Basic Syntax

Basic queries within EQL require an event type and a matching condition. The two are connected using the where keyword.

At the most basic level, an event query has the structure:

event where condition

More specifically, an event query may resemble:

process where process_name == "svchost.exe" and command_line != "* -k *"

Conditions

Individual events can be matched with EQL by specifying criteria that compare the fields in the event to other fields or values. Criteria can be combined with:

Boolean operators
    and  or  not
Value comparisons
    <  <=  ==  !=  >=  >
Wildcard matching
    name == "*some*glob*match*"
    name != "*some*glob*match*"
Function calls
    length(field_name)
    concat(user_domain, "\\", user_name)
    add(timestamp, 300)
Lookups against static or dynamic values
    user_name in ("Administrator", "SYSTEM", "NETWORK SERVICE")
    process_name in ("cmd.exe", parent_process_name)

Event Relationships

Relationships between events can be used for stateful tracking within the query. If a related event exists that matches the criteria of the subquery, the relationship evaluates to true within the query. Relationships can be arbitrarily nested, allowing complex behavior and state to be tracked. Existing relationships include child of, descendant of, and event of.

Network activity for PowerShell processes that were not spawned from explorer.exe
network where process_name == "powershell.exe" and
    not descendant of [process where process_name == "explorer.exe"]
Grandchildren of the WMI Provider Service
process where child of [process where parent_process_name == "wmiprvse.exe"]
Text file modifications by command shells with redirection
file where file_name == "*.txt" and
    event of [process where process_name == "cmd.exe" and command_line == "* > *"]
Executable file modifications by children of PowerShell
file where file_name == "*.exe" and event of [
  process where child of [process where process_name == "powershell.exe"]
]
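To make the semantics of wildcard matching, child of and descendant of concrete, the following added example (not code from the EQL project) evaluates the first two relationship queries above over a small set of constructed events. It assumes each event carries pid and ppid fields so lineage can be rebuilt, and treats string comparison as case-insensitive.

```python
import fnmatch
# Constructed sample events (not from the page): process starts and network
# events, each with pid/ppid so process lineage can be rebuilt.
EVENTS = [
    {"event_type": "process", "pid": 100, "ppid": 1,   "process_name": "explorer.exe"},
    {"event_type": "process", "pid": 210, "ppid": 1,   "process_name": "WmiPrvSE.exe"},
    {"event_type": "process", "pid": 300, "ppid": 100, "process_name": "cmd.exe"},
    {"event_type": "process", "pid": 310, "ppid": 300, "process_name": "powershell.exe"},
    {"event_type": "process", "pid": 320, "ppid": 210, "process_name": "powershell.exe"},
    {"event_type": "process", "pid": 330, "ppid": 320, "process_name": "whoami.exe"},
    {"event_type": "network", "pid": 310, "ppid": 300, "process_name": "powershell.exe"},
    {"event_type": "network", "pid": 320, "ppid": 210, "process_name": "powershell.exe"},
]

def glob_eq(value, pattern):
    """EQL string ==: '*' is a wildcard and the comparison is case-insensitive."""
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())

def child_of(event, subquery, procs):
    """'child of [process where ...]': the direct parent satisfies the subquery."""
    parent = procs.get(event["ppid"])
    return parent is not None and subquery(parent, procs)

def descendant_of(event, subquery, procs):
    """'descendant of [process where ...]': some ancestor satisfies the subquery."""
    ppid = event["ppid"]
    while ppid in procs:  # walk the ppid chain up to the root
        if subquery(procs[ppid], procs):
            return True
        ppid = procs[ppid]["ppid"]
    return False

def run_query(events, event_type, condition):
    """Evaluate 'event_type where condition' over a list of events."""
    procs = {e["pid"]: e for e in events if e["event_type"] == "process"}
    return [e for e in events if e["event_type"] == event_type and condition(e, procs)]

# network where process_name == "powershell.exe" and
#     not descendant of [process where process_name == "explorer.exe"]
def powershell_network_not_under_explorer(events):
    is_explorer = lambda p, procs: glob_eq(p["process_name"], "explorer.exe")
    return run_query(events, "network", lambda e, procs:
                     glob_eq(e["process_name"], "powershell.exe")
                     and not descendant_of(e, is_explorer, procs))
# process where child of [process where parent_process_name == "wmiprvse.exe"]
def grandchildren_of_wmiprvse(events):
    def parent_named_wmiprvse(p, procs):  # parent_process_name == "wmiprvse.exe"
        return child_of(p, lambda gp, _: glob_eq(gp["process_name"], "wmiprvse.exe"), procs)
    return run_query(events, "process", lambda e, procs: child_of(e, parent_named_wmiprvse, procs))
```

Only the PowerShell under WmiPrvSE (pid 320) survives the first query, since pid 310 descends from explorer.exe via cmd.exe; the second query returns whoami.exe (pid 330), whose parent's parent is WmiPrvSE.exe.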