Basic queries within EQL require an event type and a matching condition. The two are connected using the where keyword. At the most basic level, an event query has the structure:

    event where condition

More specifically, an event query may resemble:

    process where process_name == "svchost.exe" and command_line != "* -k *"
Individual events can be matched with EQL by specifying criteria that compare the fields in the event to other fields or to values. Criteria can be combined with:

- Boolean operators

    and  or  not

- Value comparisons

    <  <=  ==  !=  >=  >

- Mathematical operations

  New in version 0.8.

    +  -  *  /  %

- Wildcard matching

    name == "*some*glob*match*"
    name != "*some*glob*match*"

- Function calls

    concat(user_domain, "\\", user_name)
    length(command_line) > 400
    add(timestamp, 300)

- Method syntax for concise function calls

    command_line:length() > 400

- Lookups against static or dynamic values

  New in version 0.8: Support for dynamic values.

    user_name in ("Administrator", "SYSTEM", "NETWORK SERVICE")
    user_name not in ("Administrator", "SYSTEM", "NETWORK SERVICE")
    process_name in ("cmd.exe", parent_process_name)
Strings are represented with single quotes (') or double quotes ("), with special characters escaped by a single backslash. Additionally, raw strings are represented with a leading ? character before the string, which disables escape sequences for all characters except the quote character.

    "hello world"
    "hello world with 'substring'"
    'example \t of \n escaped \r characters'
    ?"String with literal 'slash' \ characters included"
Relationships between events can be used for stateful tracking within the query. If a related event exists that matches the criteria, then the relationship is evaluated in the query as true. Relationships can be arbitrarily nested, allowing for complex behavior and state to be tracked. Existing relationships include child of, descendant of and event of.

- Network activity for PowerShell processes that were not spawned from explorer.exe

    network where process_name == "powershell.exe" and not descendant of [process where process_name == "explorer.exe"]

- Grandchildren of the WMI Provider Service

    process where child of [process where parent_process_name == "wmiprvse.exe"]

- Text file modifications by command shells with redirection

    file where file_name == "*.txt" and event of [process where process_name == "cmd.exe" and command_line == "* > *"]

- Executable file modifications by children of PowerShell

    file where file_name == "*.exe" and event of [process where child of [process where process_name == "powershell.exe"]]
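To show what "stateful tracking" means for the first two relationship queries above, here is a small Python model (added here; it is not the EQL project's engine and takes shortcuts the real engine does not) that streams constructed process and network events, keeps the pid-to-parent lineage as state, and answers child of and descendant of from it. The event field names (pid, ppid) and the sample events are assumptions made for the example.

```python
# Constructed sample events (not real telemetry), in arrival order; pid 1 is the root.
EVENTS = [
    {"event_type": "process", "pid": 100, "ppid": 1, "process_name": "explorer.exe", "parent_process_name": "userinit.exe"},
    {"event_type": "process", "pid": 200, "ppid": 100, "process_name": "cmd.exe", "parent_process_name": "explorer.exe"},
    {"event_type": "process", "pid": 300, "ppid": 200, "process_name": "powershell.exe", "parent_process_name": "cmd.exe"},
    {"event_type": "process", "pid": 400, "ppid": 1, "process_name": "wmiprvse.exe", "parent_process_name": "svchost.exe"},
    {"event_type": "process", "pid": 500, "ppid": 400, "process_name": "powershell.exe", "parent_process_name": "wmiprvse.exe"},
    {"event_type": "process", "pid": 600, "ppid": 500, "process_name": "whoami.exe", "parent_process_name": "powershell.exe"},
    {"event_type": "network", "pid": 300, "process_name": "powershell.exe", "destination_address": "203.0.113.10"},
    {"event_type": "network", "pid": 500, "process_name": "powershell.exe", "destination_address": "203.0.113.20"},
]

def child_of(parent, pid, matched):
    """child of [...]: the event's direct parent was matched by the inner query."""
    return parent.get(pid) in matched

def descendant_of(parent, pid, matched):
    """descendant of [...]: any ancestor was matched; 'seen' guards against pid cycles."""
    seen = set()
    while pid in parent and pid not in seen:
        seen.add(pid)
        pid = parent[pid]
        if pid in matched:
            return True
    return False

def run_query(events, outer_type, outer_cond, relation, inner_type, inner_cond, negate=False):
    """One pass in arrival order. The related event must already have been seen;
    once it has, the inner query evaluates as true for the outer event."""
    parent, inner_pids, hits = {}, set(), []
    for ev in events:
        if ev["event_type"] == "process":
            parent[ev["pid"]] = ev["ppid"]          # lineage state kept across events
        if ev["event_type"] == inner_type and inner_cond(ev):
            inner_pids.add(ev["pid"])
        if ev["event_type"] == outer_type and outer_cond(ev):
            if relation(parent, ev["pid"], inner_pids) != negate:   # 'not ...' flips the test
                hits.append(ev)
    return hits

# network where process_name == "powershell.exe" and not descendant of [process where process_name == "explorer.exe"]
def powershell_not_under_explorer(events=EVENTS):
    return run_query(events, "network", lambda e: e["process_name"] == "powershell.exe",
                     descendant_of, "process", lambda e: e["process_name"] == "explorer.exe", negate=True)

# process where child of [process where parent_process_name == "wmiprvse.exe"]
def wmiprvse_grandchildren(events=EVENTS):
    return run_query(events, "process", lambda e: True,
                     child_of, "process", lambda e: e["parent_process_name"] == "wmiprvse.exe")
```

The first query yields only the network event of pid 500 (its lineage is wmiprvse.exe, not explorer.exe); the second yields whoami.exe, whose parent powershell.exe was itself spawned by wmiprvse.exe.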