a wildcard.
  • For wildcard matching, use the like keyword when case-sensitive, and like~ when case-insensitive. The : operator is equivalent to like~. (7.12+)
  • For regular expression matching, use regex or regex~. (7.12+)
  • = can no longer be substituted for the == operator.
  • ' strings are no longer supported. Use """ or " to represent strings.
  • ?" and ?' no longer indicate raw strings. Use the """...""" syntax instead.

For more details, see the limitations section of the Elasticsearch EQL documentation.

Getting Started

The EQL module current supports Python 2.7 and 3.5+. Assuming a supported Python version is installed, run the command:

$ pip install eql

If Python is configured and already in the PATH, then eql will be readily available, and can be checked by running the command:

$ eql --version
eql 0.9

From there, try a sample json file and test it with EQL.

$ eql query -f example.json "process where process_name == 'explorer.exe'"

{"command_line": "C:\\Windows\\Explorer.EXE", "event_type": "process", "md5": "ac4c51eb24aa95b77f705ab159189e24", "pid": 2460, "ppid": 3052, "process_name": "explorer.exe", "process_path": "C:\\Windows\\explorer.exe", "subtype": "create", "timestamp": 131485997150000000, "user": "research\\researcher", "user_domain": "research", "user_name": "researcher"}

Next Steps

License

Check the license