// // QueryTranslation tests // // A test is made up of a name (one line), a query that can span multiple lines and ends with ; and one or multiple assertions (one per line) that end with ; // // // ; // // // ... // // ; // // Notes: // - The EQL query could span multiple lines and should be terminated with semicolon (;) // - The currently supported matchers: `CONTAINS` (the default one), `REGEX` // - To ignore a test, add the -Ignore to the end of the name // - Matchers can be skipped, if you just want to test that a query is optimized/plan without errors // - Do not use whitespaces in the relevant parts of the query itself, as they will be removed. // For example 'process where process_name : "System Idle Process"' // The whitespaces between System Idle Process will be removed and the assertion will fail. basic process where true ; ; singleNumericFilterEquals process where serial_event_id == 1 ; contains "term":{"serial_event_id":{"value":1} ; singleNumericFilterLess process where serial_event_id < 4 ; "range":{"serial_event_id":{"lt":4 ; singleNumericFilterLessEquals process where serial_event_id <= 4 ; "range":{"serial_event_id":{"lte":4 ; singleNumericFilterGreater process where serial_event_id > 4 ; "range":{"serial_event_id":{"gt":4 ; singleNumericFilterGreaterEquals process where serial_event_id >= 4 ; "range":{"serial_event_id":{"gte":4 ; caseInsensitiveEquals process where process_name : "test" ; "term":{"process_name":{"value":"test","case_insensitive":true} ; caseInsensitiveEqualsWithPattern process where process_name : "test*" ; "wildcard":{"process_name":{"wildcard":"test*","case_insensitive":true,"boost":1.0} ; caseInsensitiveEqualsListSingleValue process where process_name : ("test") ; "term":{"process_name":{"value":"test","case_insensitive":true} ; caseInsensitiveEqualsList process where process_name : ("test", "best") ; {"bool":{"should":[{"term" "term":{"process_name":{"value":"test","case_insensitive":true} "term":{"process_name":{"value":"best","case_insensitive":true} ; caseInsensitiveEqualsListWildcard process where process_name : ("test*", "best") ; {"bool":{"should":[{"wildcard" "wildcard":{"process_name":{"wildcard":"test*","case_insensitive":true,"boost":1.0} "term":{"process_name":{"value":"best","case_insensitive":true} ; mixedTypeFilter process where process_name : "notepad.exe" or (serial_event_id < 4.5 and serial_event_id >= 3.1) ; "term":{"process_name":{"value":"notepad.exe","case_insensitive":true} {"bool":{"must":[{"range":{"serial_event_id":{"lt":4.5 {"range":{"serial_event_id":{"gte":3.1 ; notFilter process where not (exit_code > -1) ; {"bool":{"must_not":[{"range":{"exit_code":{"gt":-1 ; notFieldsConjunction process where not (exit_code > 1 and user_name == "root") ; {"bool":{"must_not":[{"bool":{"must":[{"range":{"exit_code":{"gt":1 {"term":{"user_name":{"value":"root" ; notOneFieldConjunctionNotSecondField process where not (exit_code > 1) and not (user_name == "root") ; {"bool":{"must":[{"bool":{"must_not":[{"range":{"exit_code":{"gt":1 {"bool":{"must_not":[{"term":{"user_name":{"value":"root" ; inFilter process where process_name in ("python.exe", "SMSS.exe", "explorer.exe") ; "terms":{"process_name":["python.exe","SMSS.exe","explorer.exe"], ; inFilterWithScripting process where substring(command_line, 5) in ("test*","best") ; {"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.in(InternalEqlScriptUtils.substring(X0,params.v1,params.v2),params.v3)))" "params":{"v0":"command_line","v1":5,"v2":null,"v3":["test*","best"]}} ; negatedInFilterWithScripting process where substring(command_line, 5) not in ("test*","best") ; {"script":{"script":{"source":"InternalQlScriptUtils.not(InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.in(InternalEqlScriptUtils.substring(X0,params.v1,params.v2),params.v3))))" "params":{"v0":"command_line","v1":5,"v2":null,"v3":["test*","best"]}} ; equalsAndInFilter process where process_path : "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3) ; "wildcard":{"process_path":{"wildcard":"*\\\\red_ttp\\\\wininit.