Event Query Language

See https://eql.readthedocs.io for documentation

Browse a library of EQL analytics

Getting Started

The EQL module currently supports Python 2.7 and 3.5+. With a supported Python version installed, run:

$ pip install eql

If Python's script directory is already on your PATH, the `eql` command is available immediately; confirm the installed version with:

$ eql --version
eql 0.6.2

From there, point EQL at a sample JSON file of events and run a query against it:

$ eql query -f example.json "process where process_name == 'explorer.exe'"
{"command_line": "C:\\Windows\\Explorer.EXE", "event_subtype_full": "already_running", "event_type_full": "process_event", "md5": "ac4c51eb24aa95b77f705ab159189e24", "opcode": 3, "pid": 2460, "ppid": 3052, "process_name": "explorer.exe", "process_path": "C:\\Windows\\explorer.exe", "serial_event_id": 34, "timestamp": 131485997150000000, "unique_pid": 34, "unique_ppid": 0, "user_domain": "research", "user_name": "researcher"}
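
The query above reads a file of events, keeps those whose event type is `process`, and tests one field for equality. The following is an added example, not part of EQL or this README: a small stand-in that shows the event layout such an input file needs (one JSON object per line, the `.jsonl` layout; it is assumed here that this is the form the `eql query -f` reader accepts, and the real CLI also picks a reader from the file extension) and emulates just the `<type> where <field> == '<value>'` form shown on the page. The sample events, field values and the `event_type_full` to type mapping are constructed for illustration; use the `eql` CLI or library for real queries.

```python
"""Toy emulation of the one EQL query form shown in the README.

This is NOT the eql package. It only illustrates the JSONL input shape
that `eql query -f` is assumed to consume, and how the query's event type
and field test map onto each event. Use the real `eql` tool for anything
beyond this single form.
"""
import json
import os
import re
import tempfile
from typing import Dict, Iterable, Iterator, List

# Constructed sample events in the shape of the README's output line.
# Every value below is made up for illustration.
SAMPLE_EVENTS: List[Dict] = [
    {"event_type_full": "process_event", "event_subtype_full": "creation_event",
     "pid": 2460, "ppid": 3052, "process_name": "explorer.exe",
     "process_path": "C:\\Windows\\explorer.exe", "user_name": "researcher",
     "serial_event_id": 34},
    {"event_type_full": "process_event", "event_subtype_full": "creation_event",
     "pid": 4120, "ppid": 2460, "process_name": "cmd.exe",
     "process_path": "C:\\Windows\\System32\\cmd.exe", "user_name": "researcher",
     "serial_event_id": 35},
    # Same process_name but a different event type: must NOT match `process where ...`
    {"event_type_full": "file_event", "event_subtype_full": "create",
     "pid": 4120, "process_name": "explorer.exe",
     "file_path": "C:\\Users\\researcher\\notes.txt", "serial_event_id": 36},
]

# Grammar for the single query form demonstrated on the page:
#   <event_type> where <field> == '<string literal>'
SIMPLE_QUERY = re.compile(
    r"^\s*(?P<event_type>[A-Za-z_]\w*)\s+where\s+"
    r"(?P<field>[A-Za-z_]\w*)\s*==\s*'(?P<value>[^']*)'\s*$"
)


def write_jsonl(path: str, events: Iterable[Dict]) -> int:
    """Write events as one JSON object per line; returns the number written."""
    count = 0
    with open(path, "w", encoding="utf-8") as fh:
        for ev in events:
            fh.write(json.dumps(ev, sort_keys=True) + "\n")
            count += 1
    return count


def read_jsonl(path: str) -> Iterator[Dict]:
    """Stream events back; blank lines are skipped, a malformed line raises."""
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.strip()
            if not line:
                continue
            try:
                yield json.loads(line)
            except json.JSONDecodeError as exc:
                raise ValueError(f"{path}:{lineno}: not a JSON object: {exc}") from exc


def event_type_of(event: Dict) -> str:
    """Assumed mapping: 'process_event' -> 'process', mirroring how the
    README's `process where ...` query matched an event whose
    event_type_full is 'process_event'."""
    full = event.get("event_type_full") or event.get("event_type", "")
    return full[:-len("_event")] if full.endswith("_event") else full


def run_simple_query(query: str, events: Iterable[Dict]) -> List[Dict]:
    """Evaluate `<type> where <field> == '<value>'` over events (toy only)."""
    m = SIMPLE_QUERY.match(query)
    if not m:
        raise ValueError("only `<type> where <field> == '<value>'` is supported here")
    etype, field, value = m.group("event_type", "field", "value")
    return [ev for ev in events
            if event_type_of(ev) == etype and ev.get(field) == value]


def demo() -> List[int]:
    """Round-trip the samples through a .jsonl file; return matching ids."""
    fd, path = tempfile.mkstemp(suffix=".jsonl")
    os.close(fd)
    try:
        write_jsonl(path, SAMPLE_EVENTS)
        hits = run_simple_query("process where process_name == 'explorer.exe'",
                                read_jsonl(path))
        return [ev["serial_event_id"] for ev in hits]
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())  # [34]
```

The third sample event is the case worth noticing: it carries `process_name == 'explorer.exe'` but is a `file_event`, so the `process` event-type prefix of the query excludes it. When a real query returns fewer events than expected, check `event_type_full` on the input before suspecting the field test.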

Next Steps