opensearch-project / sql

Query your data using familiar SQL or intuitive Piped Processing Language (PPL)
https://opensearch.org/docs/latest/search-plugins/sql/index/
Apache License 2.0

Event Query Language (EQL) for Opensearch #2442

Open saeed-mcu opened 7 months ago

saeed-mcu commented 7 months ago

Event Query Language (EQL) is a query language for event-based time series data, such as logs, metrics, and traces. Is there any way I can use EQL in OpenSearch for searching logs?

Something like EQL search in Elasticsearch. It is very useful for security analytics and correlation rules.

msfroh commented 7 months ago

Have you looked at PPL: https://opensearch.org/docs/latest/search-plugins/sql/ppl/syntax/ ?

saeed-mcu commented 7 months ago

Hi @msfroh, thanks for your answer. I've seen PPL before, but that's not what I was talking about. In EQL there are many functions and expressions that are very useful in attack detection, and without them it is not possible.

For example, the following EQL is meant to match a sequence of events that:
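The comment above refers to EQL's ability to match a *sequence* of related events (the query itself is not shown in the thread). To make concrete what such correlation does for detection, here is an added, self-contained Python illustration. It is not code from the issue author or from the OpenSearch SQL/PPL plugin, and it only approximates the idea behind EQL's `sequence by <field> with maxspan=<window>`: events are grouped by a join key, each step of the sequence must be satisfied in order, and the whole sequence must fit inside a time window. The event field names (`ts`, `host`, `category`, `name`, `dest_port`), the sample events and the matching semantics (one event extends at most one partial sequence, otherwise it may start a new one) are constructed assumptions, not EQL's exact rules.

```python
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]
Step = Callable[[Event], bool]

# Constructed sample events (not taken from the issue thread). "ts" is seconds.
SAMPLE_EVENTS: List[Event] = [
    {"ts": 100, "host": "h1", "category": "process", "name": "powershell.exe"},
    {"ts": 105, "host": "h1", "category": "network", "dest_port": 443},
    {"ts": 110, "host": "h2", "category": "process", "name": "powershell.exe"},
    {"ts": 200, "host": "h1", "category": "process", "name": "powershell.exe"},
    {"ts": 300, "host": "h3", "category": "network", "dest_port": 443},
    {"ts": 700, "host": "h2", "category": "network", "dest_port": 443},
]

# Two ordered steps: a process event followed by an outbound network event.
# (Hypothetical rule used only to exercise the matcher.)
STEPS: List[Step] = [
    lambda e: e.get("category") == "process" and e.get("name") == "powershell.exe",
    lambda e: e.get("category") == "network" and e.get("dest_port") == 443,
]


def match_sequences(events: List[Event], steps: List[Step],
                    by: str, maxspan: int) -> List[List[Event]]:
    """Return every completed sequence as a list of events, one per step.

    All events of a sequence share the same value of `by`, appear in
    timestamp order, and lie within `maxspan` seconds of the first event.
    Simplified semantics (assumption): an event extends at most one open
    partial sequence (the oldest eligible one); if it extends none and
    satisfies the first step, it opens a new partial sequence.
    """
    partials: Dict[object, List[List[Event]]] = {}
    matches: List[List[Event]] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = ev.get(by)
        if key is None:
            continue  # cannot correlate an event without the join key
        # Expire partial sequences whose window has closed.
        live = [p for p in partials.get(key, [])
                if ev["ts"] - p[0]["ts"] <= maxspan]
        extended = False
        for p in live:
            if steps[len(p)](ev):
                p.append(ev)
                extended = True
                break
        if not extended and steps[0](ev):
            live.append([ev])
        matches.extend(p for p in live if len(p) == len(steps))
        partials[key] = [p for p in live if len(p) < len(steps)]
    return matches


def detect(events: List[Event] = SAMPLE_EVENTS,
           maxspan: int = 300) -> List[Tuple[object, int, int]]:
    """Run the constructed rule and summarise each hit as (host, first_ts, last_ts)."""
    return [(seq[0]["host"], seq[0]["ts"], seq[-1]["ts"])
            for seq in match_sequences(events, STEPS, by="host", maxspan=maxspan)]


if __name__ == "__main__":
    for host, first, last in detect():
        print(f"sequence matched on {host}: {first} -> {last}")
```

With the sample data only `h1` produces a hit (events at 100 and 105). Host `h2` sees both event types but 590 seconds apart, so the `maxspan` window expires the partial sequence and no alert is raised; host `h3` has the second step without the first. That windowed, per-entity ordering is the part of EQL-style correlation that a single-query filter does not express.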

macohen commented 7 months ago

@anirudha any thoughts on this proposal?

msfroh commented 7 months ago

@opensearch-project/admin -- Can we please reassign this to the opensearch-project/sql repository? The requested capability sounds like something that should be supported by PPL. Thanks.