*","case_insensitive":true,"boost":1.0}}}, {"terms":{"opcode":[0,1,2,3],"boost":1.0}} ; inFilterInsensitive process where process_name in~ ("test") ; "term":{"process_name":{"value":"test","case_insensitive":true} ; inFilterInsensitiveList process where process_name in~ ("test", "best") ; {"bool":{"should":[{"term" "term":{"process_name":{"value":"test","case_insensitive":true} "term":{"process_name":{"value":"best","case_insensitive":true} ; inFilterInsensitiveVerbatimMatch process where process_name in~ ("test*", "best") ; {"bool":{"should":[{"term" "term":{"process_name":{"value":"test*","case_insensitive":true} "term":{"process_name":{"value":"best","case_insensitive":true} ; inFilterInsensitiveWithScripting process where substring(command_line, 5) in~ ("test*", "best") ; {"bool":{"should":[{"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalEqlScriptUtils.seq(InternalEqlScriptUtils.substring(X0,params.v1,params.v2),params.v3)))" "params":{"v0":"command_line","v1":5,"v2":null,"v3":"test*"}} {"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalEqlScriptUtils.seq(InternalEqlScriptUtils.substring(X0,params.v1,params.v2),params.v3)))" "params":{"v0":"command_line","v1":5,"v2":null,"v3":"best"}} ; functionEqualsTrue process where cidrMatch(source_address, "10.0.0.0/8") == true ; {"bool":{"must":[{"term":{"event.category":{"value":"process"} {"terms":{"source_address":["10.0.0.0/8"] ; functionEqualsFalse process where cidrMatch(source_address, "10.0.0.0/8") == false ; {"bool":{"must":[{"term":{"event.category":{"value":"process"} {"bool":{"must_not":[{"terms":{"source_address":["10.0.0.0/8"] ; functionNotEqualsTrue process where cidrMatch(source_address, "10.0.0.0/8") != true ; {"bool":{"must":[{"term":{"event.category":{"value":"process"} {"bool":{"must_not":[{"terms":{"source_address":["10.0.0.0/8"] ; functionNotEqualsFalse process where cidrMatch(source_address, "10.0.0.0/8") != false ; {"bool":{"must":[{"term":{"event.category":{"value":"process"} {"terms":{"source_address":["10.0.0.0/8"] ; twoFunctionsEqualsBooleanLiterals-caseSensitive process where endsWith(process_path, "x") == true and endsWith(process_path, "yx") != true ; {"bool":{"must":[{"wildcard":{"process_path":{"wildcard":"*x","boost":1.0}}}, {"bool":{"must_not":[{"wildcard":{"process_path":{"wildcard":"*yx","boost":1.0}}}],"boost":1.0}} ; twoFunctionsEqualsBooleanLiterals-insensitive process where endsWith~(process_path, "x") == true and endsWith~(process_path, "yx") != true ; {"bool":{"must":[{"wildcard":{"process_path":{"wildcard":"*x","case_insensitive":true,"boost":1.0}}}, {"bool":{"must_not":[{"wildcard":{"process_path":{"wildcard":"*yx","case_insensitive":true,"boost":1.0}}}],"boost":1.0}} ; endsWithKeywordFieldFunction-caseSensitive process where endsWith(user_name, "c") ; {"bool":{"must":[{"term":{"event.category":{"value":"process"}}}, {"wildcard":{"user_name":{"wildcard":"*c","boost":1.0}}}],"boost":1.0}} ; endsWithWildcardSubFieldFunction-caseSensitive process where endsWith(hostname, "c") ; {"bool":{"must":[{"term":{"event.category":{"value":"process"}}}, {"wildcard":{"hostname.keyword":{"wildcard":"*c","boost":1.0}}}],"boost":1.0}} ; endsWithFunction-insensitive process where endsWith~(user_name, "c") ; {"bool":{"must":[{"term":{"event.category":{"value":"process"}}}, {"wildcard":{"user_name":{"wildcard":"*c","case_insensitive":true,"boost":1.0}}}],"boost":1.0}} ; fieldNoEquals