Browse a library of EQL analytics
Since Endgame joined forces with Elastic, EQL is now natively integrated in Elasticsearch! See the Elasticsearch EQL documentation for more information. Also, please note that we have made a few changes to EQL in Elasticsearch to accommodate non-security users. Those are best summarized here.
The EQL module currently supports Python 2.7 and 3.5+. Assuming a supported Python version is installed, run the command:
If Python is configured and already in the PATH, then eql will be readily available, and can be checked by running the command:
From there, try a sample JSON file and test it with EQL.
$ eql query -f example.json "process where process_name == 'explorer.exe'"
{"command_line": "C:\\Windows\\Explorer.EXE", "event_type": "process", "md5": "ac4c51eb24aa95b77f705ab159189e24", "pid": 2460, "ppid": 3052, "process_name": "explorer.exe", "process_path": "C:\\Windows\\explorer.exe", "subtype": "create", "timestamp": 131485997150000000, "user": "research\\researcher", "user_domain": "research", "user_name": "researcher"}