mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-03-30 11:58:36 +00:00
Adds a concise list of EQL advantages, based on the "EQL Advantages" section in the [EQL for the masses][0] blog post. The intent is to inform users how EQL could benefit at a high level. [0]: https://www.elastic.co/blog/eql-for-the-masses Co-Authored-By: Ross Wolf <31489089+rw-access@users.noreply.github.com>
This commit is contained in:
James Rodewig
GitHub
parent
d8f9df771d
commit
61cf646f17
@ -15,6 +15,23 @@ You can use EQL in {es} to easily express relationships between events and
|
|||||||
quickly match events with shared properties. You can use EQL and query
|
quickly match events with shared properties. You can use EQL and query
|
||||||
DSL together to better filter your searches.
|
DSL together to better filter your searches.
|
||||||
|
|
||||||
|
[float]
|
||||||
|
[[eql-advantages]]
|
||||||
|
=== Advantages of EQL
|
||||||
|
|
||||||
|
* *EQL lets you express relationships between events.* +
|
||||||
|
Many query languages allow you to match only single events. EQL lets you match a
|
||||||
|
sequence of events across different event categories and time spans.
|
||||||
|
|
||||||
|
* *EQL has a low learning curve.* +
|
||||||
|
EQL syntax looks like other query languages. It lets you write and read queries
|
||||||
|
intuitively, which makes for quick, iterative searching.
|
||||||
|
|
||||||
|
* *We designed EQL for security use cases.* +
|
||||||
|
While you can use EQL for any event-based data, we created EQL for threat
|
||||||
|
hunting. EQL not only supports indicator of compromise (IOC) searching but
|
||||||
|
makes it easy to describe activity that goes beyond IOCs.
|
||||||
|
|
||||||
[float]
|
[float]
|
||||||
[[when-to-use-eql]]
|
[[when-to-use-eql]]
|
||||||
=== When to use EQL
|
=== When to use EQL
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user