This release includes the core EQL language, a schema mapping to Sysmon, and a set of analytics initially focused on Atomic Blue.
I think this language my coworkers created is a unique contender for use beyond the security world, wherever defining how events correlate with other events in a given timespan has meaning. The Read the Docs documentation has information on the how and what: https://eql.readthedocs.io/en/latest/ Anyway, have at it. :)
Thanks for sharing your creation with the world! I get sad a little whenever I see someone write a language interpreter/compiler in $NOT_HASKELL. Don’t get me wrong, I’m not implying your decision wasn’t the best one under the circumstances, I’m just curious whether you’ve considered doing that.
The grammar of the language is defined in EBNF / Tatsu in python https://github.com/endgameinc/eql/blob/900a25e7e8721292be61e11352efb5329d399b53/eql/etc/eql.ebnf and in spite of what has been released we’ve also implemented it in a couple other languages internally. Neither of them Haskell as we don’t use that at all internally, but I think we’ve talked about doing so in OCaml.
The language is relatively simple, and even the extensions w/ functions etc. don’t lock it to any particular PL stack, nor would they prevent you from compiling EQL statements into little programs “straight”. The heavy lifting around EQL has to do with making it compatible with data formats and schemas from other security tools, i.e. how do security events from Windows/Linux/Mac compare, etc.
Ideally this query language will have other implementations. At its heart it’s just a way of ingesting events and selecting those that match patterns either within single events or in chains of interrelated events. None of that is wedded to python or anything else.
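To make the "single events or chains of interrelated events" idea concrete, here is an added illustration (my own toy code, not the eql package and not Endgame's implementation) of the two kinds of selection described above: a plain filter over individual events, and an ordered sequence joined on a shared field that must complete within a time window. The event shapes, the sample records and the field names (`event_type`, `timestamp`, `pid`, `dest_port`) are constructed for the example and only loosely modelled on Sysmon process-create and network-connect records.

```python
"""Toy event matcher: single-event selection and time-bounded event sequences.

Constructed illustration; not the eql package or any vendor implementation.
Events are plain dicts with an 'event_type', a 'timestamp' in seconds, and a
'pid' that serves as the join key between related events.
"""
from typing import Callable, Dict, List, Sequence

Event = Dict[str, object]
Predicate = Callable[[Event], bool]

# Constructed sample stream, roughly shaped like Sysmon EventID 1 (process
# create) and EventID 3 (network connect) records.
SAMPLE_EVENTS: List[Event] = [
    {"event_type": "process", "timestamp": 0.0, "pid": 100, "image": "explorer.exe"},
    {"event_type": "process", "timestamp": 1.0, "pid": 200, "image": "powershell.exe"},
    {"event_type": "network", "timestamp": 2.5, "pid": 200, "dest_port": 443},
    {"event_type": "network", "timestamp": 3.0, "pid": 100, "dest_port": 80},
    {"event_type": "process", "timestamp": 10.0, "pid": 300, "image": "cmd.exe"},
    {"event_type": "network", "timestamp": 60.0, "pid": 300, "dest_port": 443},
]


def is_process_start(e: Event) -> bool:
    return e["event_type"] == "process"


def is_https_connect(e: Event) -> bool:
    return e["event_type"] == "network" and e.get("dest_port") == 443


def where(events: Sequence[Event], predicate: Predicate) -> List[Event]:
    """Single-event selection: keep every event for which the predicate holds."""
    return [e for e in events if predicate(e)]


def sequence(events: Sequence[Event], steps: Sequence[Predicate],
             by: str, maxspan: float) -> List[List[Event]]:
    """Ordered multi-event selection.

    `steps` are predicates that must match in order. Every event in a chain
    must share the same value of the join field `by`, and the whole chain must
    fit inside `maxspan` seconds measured from its first event. One partial
    chain is tracked per join value; a chain that ages out is restarted.
    """
    partial: Dict[object, List[Event]] = {}
    results: List[List[Event]] = []
    for e in sorted(events, key=lambda ev: ev["timestamp"]):
        key = e.get(by)
        if key is None:
            continue
        chain = partial.get(key, [])
        # Discard a chain whose window has expired before this event arrived.
        if chain and e["timestamp"] - chain[0]["timestamp"] > maxspan:
            chain = []
        if steps[len(chain)](e):
            chain = chain + [e]
            if len(chain) == len(steps):
                results.append(chain)
                partial.pop(key, None)
                continue
        partial[key] = chain
    return results


def process_then_https(events: Sequence[Event], maxspan: float) -> List[List[Event]]:
    """Process start followed by an outbound 443 connection from the same pid."""
    return sequence(events, [is_process_start, is_https_connect], by="pid", maxspan=maxspan)


if __name__ == "__main__":
    print("https connects:", where(SAMPLE_EVENTS, is_https_connect))
    for chain in process_then_https(SAMPLE_EVENTS, maxspan=30):
        print("matched chain:", [(e["event_type"], e["timestamp"]) for e in chain])
```

With a 30-second window only pid 200 matches: pid 100 never connects to 443, and pid 300's connection arrives 50 seconds after its process start, so its partial chain has aged out. Widening the window to 120 seconds admits pid 300 as well, which is the timespan semantics the thread is describing.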