Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Supporting EQL in Elasticsearch #49581

Closed
20 of 26 tasks
colings86 opened this issue Nov 26, 2019 · 3 comments
Closed
20 of 26 tasks

Supporting EQL in Elasticsearch #49581

colings86 opened this issue Nov 26, 2019 · 3 comments
Assignees
Labels
:Analytics/EQL EQL querying Dependency:SIEM Meta Team:QL (Deprecated) Meta label for query languages team

Comments

@colings86
Copy link
Contributor

colings86 commented Nov 26, 2019

This is a meta issue to track progress of adding EQL support to Elasticsearch. EQL will be supported via a new Elastic licensed plugin which will provide execution of EQL rules.

The language reference for EQL can be found here

Scope of first iteration

Language features

In Scope

Out of Scope

  • Lineage, i.e.:
    • Descendant of
    • Child of
    • Event of
  • Array functions
    • arrayContains
    • arraySearch
    • arrayCount
  • fork in sequences

Things to consider during the design and implementation

  • EQL is a language that’s already used in the wild. Any changes we make to the language or the way EQL rules are written will have implications on the existing users and migration of users to future versions so these should be very carefully considered
  • A separate implementation of EQL will still exist that queries the endpoint devices directly. This means that we should avoid differences between writing EQL for Elasticsearch and EQL to run on the endpoints as any differences would have the potential to confuse users
  • We see EQL being useful in many use cases. The Elasticsearch implementation need to be able to be used on generic data not just Endpoint data. EQL should default to expecting data in ECS format, but should have the ability to be overridden so it can be used on other schemas as well

High level tasks

Each task here has its own issue and some bigger tasks might have their own meta issue:

@colings86 colings86 self-assigned this Nov 26, 2019
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-search (:Search/EQL)

@alexbrasetvik
Copy link
Contributor

It seems that some of the infrastructure required for this (notably the multiple search request executor and limited join-handling) could also eventually help support SQL WITH-queries (common table expressions) in some distant future :)

imotov added a commit to imotov/elasticsearch that referenced this issue Jan 7, 2020
Adds a protocol support for async mode. The actual implementation
will added when more details of query handling are clear.

Relates to elastic#49581
imotov added a commit to imotov/elasticsearch that referenced this issue Jan 9, 2020
Refactors EqlSearchResponse to make it immutable

Relates to elastic#49581
imotov added a commit that referenced this issue Jan 9, 2020
Refactors EqlSearchResponse to make it immutable

Relates to #49581
imotov added a commit to imotov/elasticsearch that referenced this issue Jan 10, 2020
Removes unnecessary classes from EqlSearchResponse that just represent
lists of other elements.

Relates to elastic#49581
imotov added a commit that referenced this issue Jan 13, 2020
Removes unnecessary classes from EqlSearchResponse that just represent
lists of other elements.

Relates to #49581
imotov added a commit to imotov/elasticsearch that referenced this issue Jan 13, 2020
Replaces the existing hand-build Hits parser with a
ConstructingObjectParser version.

Relates to elastic#49581
imotov added a commit that referenced this issue Jan 13, 2020
Replaces the existing hand-build Hits parser with a
ConstructingObjectParser version.

Relates to #49581
aleksmaus pushed a commit to aleksmaus/elasticsearch that referenced this issue Jan 27, 2020
Refactors EqlSearchResponse to make it immutable

Relates to elastic#49581
aleksmaus pushed a commit to aleksmaus/elasticsearch that referenced this issue Jan 27, 2020
Removes unnecessary classes from EqlSearchResponse that just represent
lists of other elements.

Relates to elastic#49581
aleksmaus pushed a commit to aleksmaus/elasticsearch that referenced this issue Jan 27, 2020
…#50925)

Replaces the existing hand-build Hits parser with a
ConstructingObjectParser version.

