Basic Syntax
Basic queries within EQL require an event type and a matching condition. The two are connected using the where keyword.
At the most basic level, an event query has the structure:
event where condition
More specifically, an event query may resemble:
process where process_name == "svchost.exe" and command_line != "* -k *"
Conditions
Individual events can be matched with EQL by specifying criteria to match the fields in the event to other fields or values. Criteria can be combined with:
- Boolean operators
and, or, not
- Value comparisons
< <= == != >= >
- Wildcard matching
name == "*some*glob*match*" name != "*some*glob*match*"
- Function calls
length(field_name) concat(user_domain, "\\", user_name) add(timestamp, 300)
- Lookups against static or dynamic values
user_name in ("Administrator", "SYSTEM", "NETWORK SERVICE") process_name in ("cmd.exe", parent_process_name)
Event Relationships
Relationships between events can be used for stateful tracking within the query.
If a related event exists that matches the criteria, then it is evaluated in the query as true.
Relationships can be arbitrarily nested, allowing for complex behavior and state to be tracked.
Existing relationships include child of, descendant of and event of.
- Network activity for PowerShell processes that were not spawned from explorer.exe
network where process_name == "powershell.exe" and not descendant of [process where process_name == "explorer.exe"]
- Grandchildren of the WMI Provider Service
process where child of [process where parent_process_name == "wmiprvse.exe"]
- Text file modifications by command shells with redirection
file where file_name == "*.txt" and event of [process where process_name == "cmd.exe" and command_line == "* > *"]
- Executable file modifications by children of PowerShell
file where file_name == "*.exe" and event of [process where child of [process where process_name == "powershell.exe"]]
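To make the semantics of the Conditions section and of the child of relationship concrete, here is an added Python example (not the EQL library and not part of the original page) that evaluates the svchost.exe query from the top of the page and the "grandchildren of the WMI Provider Service" query over a constructed stream of process events. The conditions are hand-written as Python callables rather than parsed from EQL text, wildcard comparison is approximated with fnmatch and treated as case-insensitive (an assumption of this example), and the event field names and pid/ppid values are constructed.

```python
from fnmatch import fnmatchcase


def glob_eq(value, pattern):
    """EQL-style wildcard comparison: '*' matches any run of characters.
    Compared case-insensitively here (an assumption of this example)."""
    return fnmatchcase(str(value).lower(), pattern.lower())


def run_query(events, event_type, condition):
    """'event_type where condition': the stateless form of an EQL query."""
    return [e for e in events if e["event_type"] == event_type and condition(e)]


def child_of(events, event_type, inner_type, inner_condition):
    """'event_type where child of [inner_type where inner_condition]'.

    Stateful: remember the pid of every event that satisfied the inner
    query, then report later events whose parent pid is in that set."""
    matched_pids, results = set(), []
    for e in events:
        if e["event_type"] == inner_type and inner_condition(e):
            matched_pids.add(e["pid"])
        if e["event_type"] == event_type and e["ppid"] in matched_pids:
            results.append(e)
    return results


def proc(pid, ppid, name, parent, cmd):
    """Build a constructed process event (field names are this example's own)."""
    return {"event_type": "process", "pid": pid, "ppid": ppid, "process_name": name,
            "parent_process_name": parent, "command_line": cmd}


# Constructed sample stream: wmiprvse.exe -> cmd.exe -> powershell.exe, plus two svchost.exe starts.
EVENTS = [
    proc(100, 4, "wmiprvse.exe", "svchost.exe", "wmiprvse.exe"),
    proc(200, 100, "cmd.exe", "wmiprvse.exe", "cmd.exe /c whoami"),
    proc(300, 200, "powershell.exe", "cmd.exe", "powershell.exe -nop"),
    proc(400, 4, "svchost.exe", "services.exe", "svchost.exe -k netsvcs"),
    proc(500, 4, "svchost.exe", "services.exe", "svchost.exe"),
]


def svchost_without_k(events):
    """process where process_name == "svchost.exe" and command_line != "* -k *" """
    return run_query(events, "process", lambda e: glob_eq(e["process_name"], "svchost.exe")
                     and not glob_eq(e["command_line"], "* -k *"))


def wmi_grandchildren(events):
    """process where child of [process where parent_process_name == "wmiprvse.exe"]"""
    return child_of(events, "process", "process",
                    lambda e: glob_eq(e["parent_process_name"], "wmiprvse.exe"))
```

Running both functions over EVENTS returns only pid 500 for the svchost.exe query (pid 400 is excluded by the "* -k *" wildcard) and only pid 300 for the grandchild query, since pid 200 satisfied the inner query and pid 300 is its child.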