eqllib

Command-Line Interface

The EQL Analytics Library comes with a utility that can search, normalize, and survey JSON data. See Getting Started for instructions on installing eqllib locally.

convert-data

    eqllib convert-data [OPTIONS] <input-json-file> <output-json-file>

The convert-data command normalizes data, generating a new JSON file that matches the schema.

Options

- -h
  Show the help message and exit.
- --file, -f
  Path to a JSON file of unnormalized events. Defaults to stdin if not specified.
- --format
  Format for the input file. One of json, json.gz, jsonl, jsonl.gz.
- -s <data-source>, --source <data-source>
  Required: the source schema for the events (e.g. "Microsoft Sysmon").
- -e <encoding>
  Source file encoding (e.g. ascii, utf8, utf16, etc.).
convert-query

    eqllib convert-query [OPTIONS] <eql-query>

The convert-query command takes an EQL query that matches a normalized schema and prints out the query converted to match a different schema.
query

The query command reads JSON events and prints matching output events back as JSON. Unless specified with -s, data is assumed to already be normalized against the schema.

    eqllib query [OPTIONS] <input-query> <json-file>

Options

- -h
  Show the help message and exit.
- --file, -f
  Path to a JSON file of unnormalized events. Defaults to stdin if not specified.
- --format
  Format for the input file. One of json, json.gz, jsonl, jsonl.gz.
- -s <data-source>, --source <data-source>
  Required: the source schema for the events (e.g. "Microsoft Sysmon").
- -e <encoding>
  Source file encoding (e.g. ascii, utf8, utf16, etc.).
survey

    eqllib survey [OPTIONS] <json-file> <analytic-path> [analytic-path, ...]

The survey command can be used to run multiple analytics against a single JSON file. Unless specified with -s, data is assumed to already be normalized against the schema.

Arguments

- analytic-path [analytic-path, ...]
  Path(s) to analytic TOML files or a directory of analytics.

Options

- -h
  Show the help message and exit.
- --file, -f
  Path to a JSON file of unnormalized events. Defaults to stdin if not specified.
- --format
  Format for the input file. One of json, json.gz, jsonl, jsonl.gz.
- -s <data-source>, --source <data-source>
  Required: the source schema for the events (e.g. "Microsoft Sysmon").
- -e <encoding>
  Source file encoding (e.g. ascii, utf8, utf16, etc.).
- -c
  Output counts per analytic instead of the individual hits.

View usage for the related EQL utility.
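The three commands above share one pipeline: read events in one of the four input formats with a given encoding, normalize them from a source schema into the common one, then run a query or a set of analytics over the result. The following is an added, self-contained Python illustration of that pipeline written for this page; it is not eqllib's code. The normalized field names (process_path, command_line, pid, ppid, user_name, ...), the Sysmon field mapping, the two analytics and the sample events are all constructed assumptions, chosen only to show what normalization buys a defender: the analytics are written once against the normalized names and never mention Sysmon's own field names.

```python
"""Added illustration of convert-data / query / survey behaviour (not eqllib's code)."""
import gzip
import json
import ntpath
import os
import tempfile


def load_events(path, fmt, encoding="utf8"):
    """Read events from a json / json.gz / jsonl / jsonl.gz file (the --format values).

    `json` holds one JSON array (or a single object); `jsonl` holds one JSON object
    per line. The .gz variants are gzip-compressed. The encoding (the -e option)
    is applied after decompression, so a UTF-16 file with a BOM decodes cleanly.
    """
    opener = gzip.open if fmt.endswith(".gz") else open
    with opener(path, "rb") as fh:
        text = fh.read().decode(encoding)
    if fmt.startswith("jsonl"):
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


# Assumed mapping for Sysmon EventID 1 (process creation) -> normalized names.
# eqllib ships its own mapping for "Microsoft Sysmon"; this one is illustrative.
SYSMON_PROCESS_FIELDS = {
    "Image": "process_path",
    "ParentImage": "parent_process_path",
    "CommandLine": "command_line",
    "ProcessId": "pid",
    "ParentProcessId": "ppid",
    "User": "user_name",
}


def normalize_sysmon(event):
    """Return a normalized process event, or None for event types not mapped here."""
    if event.get("EventID") != 1:
        return None
    out = {"event_type": "process", "subtype": "create"}
    for src, dst in SYSMON_PROCESS_FIELDS.items():
        if src in event:
            out[dst] = event[src]
    # Derived field: Windows paths, so use ntpath rather than os.path.
    out["process_name"] = ntpath.basename(out.get("process_path", ""))
    out["parent_process_name"] = ntpath.basename(out.get("parent_process_path", ""))
    return out


# Two constructed analytics over the normalized schema (stand-ins for TOML analytics).
ANALYTICS = {
    "cmd-spawned-by-office-app": lambda e: e["process_name"].lower() == "cmd.exe"
    and e["parent_process_name"].lower() in ("winword.exe", "excel.exe"),
    "powershell-encoded-command": lambda e: e["process_name"].lower() == "powershell.exe"
    and "-encodedcommand" in e.get("command_line", "").lower(),
}


def survey(events, analytics, counts_only=False):
    """Run every analytic over the events; counts_only mirrors the -c flag."""
    hits = {name: [e for e in events if pred(e)] for name, pred in analytics.items()}
    return {name: len(v) for name, v in hits.items()} if counts_only else hits


# Constructed sample events, not real telemetry. The EventID 3 record is a
# network event that the mapping above deliberately does not cover.
RAW_SYSMON = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ProcessId": 4242, "ParentProcessId": 1337, "User": "CORP\\alice",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand <constructed-placeholder>",
     "ProcessId": 5151, "ParentProcessId": 600, "User": "CORP\\bob", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "10.0.0.5"},
]


def write_sample(tmpdir):
    """Write RAW_SYSMON in all four formats plus a UTF-16 jsonl; return {label: path}."""
    paths = {}
    texts = {"json": json.dumps(RAW_SYSMON),
             "jsonl": "\n".join(json.dumps(e) for e in RAW_SYSMON) + "\n"}
    for fmt, text in texts.items():
        plain = os.path.join(tmpdir, "events." + fmt)
        with open(plain, "wb") as fh:
            fh.write(text.encode("utf8"))
        with gzip.open(plain + ".gz", "wb") as fh:
            fh.write(text.encode("utf8"))
        paths[fmt], paths[fmt + ".gz"] = plain, plain + ".gz"
    utf16 = os.path.join(tmpdir, "events-utf16.jsonl")
    with open(utf16, "wb") as fh:
        fh.write(texts["jsonl"].encode("utf16"))  # Python writes a BOM here
    paths["jsonl-utf16"] = utf16
    return paths


def demo():
    """Load each format, normalize, survey with counts; also prove utf16 decoding."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = write_sample(tmp)
        results = {}
        for fmt in ("json", "json.gz", "jsonl", "jsonl.gz"):
            normalized = [n for n in map(normalize_sysmon, load_events(paths[fmt], fmt)) if n]
            results[fmt] = survey(normalized, ANALYTICS, counts_only=True)
        results["utf16-events"] = len(load_events(paths["jsonl-utf16"], "jsonl", encoding="utf16"))
        return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Every format yields the same counts, which is the point of `--format` and `-e` being input concerns only: once events are normalized, the analytics and the survey output do not depend on how the file was packaged. The unmapped EventID 3 record is dropped by normalization rather than silently matched, the behaviour a practitioner should verify in their own source mapping before trusting survey counts.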