`eqllib` Command-Line Interface¶

The EQL Analytics Library comes with a utility that can search, normalize, and survey JSON data. See Getting Started for instructions on installing eqllib locally.

convert-data¶

eqllib convert-data [OPTIONS] <input-json-file> <output-json-file>

The convert-data command normalizes data, generating a new JSON file that matches the schema.

Arguments¶

output-json-file¶: Path to an output JSON file to store normalized events.

Options¶

-h¶: Show the help message and exit

--file, -f¶: Path to a JSON file of unnormalized events. Defaults to stdin if not specified

--format¶: Format for the input file. One of json, json.gz, jsonl, jsonl.gz

-s <data-source>, --source <data-source>¶: Required: the source schema for the events. (e.g. "Microsoft Sysmon")

-e <encoding>¶: Source file encoding. (e.g. ascii, utf8, utf16, etc.)

convert-query¶

eqllib convert-query [OPTIONS] <eql-query>

The convert-query command takes an EQL query that matches a normalized schema, and will print out the query converted to match a different schema.

Arguments¶

eql-query¶: Input EQL query written for the normalization schema

Options¶

-h¶: Show the help message and exit

-s <data-source>, --source <data-source>¶: Required: the source schema for the events. (e.g. "Microsoft Sysmon")

query¶

The query command reads JSON events and print matching output events back as JSON. Unless specified with -s, data is assumed to already be normalized against the schema.

eqllib query [OPTIONS] <input-query> <json-file>

Arguments¶

input-query¶: Query in EQL syntax that matches the common schema.

Options¶

-h¶: Show the help message and exit

--file, -f¶: Path to a JSON file of unnormalized events. Defaults to stdin if not specified

--format¶: Format for the input file. One of json, json.gz, jsonl, jsonl.gz

-s <data-source>, --source <data-source>¶: Required: the source schema for the events. (e.g. "Microsoft Sysmon")

-e <encoding>¶: Source file encoding. (e.g. ascii, utf8, utf16, etc.)

survey¶

eqllib survey [OPTIONS] <json-file> <analytic-path> [analytic-path, …]

The survey command can be used to run multiple analytics against a single JSON file. Unless specified with -s, data is assumed to already be normalized against the schema.

Arguments¶

analytic-path [analytic-path, ...]¶: Path(s) to analytic TOML files or a directory of analytics.

Options¶

-h¶: Show the help message and exit

--file, -f¶: Path to a JSON file of unnormalized events. Defaults to stdin if not specified

--format¶: Format for the input file. One of json, json.gz, jsonl, jsonl.gz

-s <data-source>, --source <data-source>¶: Required: the source schema for the events. (e.g. "Microsoft Sysmon")

-e <encoding>¶: Source file encoding. (e.g. ascii, utf8, utf16, etc.)

-c¶: Output counts per analytic instead of the individual hits.

View usage for the related EQL utility.

eqllib Command-Line Interface¶

convert-data¶

Arguments¶

Options¶

convert-query¶

Arguments¶

Options¶

query¶

Arguments¶

Options¶

survey¶

Arguments¶

Options¶

`eqllib` Command-Line Interface¶