Browse a library of EQL analytics
The EQL module current supports Python 2.7 and 3.5+. Assuming a supported Python version is installed, run the command:
$ pip install eql
If Python is configured and already in the PATH, then eql
will be readily available, and can be checked by running the command:
$ eql --version
eql 0.8
From there, try a sample json file and test it with EQL.
$ eql query -f example.json "process where process_name == 'explorer.exe'"
{"command_line": "C:\\Windows\\Explorer.EXE", "event_type": "process", "md5": "ac4c51eb24aa95b77f705ab159189e24", "pid": 2460, "ppid": 3052, "process_name": "explorer.exe", "process_path": "C:\\Windows\\explorer.exe", "subtype": "create", "timestamp": 131485997150000000, "user": "research\\researcher", "user_domain": "research", "user_name": "researcher"}
- Browse a library of EQL analytics
- Check out the query guide for a crash course on writing EQL queries
- View usage for interactive shell
- Explore the API for advanced usage or incorporating EQL into other projects