EQL Analytics Library

eqllib is a library of event based analytics, written in EQL to detect adversary behaviors identified in MITRE ATT&CK®.

Note

Endgame has joined forces with Elastic, and EQL is now in the Detection Engine of Kibana! To find the latest rules written in EQL, KQL or Lucene for the Elastic Stack, please visit elastic/detection-rules on GitHub.

Next Steps

• Get started with EQL on your own computer
• Explore the analytics that map to ATT&CK.
• Learn how to write queries in EQL syntax
• Browse our schemas and existing normalizations
• View additional resources
• Check the license status

Contents

• Getting Started
  • eqllib Command-Line Interface
  • Guide to Microsoft Sysmon
• Analytics
• Atomic Blue Detections
• Enterprise ATT&CK Matrix
• Schemas
  • Security Events
• Resources
  • Blogs
  • Presentations
  • Additional Resources
• License