See https://eql.readthedocs.io for documentation
The EQL module current supports Python 2.7 and 3.5+. Assuming a supported Python version is installed, run the command:
$ pip install eqlIf Python is configured and already in the PATH, then eql will be readily available, and can be checked by running the command:
$ eql --version
eql 0.6.0From there, try a sample json file and test it with EQL.
$ eql query -f example.json "process where process_name == 'explorer.exe'"
{"command_line": "C:\\Windows\\Explorer.EXE", "event_subtype_full": "already_running", "event_type_full": "process_event", "md5": "ac4c51eb24aa95b77f705ab159189e24", "opcode": 3, "pid": 2460, "ppid": 3052, "process_name": "explorer.exe", "process_path": "C:\\Windows\\explorer.exe", "serial_event_id": 34, "timestamp": 131485997150000000, "unique_pid": 34, "unique_ppid": 0, "user_domain": "research", "user_name": "researcher"}- Check out the query guide for a crash course on writing EQL queries
- View usage for the cli
- Explore the api for advanced usage or incorporating EQL into other projects
- Browse a library of EQL analytics