Event Query Language¶
EQL is a language that can match events, generate sequences, stack data, build aggregations, and perform analysis. EQL is schemaless and supports multiple database backends. It supports field lookups, boolean logic, comparisons, wildcard matching, and function calls. EQL also has a preprocessor that can perform parse and translation time evaluation, allowing for easily sharable components between queries.
Note
This documentation is about EQL for Elastic Endgame. Several syntax changes were made in Elasticsearch to bring Event Query Language to the Elastic Stack. The existing Python EQL implementation remains unchanged, but please keep the below differences in mind when switching between the two different versions of EQL.
In the Elastic Stack:
- Most operators are now case-sensitive. For example, `process_name == "cmd.exe"` is no longer equivalent to `process_name == "Cmd.exe"`.
- Functions are now case-sensitive. To use the case-insensitive variant, use `~`, such as `endsWith~(process_name, ".exe")`.
- For case-insensitive equality comparisons, use the `:` operator. For example, `process_name : "cmd.exe"` is equivalent to `process_name : "Cmd.exe"`.
- For case-insensitive wildcard comparisons, use the `:` operator. Both `*` and `?` are recognized wildcard characters. (7.11+)
- The `==` and `!=` operators no longer expand wildcard characters. For example, `process_name == "cmd*.exe"` now interprets `*` as a literal asterisk, not a wildcard.
- For wildcard matching, use the `like` keyword when case-sensitive, and `like~` when case-insensitive. The `:` operator is equivalent to `like~`. (7.12+)
- For regular expression matching, use `regex` or `regex~`. (7.12+)
- `=` can no longer be substituted for the `==` operator.
- `'` strings are no longer supported. Use `"""` or `"` to represent strings.
- `?"` and `?'` no longer indicate raw strings. Use the `"""..."""` syntax instead.
For more details, see the limitations section of the Elasticsearch EQL documentation.
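As an added example (not part of the eql package or the Elasticsearch documentation), the helper below applies the rewrites listed in this note to a legacy Endgame-dialect query, so a query such as the one in Getting Started can be run against the Elastic Stack dialect. It is a heuristic on a quote-aware token split and assumes balanced quotes; it maps `==`/`!=` on string operands to `:` (which the note equates with `like~`, preserving the old case-insensitive, wildcard-expanding meaning) and does not handle raw `?"..."` strings or the function `~` suffix.

```python
import re

# Tokens: a triple-quoted string, a double-quoted string, a single-quoted
# string, or a run of code (anything that is not a quote). The query is
# assumed to be well-formed, i.e. every quote is balanced.
_TOKEN = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[^"\']+')

# A bare "=" that is not part of ==, !=, <= or >=.
_SINGLE_EQ = re.compile(r'(?<![=!<>])=(?!=)')
# "==" as the last operator of a code run (the next token is a string).
_EQ_BEFORE_STR = re.compile(r'==(\s*)$')
# "field !=" as the last operator of a code run (the next token is a string).
_NEQ_BEFORE_STR = re.compile(r'([A-Za-z_][\w.]*)(\s*)!=(\s*)$')


def _requote(tok):
    """Rewrite a legacy single-quoted string literal as a double-quoted one."""
    body = tok[1:-1].replace("\\'", "'").replace('"', '\\"')
    return '"' + body + '"'


def migrate(query):
    """Rewrite an Endgame-dialect EQL query into Elastic Stack syntax.

    Rewrites applied (the ones listed in the note above):
      'str'           -> "str"
      a = b           -> a == b
      field == "str"  -> field : "str"     (':' keeps the old case-insensitive,
                                             wildcard-expanding behaviour)
      field != "str"  -> not field : "str"
    Raw strings (?"...") and the function '~' suffix are not handled.
    """
    tokens = _TOKEN.findall(query)
    out = []
    for i, tok in enumerate(tokens):
        if tok[0] in '"\'':
            out.append(_requote(tok) if tok[0] == "'" else tok)
            continue
        code = _SINGLE_EQ.sub('==', tok)
        next_is_str = i + 1 < len(tokens) and tokens[i + 1][0] in '"\''
        if next_is_str:
            code = _EQ_BEFORE_STR.sub(r':\1', code)
            code = _NEQ_BEFORE_STR.sub(r'not \1\2:\3', code)
        out.append(code)
    return ''.join(out)


if __name__ == '__main__':
    # The sample query from the Getting Started section, in legacy syntax.
    print(migrate("process where process_name == 'explorer.exe'"))
```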
Getting Started¶
The EQL module currently supports Python 2.7 and 3.5+. Assuming a supported Python version is installed, run the command:
$ pip install eql
If Python is configured and already in the PATH, then `eql` will be readily available, and can be checked by running the command:
$ eql --version
eql 0.9
From there, try a sample json file and test it with EQL.
$ eql query -f example.json "process where process_name == 'explorer.exe'"
{"command_line": "C:\\Windows\\Explorer.EXE", "event_type": "process", "md5": "ac4c51eb24aa95b77f705ab159189e24", "pid": 2460, "ppid": 3052, "process_name": "explorer.exe", "process_path": "C:\\Windows\\explorer.exe", "subtype": "create", "timestamp": 131485997150000000, "user": "research\\researcher", "user_domain": "research", "user_name": "researcher"}
Next Steps¶
- Check out the Query Guide for a crash course on writing EQL queries
- View usage for the Interactive Shell
- Explore the API Reference for advanced usage or incorporating EQL into other projects
- Browse a library of EQL analytics