EQL Analytics Library

eqllib is a library of event based analytics, written in EQL to detect adversary behaviors identified in MITRE ATT&CK™.

Next Steps

• Get started with EQL on your own computer
• Explore the analytics that map to ATT&CK.
• Learn how to write queries in EQL syntax
• Browse our schemas and existing normalizations
• View additional resources
• Check the license status

Contents

• Getting Started
  • eqllib Command-Line Interface
  • Guide to Microsoft Sysmon
• Analytics
• Atomic Blue Detections
• Enterprise ATT&CK Matrix
• Schemas
  • Security Events
• Resources
  • Blogs
  • Presentations
  • Additional Resources
• License