process where bool ; {"bool":{"must":[ {"term":{"bool":{"value":true ; fieldNoEqualsInExpression process where length(file_name) > 0 and bool ; {"bool":{"must":[ {"term":{"bool":{"value":true ; fieldEqualsTrue process where bool == true ; {"bool":{"must":[ {"term":{"bool":{"value":true ; fieldEqualsFalse process where bool == false ; {"bool":{"must":[ {"term":{"bool":{"value":false ; fieldNotEqualsTrue process where bool != true ; {"bool":{"must_not":[ {"term":{"bool":{"value":true ; fieldNotEqualsFalse process where bool != false ; {"bool":{"must_not":[ {"term":{"bool":{"value":false ; lengthFunctionWithExactSubField process where length(file_name) > 0 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.gt(InternalEqlScriptUtils.length(X0),params.v1)))", "params":{"v0":"file_name.keyword","v1":0} ; lengthFunctionWithExactField process where 12 == length(user_name) ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalEqlScriptUtils.length(X0),params.v1)))", "params":{"v0":"user_name","v1":12} ; lengthFunctionWithConstantKeyword process where 5 > length(constant_keyword) ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.lt(InternalEqlScriptUtils.length(X0),params.v1)))", "params":{"v0":"constant_keyword","v1":5} ; startsWithFunction-insensitive process where startswith~(user_name, "A") ; {"bool":{"must":[{"term":{"event.category":{"value":"process"}}}, {"prefix":{"user_name":{"value":"A","case_insensitive":true,"boost":1.0}}}],"boost":1.0}} ; startsWithFunctionSimple-caseSensitive process where startsWith(user_name, "A") ; {"bool":{"must":[{"term":{"event.category":{"value":"process"}}}, {"prefix":{"user_name":{"value":"A","boost":1.0}}}],"boost":1.0}} ; startsWithFunctionWithCondition-caseSensitive process where startsWith(user_name, "A") or startsWith(user_name, "B") ; {"bool":{"must":[{"term":{"event.category":{"value":"process"}}}, {"bool":{"should":[{"prefix":{"user_name":{"value":"A","boost":1.0}}}, {"prefix":{"user_name":{"value":"B","boost":1.0}}}],"boost":1.0}}],"boost":1.0}} ; startsWithFunctionWithCondition-insensitive process where startswith~(user_name, "A") or startswith~(user_name, "B") ; {"bool":{"must":[{"term":{"event.category":{"value":"process"}}}, {"bool":{"should":[{"prefix":{"user_name":{"value":"A","case_insensitive":true,"boost":1.0}}}, {"prefix":{"user_name":{"value":"B","case_insensitive":true,"boost":1.0}}}],"boost":1.0}}],"boost":1.0}} ; stringContainsExactField-caseSensitive process where stringContains(process_name, "foo") ; {"bool":{"must":[{"term":{"event.category":{"value":"process"}}}, {"wildcard":{"process_name":{"wildcard":"*foo*","boost":1.0}}}],"boost":1.0}} ; stringContainsExactField-insensitive process where stringContains~(process_name, "foo") ; {"bool":{"must":[{"term":{"event.category":{"value":"process"}}}, {"wildcard":{"process_name":{"wildcard":"*foo*","case_insensitive":true,"boost":1.0}}}],"boost":1.0}} ; stringContainsExactSubField-caseSensitive process where stringContains(hostname, "foo") ; {"bool":{"must":[{"term":{"event.category":{"value":"process"}}}, {"wildcard":{"hostname.keyword":{"wildcard":"*foo*","boost":1.0}}}],"boost":1.0}} ; stringContains-insensitive process where stringContains~(process_name, "foo") ; {"bool":{"must":[{"term":{"event.category":{"value":"process"}}}, {"wildcard":{"process_name":{"wildcard":"*foo*","case_insensitive":true,"boost":1.0}}}],"boost":1.0}} ; stringContains-caseSensitive process where stringContains(process_name, "foo") ; {"bool":{"must":[{"term":{"event.category":{"value":"process"}}}, {"wildcard":{"process_name":{"wildcard":"*foo*","boost":1.0}}}],"boost":1.0}} ; stringFunction process where