# Threat Hunting with EQL

In [7]:
# style the notebook
from IPython.display import HTML
import urllib.request
# Load the stylesheet for this notebook from the eql-notebook repository.
response = urllib.request.urlopen('https://raw.githubusercontent.com/joswr1ght/eql-notebook/master/css/main.css')
HTML(response.read().decode("utf-8"))

# ![EQL Logo](images/eql.png)

## What is EQL?
### Event Query Language by Russ Wolf and Carl Rutherford
### Standardized query language (like SQL) to evaluate Windows events
### Used for threat hunting, IR, red teaming, and more!

> EQL reads from Sysmon and other log sources, normalizes the data, and provides a syntax to interrogate the data

---

EQL is the Event Query Language, a project by Russ Wolf and Carl Rutherford. EQL is a query language (similar in spirit to SQL, but not syntactically compatible with it) that lets you query Windows host data in JSON format and evaluate events of interest portably across data sources. EQL can be used for threat hunting with simple queries that detect events matching attack techniques such as those described in the [MITRE Cyber Analytics Repository (CAR)](https://car.mitre.org/).

## Why Do We Need EQL?

![EQL Query - whoami](images/eql-whoami.jpg)

---

Data used to detect threats or compromises on Windows systems is a mess: many different data source types, different fields across sources, different data structures, and different data formats. To use these data sources effectively, you have to memorize many different data structure formats and apply complex logic to cross-reference the sources.

EQL brings those data formats together into a single source. Using EQL you can write queries that are _portable_, simple, and lightly abstracted, so you can focus on finding bad guys instead of worrying about syntax.


## EQL Basics

### Schema

EQL queries start with a _schema_ and add _conditional operators_ to retrieve data that is interesting to the analyst. Schemas are standard and consistent in EQL, currently one of:

+ 

## Hunting Techniques

### Long Command Lines

In [3]:
!eql query -f data/sysmon-converted.json 'process where length(command_line) > 200 \
        and not process_name in ("chrome.exe", "ngen.exe")' \
        | jq "{process_name,parent_process_name,command_line}"

{
  "process_name": "slui.exe",
  "parent_process_name": "SppExtComObj.Exe",
  "command_line": "\"C:\\WINDOWS\\System32\\SLUI.exe\" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2ffd8952-423e-4903-b993-72a1aa44cf82;NotificationInterval=1440;Trigger=TimerEvent"
}
{
  "process_name": "software_reporter_tool.exe",
  "parent_process_name": "chrome.exe",
  "command_line": "\"C:\\Users\\Sec504\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\31.163.203\\software_reporter_tool.exe\" --session-id=+zGJZuAkD4oM6iUjX9Nkb6cQJ0tVJEOwKezvmUiA --registry-suffix=URZA --srt-field-trial-group-name=NewCleanerUIExperiment"
}