EQL for event-based search

This functionality is in development and may be changed or removed completely in a future release. These features are unsupported and not subject to the support SLA of official GA features.

Event Query Language (EQL) is a query language used for logs and other event-based data.

You can use EQL in Elasticsearch to easily express relationships between events and quickly match events with shared properties. You can use EQL and query DSL together to better filter your searches.

Advantages of EQL

  • EQL lets you express relationships between events.
    Many query languages allow you to match only single events. EQL lets you match a sequence of events across different event categories and time spans.
  • EQL has a low learning curve.
    EQL syntax looks like other query languages. It lets you write and read queries intuitively, which makes for quick, iterative searching.
  • We designed EQL for security use cases.
    While you can use EQL for any event-based data, we created EQL for threat hunting. EQL not only supports indicator of compromise (IOC) searching but makes it easy to describe activity that goes beyond IOCs.
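The following request is an added illustration, not an example from the original page; it assumes ECS-style field names (event.category, host.name, process.entity_id, destination.port, @timestamp), an index named my-index-000001, and the EQL search API's query and filter parameters. The EQL sequence matches a process start followed within 30 seconds by an HTTPS connection from that same process on the same host, while the query DSL filter limits the candidate events to the last 24 hours:

```console
GET /my-index-000001/_eql/search
{
  "query": """
    sequence by host.name, process.entity_id with maxspan=30s
      [ process where event.type == "start" ]
      [ network where destination.port == 443 ]
  """,
  "filter": {
    "range": { "@timestamp": { "gte": "now-24h" } }
  }
}
```

Each hit in the response is a matched sequence containing both events in order, so the two categories can be reviewed together rather than correlated by hand.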

When to use EQL

Consider using EQL if you:

  • Use Elasticsearch for threat hunting or other security use cases
  • Search time-series data or logs, such as network or system logs
  • Want an easy way to explore relationships between events

In this section