string(pid) : "123" ; {"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalEqlScriptUtils.seq(InternalEqlScriptUtils.string(X0),params.v1)))" "params":{"v0":"pid","v1":"123"}} ; indexOfFunction-caseSensitive process where indexOf(user_name, "A", 2) > 0 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.gt( InternalEqlScriptUtils.indexOf(X0,params.v1,params.v2,params.v3),params.v4)))", "params":{"v0":"user_name","v1":"A","v2":2,"v3":false,"v4":0} ; indexOfFunction-insensitive process where indexOf~(user_name, "A", 2) > 0 ; script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.gt( InternalEqlScriptUtils.indexOf(X0,params.v1,params.v2,params.v3),params.v4)))", "params":{"v0":"user_name","v1":"A","v2":2,"v3":true,"v4":0} ; substringFunction process where substring(file_name, -4) : ".exe" ; "script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalEqlScriptUtils.seq(InternalEqlScriptUtils.substring(X0,params.v1,params.v2),params.v3)))" "params":{"v0":"file_name.keyword","v1":-4,"v2":null,"v3":".exe"}} ; betweenFunction process where between(process_name, "s", "e") : "yst" ; {"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalEqlScriptUtils.seq(InternalEqlScriptUtils.between(X0,params.v1,params.v2,params.v3,params.v4),params.v5)))" "params":{"v0":"process_name","v1":"s","v2":"e","v3":false,"v4":false,"v5":"yst"}} ; betweenFunction-insensitive process where between~(process_name, "s", "e") : "yst" ; {"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalEqlScriptUtils.seq(InternalEqlScriptUtils.between(X0,params.v1,params.v2,params.v3,params.v4),params.v5)))" "params":{"v0":"process_name","v1":"s","v2":"e","v3":false,"v4":true,"v5":"yst"}} ; concatFunction process where concat(process_name, "::foo::", null, 1) : "net.exe::foo::1" ; "script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalEqlScriptUtils.seq(InternalEqlScriptUtils.concat([X0,params.v1,params.v2,params.v3]),params.v4)))" "params":{"v0":"process_name","v1":"::foo::","v2":null,"v3":1,"v4":"net.exe::foo::1"}} ; cidrMatchFunctionOne process where cidrMatch(source_address, "10.0.0.0/8") ; {"bool":{"must":[{"term":{"event.category":{"value":"process"} {"terms":{"source_address":["10.0.0.0/8"] ; cidrMatchFunctionOneBool process where cidrMatch(source_address, "10.0.0.0/8") == true ; {"bool":{"must":[{"term":{"event.category":{"value":"process"} {"terms":{"source_address":["10.0.0.0/8"] ; cidrMatchFunctionTwo process where cidrMatch(source_address, "10.0.0.0/8", "192.168.0.0/16") ; {"bool":{"must":[{"term":{"event.category":{"value":"process"} {"terms":{"source_address":["10.0.0.0/8","192.168.0.0/16"] ; cidrMatchFunctionTwoWithOr process where cidrMatch(source_address, "10.0.0.0/8") or cidrMatch(source_address, "192.168.0.0/16") ; {"bool":{"must":[{"term":{"event.category":{"value":"process"} {"bool":{"should":[{"terms":{"source_address":["10.0.0.0/8"],"boost":1.0}},{"terms":{"source_address":["192.168.0.0/16"],"boost":1.0}} ; cidrMatchFunctionThree process where cidrMatch(source_address, "10.0.0.0/8", "192.168.0.0/16", "2001:db8::/32") ; {"bool":{"must":[{"term":{"event.category":{"value":"process"} {"terms":{"source_address":["10.0.0.0/8","192.168.0.0/16","2001:db8::/32"] ; cidrMatchFunctionWrapped process where string(cidrMatch(source_address, "10.6.48.157/8")) : "true" ; {"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalEqlScriptUtils.seq(InternalEqlScriptUtils.string(InternalEqlScriptUtils.cidrMatch(X0,params.v1)),params.v2)))" "params":{"v0":"source_address","v1":["10.6.48.157/8"],"v2":"true"}} ; numberFunctionSingleArgument process where number(process_name) == 1 ; {"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalEqlScriptUtils.number(X0,params.v1),params.v2)))" "params":{"v0":"process_name","v1":null,"v2":1}} ; numberFunctionTwoFieldArguments process where