Abstract Syntax Tree

EQL syntax tree nodes/schema.

class eql.ast.BaseNode[source]

This is the base class for all AST nodes.

render(precedence=None)[source]

Render the AST in the target language.

class eql.ast.EqlNode[source]

The base class for all nodes within the event query language.

class eql.ast.Walker[source]

Base class that provides functionality for walking abstract syntax trees of eql.BaseNode.

active_node

Get the active context.

classmethod camelized(node_cls)[source]

Get the camelized name for the class.

current_event_type

Get the active event type while walking.

get_node_method(node_cls, prefix)[source]

Get the walk method for a node.

iter_node(node)[source]

Iterate through a syntax tree.

parent_node

Get the parent context.

register_func(node_cls, func, prefix='_walk_')[source]

Register a callback function.

set_context(**kwds)[source]

Push a node onto the context stack.

walk(node, *args, **kwargs)[source]

Walk the syntax tree top-down.

class eql.walkers.RecursiveWalker[source]

Walker that will recursively walk and transform a tree.

class eql.walkers.DepthFirstWalker[source]

Walk an AST bottom up.

class eql.ast.Expression[source]

Base class for expressions.

class eql.ast.Literal(value)[source]

Static value.

class eql.ast.TimeRange(delta)[source]

EQL node for an interval of time.

class eql.ast.Field(base, path=None)[source]

Variables and paths in scope of the event.

class eql.ast.Comparison(left, comparator, right)[source]

Represents a comparison between two values, as in <expr> <comparator> <expr>.

Comparison operators include ==, !=, <, <=, >=, and >.

class eql.ast.InSet(expression, container)[source]

Check if the value of a field within an event matches a list of values.

class eql.ast.And(terms)[source]

Perform a boolean and on a list of expressions.

class eql.ast.Or(terms)[source]

Perform a boolean or on a list of expressions.

class eql.ast.Not(term)[source]

Negate a boolean expression.

class eql.ast.FunctionCall(name, arguments)[source]

A call into a user-defined function by name and a list of arguments.

class eql.ast.EventQuery(event_type, query)[source]

Query over a specific event type with a boolean condition.

class eql.ast.NamedSubquery(query_type, query)[source]

Named of queries perform a subquery with a specific type and returns true if the current event is related.

Query Types: - descendant: Returns true if the pid/unique_pid of the event is a descendant of the subquery process - child: Returns true if the pid/unique_pid of the event is a child of the subquery process - event: Returns true if the pid/unique_pid of the event matches the subquery process

class eql.ast.NamedParams(kv=None)[source]

An EQL node for key-value named parameters.

class eql.ast.SubqueryBy(query, params=None, join_values=None)[source]

Node for holding the EventQuery and parameters to join on.

class eql.ast.Join(queries, close=None)[source]

Another boolean query that can join multiple events that share common values.

class eql.ast.Sequence(queries, params=None, close=None)[source]

Sequence is very similar to join, but enforces an ordering.

Sequence supports the until keyword, which indicates an event that causes it to terminate early.

class eql.ast.PipeCommand(arguments=None)[source]

Base class for an EQL pipe.

class eql.pipes.ByPipe(arguments=None)[source]

Pipe that takes a value (field, function, etc.) as a key.

class eql.pipes.HeadPipe(arguments=None)[source]

Node representing the head pipe, analogous to the unix head command.

class eql.pipes.TailPipe(arguments=None)[source]

Node representing the tail pipe, analogous to the unix tail command.

class eql.pipes.SortPipe(arguments=None)[source]

Sorts the pipes by field comparisons.

class eql.pipes.UniquePipe(arguments=None)[source]

Filters events on a per-field basis, and only outputs the first event seen for a field.

class eql.pipes.CountPipe(arguments=None)[source]

Counts number of events that match a field, or total number of events if none specified.

class eql.pipes.FilterPipe(arguments=None)[source]

Takes data coming into an existing pipe and filters it further.

class eql.pipes.UniqueCountPipe(arguments=None)[source]

Returns unique results but adds a count field.

class eql.ast.PipedQuery(first, pipes=None)[source]

List of all the pipes.

class eql.ast.EqlAnalytic(query, metadata=None)[source]

Analytics are the top-level nodes for matching and returning events.

id

Return the ID from metadata.

name

Return the name from metadata.