Parser

eql.get_preprocessor(text, implied_any=False, subqueries=None, preprocessor=None)[source]

Parse EQL definitions and get a PreProcessor.

Parameters:
  • text (str) – EQL source to parse
  • preprocessor (PreProcessor) – Use an existing EQL preprocessor while parsing definitions
  • implied_any (bool) – Allow for event queries to match on any event type when a type is not specified. If enabled, the query process_name == "cmd.exe" becomes any where process_name == "cmd.exe"
  • subqueries (bool) – Toggle support for subqueries, which are required by descendant of, child of and event of
Return type:

PreProcessor
eql.parse_definitions(text, preprocessor=None, implied_any=False, subqueries=True)[source]

Parse EQL preprocessor definitions from source.

Parameters:
  • text (str) – EQL source to parse
  • preprocessor (PreProcessor) – Use an EQL preprocessor to expand definitions and constants while parsing
  • implied_any (bool) – Allow for event queries to match on any event type when a type is not specified. If enabled, the query process_name == "cmd.exe" becomes any where process_name == "cmd.exe"
  • subqueries (bool) – Toggle support for subqueries, which are required by sequence, join, descendant of, child of and event of
Return type:

list[Definition]
eql.parse_expression(text, implied_any=False, preprocessor=None, subqueries=True)[source]

Parse an EQL expression and return the AST.

Parameters:
  • text (str) – EQL source text to parse
  • implied_any (bool) – Allow for event queries to match on any event type when a type is not specified. If enabled, the query process_name == "cmd.exe" becomes any where process_name == "cmd.exe"
  • subqueries (bool) – Toggle support for subqueries, which are required by sequence, join, descendant of, child of and event of
  • preprocessor (PreProcessor) – Optional preprocessor to expand definitions and constants
Return type:

Expression
eql.parse_query(text, implied_any=False, implied_base=False, preprocessor=None, subqueries=True, pipes=True, cli=False)[source]

Parse a full EQL query with pipes.

Parameters:
  • text (str) – EQL source text to parse
  • implied_any (bool) – Allow for event queries to match on any event type when a type is not specified. If enabled, the query process_name == "cmd.exe" becomes any where process_name == "cmd.exe"
  • implied_base (bool) – Allow for queries to be built with only pipes. Base query becomes ‘any where true’
  • subqueries (bool) – Toggle support for subqueries, which are required by sequence, join, descendant of, child of and event of
  • pipes (bool) – Toggle support for pipes
  • preprocessor (PreProcessor) – Optional preprocessor to expand definitions and constants
Return type:

PipedQuery
eql.parse_analytic(analytic_info, preprocessor=None, **kwargs)[source]

Parse an EQL analytic from a dictionary with metadata.

Parameters:
  • analytic_info (dict) – EQL dictionary with metadata and a query to convert to an analytic.
  • preprocessor (PreProcessor) – Optional preprocessor to expand definitions and constants
  • kwargs – Additional arguments to pass to parse_query()
Return type:

EqlAnalytic
eql.parse_analytics(analytics, preprocessor=None, **kwargs)[source]

Parse EQL analytics from a list of dictionaries.

Parameters:
  • analytics (list[dict]) – EQL dictionary with metadata to convert to an analytic.
  • preprocessor (PreProcessor) – Optional preprocessor to expand definitions and constants
  • kwargs – Additional arguments to pass to parse_query()
Return type:

list[EqlAnalytic]