number(process_name, pid) != null ; {"script":{"script":{"source":"InternalQlScriptUtils.not(InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalEqlScriptUtils.multiValueDocValues(doc,params.v1,X1->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.isNull(InternalEqlScriptUtils.number(X0,X1))))))" "params":{"v0":"process_name","v1":"pid"}} ; numberFunctionTwoArguments process where number(process_name, 16) != null ; {"script":{"script":{"source":"InternalQlScriptUtils.not(InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.isNull(InternalEqlScriptUtils.number(X0,params.v1)))))" "params":{"v0":"process_name","v1":16}} ; numberFunctionFoldedComparison process where serial_event_id == number("-32.5") ; {"term":{"serial_event_id":{"value":-32.5} ; numberFunctionFoldedHexComparison process where serial_event_id == number("0x32", 16) ; {"term":{"serial_event_id":{"value":50} ; addOperator process where serial_event_id + 2 == -2147483647 ; script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.add(X0,params.v1),params.v2)))", "params":{"v0":"serial_event_id","v1":2,"v2":-2147483647} ; addOperatorReversed process where 2 + serial_event_id == -2147483647 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.add(X0,params.v1),params.v2)))", "params":{"v0":"serial_event_id","v1":2,"v2":-2147483647} ; addFunction process where add(serial_event_id, 2) == -2147483647 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.add(X0,params.v1),params.v2)))", "params":{"v0":"serial_event_id","v1":2,"v2":-2147483647} ; addFunctionReversed process where add(2, serial_event_id) == -2147483647 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.add(X0,params.v1),params.v2)))", "params":{"v0":"serial_event_id","v1":2,"v2":-2147483647} ; divideOperator process where serial_event_id / 2 == 41 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.div(X0,params.v1),params.v2)))", "params":{"v0":"serial_event_id","v1":2,"v2":41} ; divideOperatorReversed process where 82 / serial_event_id == 41 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.div(params.v1,X0),params.v2)))", "params":{"v0":"serial_event_id","v1":82,"v2":41} ; divideFunction process where divide(serial_event_id, 2) == 41 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.div(X0,params.v1),params.v2)))", "params":{"v0":"serial_event_id","v1":2,"v2":41} ; divideFunctionReversed process where divide(82, serial_event_id) == 41 ; {"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.div(params.v1,X0),params.v2)))", "params":{"v0":"serial_event_id","v1":82,"v2":41} ; moduloOperator process where serial_event_id % 2 == 41 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.mod(X0,params.v1),params.v2)))", "params":{"v0":"serial_event_id","v1":2,"v2":41} ; moduloOperatorReversed process where 42 % serial_event_id == 41 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.mod(params.v1,X0),params.v2)))", "params":{"v0":"serial_event_id","v1":42,"v2":41} ; moduloFunction process where modulo(serial_event_id, 2) == 41 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.mod(X0,params.v1),params.v2)))", "params":{"v0":"serial_event_id","v1":2,"v2":41} ; moduloFunctionReversed process where modulo(42, serial_event_id) == 41 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.mod(params.v1,X0),params.v2)))", "params":{"v0":"serial_event_id","v1":42,"v2":41} ; multiplyOperator process where serial_event_id * 2 == 41 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.mul(X0,params.v1),params.v2)))", "params":{"v0":"serial_event_id","v1":2,"v2":41} ; multiplyOperatorReversed process where 2 * serial_event_id == 41 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.mul(X0,params.v1),params.v2)))", "params":{"v0":"serial_event_id","v1":2,"v2":41} ; multiplyFunction