
Event Query Language (EQL) for Opensearch #2442

Open
saeed-mcu opened this issue Nov 10, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

@saeed-mcu

Event Query Language (EQL) is a query language for event-based time series data, such as logs, metrics, and traces.
Is there any way I can use EQL in OpenSearch for searching logs?

Something like EQL search in Elasticsearch.
It is very useful for security analytics and correlation rules.

@saeed-mcu saeed-mcu added enhancement New feature or request untriaged labels Nov 10, 2023
@msfroh

msfroh commented Nov 16, 2023

@saeed-mcu

Hi @msfroh, thanks for your answer.
I've seen PPL before but that's not what I talked about.
In EQL, there are many functions and expressions that are very useful in attack detection, and without them it is not possible.

For example, the following EQL is meant to match a sequence of events that:

  • Share the same user.name field values
  • Occur within 15m (15 minutes) of the first matching event

sequence by user.name with maxspan=15m
  [ file where file.extension == "exe" ]
  [ process where true ]
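
The following is an added example, not code from the issue or from the OpenSearch project: a small in-memory evaluator for the sequence quoted above, written to make the join-key (`by user.name`) and `maxspan` semantics concrete for anyone comparing EQL against PPL. The sample events, the dotted field names (`@timestamp`, `event.category`, `user.name`, `file.extension`) and the simplified matching rules are assumptions made for the illustration; a real engine would run against the index rather than a Python list.

```python
"""Minimal evaluator for an EQL-style sequence (added illustration, not
project code):

    sequence by user.name with maxspan=15m
      [ file where file.extension == "exe" ]
      [ process where true ]

Semantics implemented (simplified relative to real EQL):
  * events are processed in timestamp order;
  * a partial sequence is keyed by the join field; the next stage can only be
    filled by an event carrying the same key value;
  * every event in a sequence must fall within `maxspan` of the first one;
    partials whose window has expired are dropped;
  * an event advances the oldest eligible partial for its key, otherwise it
    may open a new partial if it satisfies the first stage.
"""
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=15)
JOIN_KEY = "user.name"

# Each stage is (event category, predicate over the event dict).
STAGES = [
    ("file", lambda e: e.get("file.extension") == "exe"),
    ("process", lambda e: True),
]

# Constructed sample events (assumed field names, not real log data).
SAMPLE_EVENTS = [
    {"@timestamp": "2023-11-10T10:00:00", "event.category": "file",
     "user.name": "alice", "file.extension": "exe"},
    {"@timestamp": "2023-11-10T10:01:00", "event.category": "file",
     "user.name": "bob", "file.extension": "exe"},
    {"@timestamp": "2023-11-10T10:05:00", "event.category": "process",
     "user.name": "alice", "process.name": "setup.exe"},
    # bob's process event arrives 29 minutes after his file event: outside maxspan
    {"@timestamp": "2023-11-10T10:30:00", "event.category": "process",
     "user.name": "bob", "process.name": "installer.exe"},
    # carol's file is not an .exe, so stage 1 never starts for her
    {"@timestamp": "2023-11-10T11:00:00", "event.category": "file",
     "user.name": "carol", "file.extension": "txt"},
    {"@timestamp": "2023-11-10T11:02:00", "event.category": "process",
     "user.name": "carol", "process.name": "notepad.exe"},
    # dave has a process event with no preceding file event: stage order matters
    {"@timestamp": "2023-11-10T12:00:00", "event.category": "process",
     "user.name": "dave", "process.name": "cmd.exe"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def match_sequence(events, stages=STAGES, join_key=JOIN_KEY, maxspan=MAXSPAN):
    """Return completed sequences; each is a list with one event per stage."""
    ordered = sorted(events, key=lambda e: parse_ts(e["@timestamp"]))
    partials = {}   # join-key value -> list of in-progress sequences
    matches = []
    for ev in ordered:
        key = ev.get(join_key)
        if key is None:
            continue  # no join value: cannot correlate this event
        ts = parse_ts(ev["@timestamp"])
        # Drop partials for this key whose maxspan window has expired.
        alive = [p for p in partials.get(key, [])
                 if ts - parse_ts(p[0]["@timestamp"]) <= maxspan]
        advanced = False
        for p in alive:
            category, pred = stages[len(p)]
            if ev.get("event.category") == category and pred(ev):
                p.append(ev)  # oldest eligible partial takes the event
                advanced = True
                break
        still_open = []
        for p in alive:
            (matches if len(p) == len(stages) else still_open).append(p)
        if not advanced:
            category, pred = stages[0]
            if ev.get("event.category") == category and pred(ev):
                still_open.append([ev])  # open a new sequence for this key
        partials[key] = still_open
    return matches


def matched_users(events):
    """Join-key values that produced a complete sequence, sorted."""
    return sorted({seq[0][JOIN_KEY] for seq in match_sequence(events)})


if __name__ == "__main__":
    for seq in match_sequence(SAMPLE_EVENTS):
        print(seq[0][JOIN_KEY], [e["@timestamp"] for e in seq])
```

Only `alice` produces a match: `bob` fails the `maxspan` window, `carol`'s file event does not satisfy the first stage, and `dave` has no file event before his process event. Those three negative cases are exactly the correlation constraints that a plain per-event filter cannot express.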

@macohen

macohen commented Nov 29, 2023

@anirudha any thoughts on this proposal?

@msfroh

msfroh commented Nov 29, 2023

@opensearch-project/admin -- Can we please reassign this to the opensearch-project/sql repository? The requested capability sounds like something that should be supported by PPL. Thanks

@dblock dblock transferred this issue from opensearch-project/OpenSearch Nov 29, 2023
@dai-chen dai-chen removed the untriaged label Dec 4, 2023
@getsaurabh02 getsaurabh02 moved this from 🆕 New to Later (6 months plus) in Search Project Board Aug 15, 2024