Relates to elastic#49581
aleksmaus added a commit to aleksmaus/elasticsearch that referenced this issue Jan 27, 2020
aleksmaus added a commit to aleksmaus/elasticsearch that referenced this issue Feb 12, 2020
…iginal implementation

The tests use the original test queries from
https://github.com/endgameinc/eql/blob/master/eql/etc/test_queries.toml
for EQL implementation correctness validation.
The file test_queries_unsupported.toml serves as a "blacklist" for the
queries that we do not support. Currently all of the queries are
blacklisted. Over the time the expectation is to eventually have an
empty "blacklist" when all of the queries are fully supported.

The tests use the original test vector from
https://raw.githubusercontent.com/endgameinc/eql/master/eql/etc/test_data.json
that was translated to ECS format that matches the latest mapping being
used for Endgame platform event streaming and is loaded from endgame.dat
file. The endgame.json file contains the matching index
mappings/setting.

Only one EQL and the response is stubbed for now to match the expected
output from that query. This part would need some tweaking after EQL is
fully wired.

The input .toml file is parsed by hand for now, which is sufficient for
our purposes and avoids introducing another dependency just for this
particular test case.

Related to elastic#49581
aleksmaus added a commit that referenced this issue Feb 22, 2020
…iginal implementation (#52248)

The tests use the original test queries from
https://github.com/endgameinc/eql/blob/master/eql/etc/test_queries.toml
for EQL implementation correctness validation.
The file test_queries_unsupported.toml serves as a "blacklist" for the
queries that we do not support. Currently all of the queries are
blacklisted. Over the time the expectation is to eventually have an
empty "blacklist" when all of the queries are fully supported.

The tests use the original test vector from
https://raw.githubusercontent.com/endgameinc/eql/master/eql/etc/test_data.json.

Only one EQL and the response is stubbed for now to match the expected
output from that query. This part would need some tweaking after EQL is
fully wired.

Related to #49581
aleksmaus added a commit to aleksmaus/elasticsearch that referenced this issue Feb 22, 2020
…iginal implementation (elastic#52248)

The tests use the original test queries from
https://github.com/endgameinc/eql/blob/master/eql/etc/test_queries.toml
for EQL implementation correctness validation.
The file test_queries_unsupported.toml serves as a "blacklist" for the
queries that we do not support. Currently all of the queries are
blacklisted. Over the time the expectation is to eventually have an
empty "blacklist" when all of the queries are fully supported.

The tests use the original test vector from
https://raw.githubusercontent.com/endgameinc/eql/master/eql/etc/test_data.json.

Only one EQL and the response is stubbed for now to match the expected
output from that query. This part would need some tweaking after EQL is
fully wired.

Related to elastic#49581
aleksmaus added a commit that referenced this issue Feb 24, 2020
…iginal implementation (#52248) (#52675)

The tests use the original test queries from
https://github.com/endgameinc/eql/blob/master/eql/etc/test_queries.toml
for EQL implementation correctness validation.
The file test_queries_unsupported.toml serves as a "blacklist" for the
queries that we do not support. Currently all of the queries are
blacklisted. Over the time the expectation is to eventually have an
empty "blacklist" when all of the queries are fully supported.

The tests use the original test vector from
https://raw.githubusercontent.com/endgameinc/eql/master/eql/etc/test_data.json.

Only one EQL and the response is stubbed for now to match the expected
output from that query. This part would need some tweaking after EQL is
fully wired.

Related to #49581
@rjernst rjernst added the Team:QL (Deprecated) Meta label for query languages team label May 4, 2020
@jrodewig jrodewig removed their assignment Jul 17, 2020
@costin
Copy link
Member

costin commented Oct 28, 2020

Replacing this long standing issue with the remaining tasks for 7.11 at #64273

@costin costin closed this as completed Oct 28, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
:Analytics/EQL EQL querying Dependency:SIEM Meta Team:QL (Deprecated) Meta label for query languages team
Projects
None yet
Development

No branches or pull requests