Comments (3)
hey @CptOfEvilMinions I think we've talked about this indirectly in other places but I haven't responded here. With EQL a `.` indicates a nested field, but I think with the bro logs the native fields were named "ip.orig_h" and "id.resp_h", which caused the problems.

This is an interesting scenario, because we currently require all field names to match `[a-zA-Z][a-zA-Z0-9_]*`
https://github.com/endgameinc/eql/blob/aa55970fd57996aed7519a8eda94c3fe472d15c2/eql/etc/eql.ebnf#L231

Since `.` already means something in EQL, there are a few ways we could do this:
- One option is to escape all characters that don't match that regex: `id\.orig_h`.
- Another option is to use the string syntax and do something like this: `["id.orig_h"]`.

Then your EQL queries would look like one of these

```
network where id\.orig_h == "192.168.1.1"
network where ["id.orig_h"] == "192.168.1.1"
network where .["id.orig_h"] == "192.168.1.1"
```

Also since your blog, it should be a lot easier to make your own schema, and EQL will autodetect it from your JSON file if you use the new interactive shell

Any preferences for the syntax?
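Added illustration (not EQL's code and not from this thread): a small Python path resolver that shows why a bare `id.orig_h` lookup misses on a flat Zeek/Bro record, how each of the two escape syntaxes proposed above would resolve it, and the normalizer alternative of nesting the dotted keys before querying. The parser, its regex, the helper names and the sample events are my own assumptions.

```python
import re

# Constructed sample events: a flat Zeek/Bro conn record with literal dotted
# keys, and the nested shape that EQL's "." syntax expects.
ZEEK_EVENT = {"id.orig_h": "192.168.1.1", "id.resp_h": "10.0.0.5", "proto": "tcp"}
NESTED_EVENT = {"id": {"orig_h": "192.168.1.1", "resp_h": "10.0.0.5"}, "proto": "tcp"}

# One path segment: either a bracketed string ["..."] that keeps dots literal,
# or a bare identifier in which "\." escapes a dot (hypothetical syntaxes from the thread).
_SEGMENT = re.compile(r'\["((?:[^"\\]|\\.)*)"\]|((?:[^.\[\\]|\\.)+)')


def parse_field_path(path):
    """Split an EQL-style field path into the list of keys to descend through."""
    keys, pos = [], 0
    path = path.lstrip(".")  # tolerate the leading-dot form  .["id.orig_h"]
    while pos < len(path):
        if path[pos] == ".":  # unescaped dot: descend into a nested object
            pos += 1
            continue
        match = _SEGMENT.match(path, pos)
        if not match:
            raise ValueError("bad field path at offset %d: %r" % (pos, path))
        quoted, bare = match.groups()
        keys.append(quoted if quoted is not None else re.sub(r"\\(.)", r"\1", bare))
        pos = match.end()
    return keys


def get_field(event, path):
    """Resolve a field path against an event dict; None when any hop is missing."""
    value = event
    for key in parse_field_path(path):
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value


def nest_dotted_keys(event):
    """Normalizer alternative: rewrite 'id.orig_h' into id -> orig_h so plain nesting works."""
    out = {}
    for key, value in event.items():
        target = out
        parts = key.split(".")
        for part in parts[:-1]:
            target = target.setdefault(part, {})
            if not isinstance(target, dict):
                raise ValueError("key %r collides with a non-object field" % key)
        target[parts[-1]] = value
    return out
```

With the flat record, `get_field(ZEEK_EVENT, "id.orig_h")` returns None because the resolver looks for a sub-object named `id`, while both escaped forms and the nested copy from `nest_dotted_keys` return the address.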
Resolved by endgameinc/eql#19