process where multiply(serial_event_id, 2) == 41 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.mul(X0,params.v1),params.v2)))", "params":{"v0":"serial_event_id","v1":2,"v2":41} ; multiplyFunctionReversed process where multiply(2, serial_event_id) == 41 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.mul(X0,params.v1),params.v2)))", "params":{"v0":"serial_event_id","v1":2,"v2":41} ; subtractOperator process where serial_event_id - 2 == 2147483647 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.sub(X0,params.v1),params.v2)))", "params":{"v0":"serial_event_id","v1":2,"v2":2147483647} ; subtractOperatorReversed process where 43 - serial_event_id == -2147483647 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.sub(params.v1,X0),params.v2)))", "params":{"v0":"serial_event_id","v1":43,"v2":-2147483647} ; subtractFunction process where subtract(serial_event_id, 2) == 2147483647 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.sub(X0,params.v1),params.v2)))", "params":{"v0":"serial_event_id","v1":2,"v2":2147483647} ; subtractFunctionReversed process where subtract(43, serial_event_id) == -2147483647 ; "script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0, X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.sub(params.v1,X0),params.v2)))", "params":{"v0":"serial_event_id","v1":43,"v2":-2147483647} ; eventQueryDefaultLimit process where true ; "size":10, ; eventQueryWithHead process where true | head 5 ; "size":5, ; eventQueryWithTail process where true | tail 5 ; "size":5, ; eventQueryWithHeadAndTail process where true | tail 10 | head 7 ; "size":7, ; // // like and regex // likeSingleArgNoPattern process where command_line like "net.exe" ; "term":{"command_line":{"value":"net.exe"} ; likeSingleArgNoPatternInsensitive process where command_line like~ "net.exe" ; "term":{"command_line":{"value":"net.exe","case_insensitive":true} ; likeSingleArg process where command_line like "n*t.exe" ; "wildcard":{"command_line":{"wildcard":"n*t.exe","boost":1.0} ; likeSingleArgInsensitive process where command_line like~ "n*t.exe" ; "wildcard":{"command_line":{"wildcard":"n*t.exe","case_insensitive":true,"boost":1.0} ; likeMultiArg process where command_line like ("n?t.e?e", "net.*") ; {"bool":{"should":[{"wildcard" "wildcard":{"command_line":{"wildcard":"n?t.e?e","boost":1.0} "wildcard":{"command_line":{"wildcard":"net.*","boost":1.0} ; likeMultiArgInsensitive process where command_line like~ ("n?t.e?e", "net.*") ; {"bool":{"should":[{"wildcard" "wildcard":{"command_line":{"wildcard":"n?t.e?e","case_insensitive":true,"boost":1.0} "wildcard":{"command_line":{"wildcard":"net.*","case_insensitive":true,"boost":1.0} ; likeMultiArgWithScript process where substring(command_line, 5) like ("net.e*", "net.e?e") ; {"bool":{"should":[{"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.regex(InternalEqlScriptUtils.substring(X0,params.v1,params.v2),params.v3)))" "params":{"v0":"command_line","v1":5,"v2":null,"v3":"^net\\.e.*$"}} {"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.regex(InternalEqlScriptUtils.substring(X0,params.v1,params.v2),params.v3)))" "params":{"v0":"command_line","v1":5,"v2":null,"v3":"^net\\.e.e$"}} ; likeMultiArgWithScriptInsensitive process where substring(command_line, 5) like~ ("net.e*", "net.e?e") ; {"bool":{"should":[{"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.regex(InternalEqlScriptUtils.substring(X0,params.v1,params.v2),params.v3,params.v4)))" "params":{"v0":"command_line","v1":5,"v2":null,"v3":"^net\\.e.