2020-01-27 16:03:23 -05:00
|
|
|
[role="xpack"]
|
|
|
|
[testenv="basic"]
|
|
|
|
[[eql]]
|
|
|
|
= EQL for event-based search
|
|
|
|
++++
|
|
|
|
<titleabbrev>EQL</titleabbrev>
|
|
|
|
++++
|
|
|
|
|
2020-06-02 11:03:12 -04:00
|
|
|
dev::[]
|
2020-01-27 16:03:23 -05:00
|
|
|
|
|
|
|
{eql-ref}/index.html[Event Query Language (EQL)] is a query language used for
|
|
|
|
logs and other event-based data.
|
|
|
|
|
|
|
|
You can use EQL in {es} to easily express relationships between events and
|
|
|
|
quickly match events with shared properties. You can use EQL and query
|
|
|
|
DSL together to better filter your searches.
|
|
|
|
|
2020-04-30 13:19:31 -04:00
|
|
|
[float]
|
|
|
|
[[eql-advantages]]
|
|
|
|
=== Advantages of EQL
|
|
|
|
|
|
|
|
* *EQL lets you express relationships between events.* +
|
|
|
|
Many query languages allow you to match only single events. EQL lets you match a
|
|
|
|
sequence of events across different event categories and time spans.
|
|
|
|
|
|
|
|
* *EQL has a low learning curve.* +
|
|
|
|
EQL syntax looks like other query languages. It lets you write and read queries
|
|
|
|
intuitively, which makes for quick, iterative searching.
|
|
|
|
|
|
|
|
* *We designed EQL for security use cases.* +
|
|
|
|
While you can use EQL for any event-based data, we created EQL for threat
|
|
|
|
hunting. EQL not only supports indicator of compromise (IOC) searching but
|
|
|
|
makes it easy to describe activity that goes beyond IOCs.
|
|
|
|
|
2020-01-27 16:03:23 -05:00
|
|
|
[float]
|
|
|
|
[[when-to-use-eql]]
|
|
|
|
=== When to use EQL
|
|
|
|
|
|
|
|
Consider using EQL if you:
|
|
|
|
|
|
|
|
* Use {es} for threat hunting or other security use cases
|
|
|
|
* Search time-series data or logs, such as network or system logs
|
|
|
|
* Want an easy way to explore relationships between events
|
|
|
|
|
|
|
|
[float]
|
|
|
|
[[eql-toc]]
|
|
|
|
=== In this section
|
|
|
|
|
2020-02-05 08:12:09 -05:00
|
|
|
* <<eql-requirements>>
|
2020-02-12 08:40:10 -05:00
|
|
|
* <<eql-search>>
|
2020-02-05 08:12:09 -05:00
|
|
|
* <<eql-syntax>>
|
2020-03-25 12:23:59 -04:00
|
|
|
* <<eql-function-ref>>
|
2020-06-30 09:12:54 -04:00
|
|
|
* <<eql-pipe-ref>>
|
2020-02-12 08:45:15 -05:00
|
|
|
* <<eql-limitations>>
|
2020-01-27 16:03:23 -05:00
|
|
|
|
|
|
|
include::requirements.asciidoc[]
|
2020-02-12 08:40:10 -05:00
|
|
|
include::search.asciidoc[]
|
2020-02-05 08:12:09 -05:00
|
|
|
include::syntax.asciidoc[]
|
2020-03-25 12:23:59 -04:00
|
|
|
include::functions.asciidoc[]
|
2020-06-30 09:12:54 -04:00
|
|
|
include::pipes.asciidoc[]
|
2020-02-12 08:45:15 -05:00
|
|
|
include::limitations.asciidoc[]
|