Supported EQL syntax for advanced query
Syntax help
The syntax help pane on Aurora Focus > Advanced Query lists the available Aurora Focus event classes and their associated artifacts, types, categories, and subcategories. As you type, syntax options and validation messages will display to help you build your query.
EQL query format
Aurora Focus EQL queries use the following format for a basic query:
<event class> where <event/artifact>.<facet> == <value>A query searches for events that are related to artifacts, so you need to use the relevant event class in your query.
The where clause can filter the results based on the event.type, event.category, event.subcategory, or artifact.facet values.
You can use or or and to combine multiple filter clauses.
Match any event class
You can use any for the event class, which maps to all available event classes.
Escape an event class
To escape event classes that contain a special character (for example, a hyphen or period), contain a space, or start with a numeral, use enclosing quotation marks (") or three enclosing quotation marks (""").
Escape a field name
To escape field names that contain a hyphen, space, or start with a numeral, use enclosing backticks (`). Use double backticks (``) to escape any backticks (`) in the field name.
Escape a value
If you use a special character in a value, including a quotation mark or a backslash, it must be escaped with a preceding a backslash (for example, \” for a quotation mark, \\ for a backslash).
Conditions
A condition consists of one or more criteria that an event must match. You can specify and combine criteria with the operators described in the following sections.
Comparison operators
|
Operator |
Description |
|---|---|
|
< |
This operator returns true if the value to the left of the operator is less than the value to the right. Otherwise, it returns false. |
|
<= |
This operator returns true if the value to the left of the operator is less than or equal to the value to the right. Otherwise, it returns false. |
|
== |
This operator returns true if the values to the left and right of the operator are equal. Otherwise, it returns false. Wildcards are not supported. |
|
: |
This operator returns true if strings to the left and right of the operator are equal. Otherwise, it returns false. Can be used to compare strings only. |
|
!= |
This operator returns true if the values to the left and right of the operator are not equal. Otherwise, it returns false. Wildcards are not supported. Note that NULL values are also filtered from the results (you can use == NULL to see the NULL results). |
|
>= |
This operator returns true if the value to the left of the operator is greater than or equal to the value to the right. Otherwise, it returns false. When comparing strings, the operator uses a case-sensitive lexicographic order. |
|
> |
This operator returns true if the value to the left of the operator is greater than the value to the right. Otherwise, it returns false. When comparing strings, the operator uses a case-sensitive lexicographic order. |
= is not supported as an equal operator. Use == or : instead.
Pattern comparison keywords
|
Operator |
Description |
|---|---|
|
like |
This operator returns true if the string to the left of the keyword matches the string to the right (case-sensitive). It supports list lookups (see lookup operators below) and can be used to compare strings only. For case-insensitive matching, use like~. |
|
regex |
This operator returns true if the string to the left of the keyword matches a regular expression to the right (see Regular expression syntax). It supports list lookups and can be used to compare strings only. For case-insensitive matching, use regex~. |
my_field like "VALUE*" // case-sensitive wildcard matching
my_field like~ "value*" // case-insensitive wildcard matching
my_field regex "VALUE[^Z].?" // case-sensitive regex matching
my_field regex~ "value[^z].?" // case-insensitive regex matchingLimitations for comparisons
You can’t chain comparisons. Use a logical operator between comparisons instead (see the logical operators section below).
For example, foo < bar <= baz is not supported but foo < bar and bar <= baz is supported.
You cannot compare a field to another field, even if the fields are changed using a function.
The following query is not valid because it compares the process.parent.name field value to the process.name field:
process where process.parent.name == "foo" and process.parent.name == process.nameThe following query is valid because it compares both the process.parent.name and process.name fields to static values:
process where process.parent.name == "foo" and process.name == "foo"Logical operators
|
Operator |
Description |
|---|---|
|
and |
This operator returns true only if the condition to the left and right both return true. Otherwise, it returns false. |
|
or |
This operator returns true if one of the conditions to the left or right are true. Otherwise, it returns false. |
|
not |
This operator returns true if the condition to the right is false. |
Lookup operators
|
Operator |
Description |
|---|---|
|
in |
This operator returns true if the value is contained in the provided list (case-sensitive). For case-insensitive matching, use in~. |
|
not in |
This operator returns true if the value is not contained in the provided list (case-sensitive). For case-insensitive matching, use not in~. |
|
: |
This operator returns true if the string is contained in the provided list. It can be used to compare strings only. |
|
like |
This operator returns true if the string matches a string in the provided list (case-sensitive). It can be used to compare strings only. For case-insensitive matching, use like~. |
|
regex |
This operator returns true if the string matches a regular expression pattern in the provided list (see Regular expression syntax). It can be used to compare strings only. For case-insensitive matching, use regex~. |
my_field in ("Value-1", "VALUE2", "VAL3") // case-sensitive
my_field in~ ("value-1", "value2", "val3") // case-insensitive
my_field not in ("Value-1", "VALUE2", "VAL3") // case-sensitive
my_field not in~ ("value-1", "value2", "val3") // case-insensitive
my_field : ("value-1", "value2", "val3") // case-insensitive
my_field like ("Value-*", "VALUE2", "VAL?") // case-sensitive
my_field like~ ("value-*", "value2", "val?") // case-insensitive
my_field regex ("[vV]alue-[0-9]", "VALUE[^2].?", "VAL3") // case-sensitive
my_field regex~ ("value-[0-9]", "value[^2].?", "val3") // case-insensitiveMatch any condition
Use the where true condition to match events solely on event category. For example, the following query matches any file events:
file where trueTo match any event, you can combine the any keyword with the where true condition:
any where true