CONTRIBUTING.md

File metadata and controls

53 lines (38 loc) · 3.92 KB

Contribution Guide

Welcome to the Event Query Language (EQL) Analytics Library contribution guide and thank you for expressing an interest in contributing to EQL!

As a quick refresher, the Event Query Language (EQL) was built by Endgame to express relationships between events. The language contains all the conditional matching you need, is data source and platform agnostic, includes the ability to ask stateful questions, and enables the hunter by including data pipes to sift and stack data. If you have structured data, you can start asking questions now.

The EQL community consists of two main components:

Contributions that extend the core capabilities of the language are directed to eql. For new detections, hunts, data sources, or knowledge sharing, please read the guidelines below before contributing.

We are all in this together and hope you join us in expanding behavior based analytics, sharing data models, and more.

Table of Contents

  1. Contribution Process
  2. Ways to Contribute
  3. Resources
  4. License

Contribution Process

Contributing to the analytics library is a simple process facilitated by Git:

  1. Create an issue to track and discuss the work
  2. Create a branch
  3. Submit a pull request
  4. Update according to the code review
  5. Merge after approval

Additional Notes

  • If you are accustomed to git, then great! If you aren't, don't fear: the command line tools are easy to use, and GitHub also offers a straightforward process within your web browser for creating branches and merging them afterwards.
  • Use the Issue and PR templates! GitHub Issues are a great place to collaborate, discuss, or just track a request before development begins.
  • There is plenty of literature and resources out there to help you. A great place to start is GitHub guides.

Ways to Contribute

Analytics

With EQL, we can write analytics for hunts, detections, and even enrichments. When writing a rule, be certain to think about the suspicious behavior rather than a single indicator. Here are some questions to help:

  • How much noise will this most likely match?
  • Does it make more sense as an enrichment or high fidelity detection? Or does it use stacking that is relevant for hunting?
  • How precise are the ATT&CK mappings? For instance, if tagged with Privilege Escalation, does the query specifically have logic to look for jumps in integrity levels or privileges?
  • Do you want an entry in docs/templates/links.rst for your contributor handle?
  • Was the UUID autogenerated? Copied and pasted UUIDs often cause confusion when large parts of them look the same, so a completely random UUID has the best chance of minimizing confusion.

Schema

The Event Query Language isn't inherently bound to specific schemas, but within our Analytics Library, we're currently more focused on security analytics. If there is a data source that you find useful and you would like to add it to the EQL framework, create an issue or pull request!

Resources

See the resources page on ReadTheDocs for a full list of resources.

License

The EQL Analytics Library is licensed under the MIT License.