*$","v4":true}} {"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.regex(InternalEqlScriptUtils.substring(X0,params.v1,params.v2),params.v3,params.v4)))" "params":{"v0":"command_line","v1":5,"v2":null,"v3":"^net\\.e.e$","v4":true}} ; regexSingleArgNoPattern process where command_line regex "net\\.exe" ; "term":{"command_line":{"value":"net.exe"} ; regexSingleArgNoPatternInsensitive process where command_line regex~ "net\\.exe" ; "term":{"command_line":{"value":"net.exe","case_insensitive":true} ; regexSingleArg process where command_line regex "^.*?net.exe" ; "regexp":{"command_line":{"value":"^.*?net.exe", ; regexSingleArgInsensitive process where command_line regex~ "^.*?net.exe" ; "regexp":{"command_line":{"value":"^.*?net.exe","flags_value":65791,"case_insensitive":true ; regexMultiArg process where command_line regex ("^.*?net.exe", "net\\.exe") ; "regexp":{"command_line":{"value":"^.*?net.exe|net\\.exe" ; regexMultiArgInsensitive process where command_line regex~ ("^.*?net.exe", "net\\.exe") ; "regexp":{"command_line":{"value":"^.*?net.exe|net\\.exe","flags_value":65791,"case_insensitive":true ; regexMultiMultiArgVariant process where command_line regex ("^.*?net.exe", "net\\.exe", "C:\\\\Windows\\\\system32\\\\net1\\s+") ; "regexp":{"command_line":{"value":"^.*?net.exe|net\\.exe|C:\\\\Windows\\\\system32\\\\net1\\s+" ; regexMultiMultiArgVariantInsensitive process where command_line regex~ ("^.*?net.exe", "net\\.exe", "C:\\\\Windows\\\\system32\\\\net1\\s+") ; "regexp":{"command_line":{"value":"^.*?net.exe|net\\.exe|C:\\\\Windows\\\\system32\\\\net1\\s+","flags_value":65791,"case_insensitive":true ; regexMultiArgWithScript process where substring(command_line, 5) regex ("^.*?net.exe", "net\\.exe", "C:\\\\Windows\\\\system32\\\\net1\\s+") ; {"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.regex(InternalEqlScriptUtils.substring(X0,params.v1,params.v2),params.v3)))" "params":{"v0":"command_line","v1":5,"v2":null,"v3":"^.*?net.exe|net\\.exe|C:\\\\Windows\\\\system32\\\\net1\\s+"}} ; regexMultiArgWithScriptInsensitive process where substring(command_line, 5) regex~ ("^.*?net.exe", "net\\.exe", "C:\\\\Windows\\\\system32\\\\net1\\s+") ; {"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.regex(InternalEqlScriptUtils.substring(X0,params.v1,params.v2),params.v3,params.v4)))" "params":{"v0":"command_line","v1":5,"v2":null,"v3":"^.*?net.exe|net\\.exe|C:\\\\Windows\\\\system32\\\\net1\\s+","v4":true}} ; conjunctionOfLengthFunctions process where length(file_name) > 0 and length(process_name) <= 0 ; {"bool":{"must":[{"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.gt(InternalEqlScriptUtils.length(X0),params.v1)))" "params":{"v0":"file_name.keyword","v1":0}} {"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.lte(InternalEqlScriptUtils.length(X0),params.v1)))" "params":{"v0":"process_name","v1":0}} ; disjunctionOfLengthFunctions process where length(file_name) > 0 or length(process_name) <= 0 ; {"bool":{"should":[{"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.gt(InternalEqlScriptUtils.length(X0),params.v1)))" "params":{"v0":"file_name.keyword","v1":0}} {"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.lte(InternalEqlScriptUtils.length(X0),params.v1)))" "params":{"v0":"process_name","v1":0}} ; conjunctionOfMultiFieldsFunctions process where concat(file_name, ".", process_name) == "foo" and add(pid, ppid) > 100 ; {"bool":{"must":[{"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalEqlScriptUtils.multiValueDocValues(doc,params.v1,X1->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalEqlScriptUtils.concat([X0,params.v2,X1]),params.v3))))" "params":{"v0":"file_name.keyword","v1":"process_name","v2":".","v3":"foo"}} {"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalEqlScriptUtils.multiValueDocValues(doc,params.v1,X1->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.gt(InternalQlScriptUtils.add(X0,X1),params.v2))))" "params":{"v0":"pid","v1":"ppid","v2":100}} ; disjunctionOfMultiFieldsFunctions