/eql

Primary LanguagePythonOtherNOASSERTION

Event Query Language

PyPI Build Documentation License: AGPL v3

What is EQL? Browse a library of EQL analytics

Now in Elasticsearch!

Since Endgame joined forced with Elastic, EQL is now natively integrated in Elasticsearch! See the Elasticsearch EQL documentation for more information. Also, please note that we have made a few changes to EQL in Elasticsearch to accomodate non-security users. Those are best summarized here.

Getting Started

The EQL module current supports Python 2.7 and 3.5+. Assuming a supported Python version is installed, run the command:

$ pip install eql

If Python is configured and already in the PATH, then eql will be readily available, and can be checked by running the command:

$ eql --version
eql 0.9

From there, try a sample json file and test it with EQL.

$ eql query -f example.json "process where process_name == 'explorer.exe'"
{"command_line": "C:\\Windows\\Explorer.EXE", "event_type": "process", "md5": "ac4c51eb24aa95b77f705ab159189e24", "pid": 2460, "ppid": 3052, "process_name": "explorer.exe", "process_path": "C:\\Windows\\explorer.exe", "subtype": "create", "timestamp": 131485997150000000, "user": "research\\researcher", "user_domain": "research", "user_name": "researcher"}

Next Steps