process where concat(file_name, ".", process_name) == "foo" or add(pid, ppid) > 100 ; {"bool":{"should":[{"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalEqlScriptUtils.multiValueDocValues(doc,params.v1,X1->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalEqlScriptUtils.concat([X0,params.v2,X1]),params.v3))))" "params":{"v0":"file_name.keyword","v1":"process_name","v2":".","v3":"foo"}} {"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalEqlScriptUtils.multiValueDocValues(doc,params.v1,X1->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.gt(InternalQlScriptUtils.add(X0,X1),params.v2))))" "params":{"v0":"pid","v1":"ppid","v2":100}} ; // the conjunction will be applied on different values of the multi-value field conjunctionOfSameFieldSameFunction process where length(file_name) > 5 and length(file_name) < 10 ; {"bool":{"must":[{"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.gt(InternalEqlScriptUtils.length(X0),params.v1)))" "params":{"v0":"file_name.keyword","v1":5}} {"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.lt(InternalEqlScriptUtils.length(X0),params.v1)))" "params":{"v0":"file_name.keyword","v1":10}} ; // the disjunction will be applied on different values of the multi-value field disjunctionOfSameFieldSameFunction process where length(file_name) > 5 or length(file_name) < 10 ; {"bool":{"should":[{"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.gt(InternalEqlScriptUtils.length(X0),params.v1)))" "params":{"v0":"file_name.keyword","v1":5}} {"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.lt(InternalEqlScriptUtils.length(X0),params.v1)))" "params":{"v0":"file_name.keyword","v1":10}} ; isNullInScript process where null == (exit_code > -1) ; {"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.isNull(InternalQlScriptUtils.gt(X0,params.v1))))" "params":{"v0":"exit_code","v1":-1}} ; isNull process where pid != null ; "must":[{"term":{"event.category":{"value":"process"}}},{"exists":{"field":"pid","boost":1.0}}] ; disjunctionOfFunctionAndNegatedFunction process where not (length(user) == 1) and length(user) == 1 ; {"bool":{"must":[{"script":{"script":{"source":"InternalQlScriptUtils.not(InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalEqlScriptUtils.length(X0),params.v1))))" "params":{"v0":"user","v1":1}} {"script":{"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalEqlScriptUtils.length(X0),params.v1)))" "params":{"v0":"user","v1":1}} ; twoRangesOnASingleField // in a multi-value fields scenario where we want different values of the same field to obey the two conditions we need to use // two range queries, because a single range query will apply the two conditions on the same value of the multi-value field. process where pid > 100 and pid < 200 ; {"bool":{"must":[{"range":{"pid":{"gt":100 {"range":{"pid":{"lt":200 ; // this type of query (disjunction/conjunction inside a function where one of the conditions is negated) is currently unsupported because // the "not" has an undefined location of where it should be used in the Painless script // disjunctionInsideFunctionWithNot // process where string(pid > 5 and pid != 10) == \"true\" versionFieldAutomaticConversion process where version > "2" ; {"range":{"version":{"gt":"2" ; versionFieldCast process where CONCAT(version, constant_keyword) > "2" ; {"script":{"source":"InternalEqlScriptUtils.multiValueDocValues(doc,params.v0,X0->InternalEqlScriptUtils.multiValueDocValues(doc,params.v1,X1->InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.gt(InternalEqlScriptUtils.concat([X0,X1]),params.v2))))" "params":{"v0":"version","v1":"constant_keyword","v2":"2"}} ;