Endgame Announces Public Availability of Event Query Language (EQL)
Release provides a unified language, schema, and accompanying repository for security analytics including Atomic Blue, a curated set of EQL logic built in collaboration with our partners at Red Canary
Endgame, the leader in unified endpoint protection against targeted attacks, today announced the public availability of EQL, a high-level, extensible query language that enables detection and threat hunting against real-world attacks aligned to the MITRE ATT&CK™ matrix. EQL has been released as open source to support security practitioners and to encourage sharing and collaboration.
The release provides the core EQL language; a schema mapping for Sysmon, the free tool most commonly used by security teams to generate telemetry from Windows endpoints; and an extensive set of analytics, including Atomic Blue. Atomic Blue is a curated set of EQL logic that detects the events generated when Atomic Red Team tests are executed.
“We built EQL from the ground up to be universal, apply to multiple use cases, and avoid reliance on any particular architecture,” said Mark Dufresne, VP of Research at Endgame. “While EQL is part of the core technology that drives our endpoint security product, it can be extended to any security dataset.”
Advancing the collective understanding of threats and of appropriate defenses is essential to combating today's security issues, but the lack of a common language for describing detection logic limits that understanding. Most existing IOC and behavioral search tools are cumbersome, proprietary, and unintuitive. EQL expresses sophisticated questions in a familiar syntax, limiting the learning curve for users while preserving functionality. Capabilities necessary for detection and defense are built in: stateful queries, identification of event sequences, process ancestry tracking, joining multiple data sources, and simple stacking and filtering.
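To make the capabilities listed above concrete, the following queries are an added illustration written for this page; they are not analytics from the EQL or Atomic Blue repositories. They use the event types and field names documented in the public EQL schema (process_name, parent_process_name, unique_pid, subtype.create, destination_port); whether those names match a given deployment's Sysmon mapping is an assumption the reader should confirm against the released schema.

```eql
// 1. Stacking and filtering: enumerate distinct child processes spawned by
//    Office applications, so rare or unexpected children stand out.
process where subtype.create and
  parent_process_name in ("winword.exe", "excel.exe", "powerpnt.exe")
| unique process_name, parent_process_name

// 2. Process ancestry tracking: flag cmd.exe anywhere beneath an Office
//    process, even when an intermediate parent (e.g. a script host) sits
//    between them. "descendant of" walks the full process tree.
process where subtype.create and process_name == "cmd.exe" and
  descendant of [process where process_name in ("winword.exe", "excel.exe")]

// 3. Stateful event sequence: a PowerShell process that opens an outbound
//    connection on port 443 within 30 seconds of starting, correlated by
//    the same unique process id across two different event types.
sequence by unique_pid with maxspan=30s
  [process where subtype.create and process_name == "powershell.exe"]
  [network where destination_port == 443]
```

Query 1 is the kind of stacking analysts use for hunting rather than alerting: it produces a frequency-style view to triage, not a detection on its own. Queries 2 and 3 are shaped like Atomic Blue analytics, pairing a parent/child relationship or a time-bounded sequence with the ATT&CK technique it evidences, and each would be tuned to the environment's baseline before being promoted to an alert.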
“Red Canary launched Atomic Red Team with the goal of making it easy for security teams to understand and test adversary techniques cataloged by ATT&CK. It is very exciting to see Endgame take the same approach to helping the security community improve detection and, ultimately, security outcomes. This comes with the same benefits that we’ve seen from ATT&CK, including a decrease in time spent on taxonomy and an increase in collaboration and pace of improvement,” said Casey Smith, Director of Applied Research at Red Canary.
Endgame plans to release additional data and analytics, as well as support for additional data sources and technologies in the coming weeks and months.
“We look forward to feedback and contributions from the community. We strongly believe that we are collectively lacking a good way to describe detection logic universally across datasets, and EQL is a start at addressing this limitation,” added Mark Dufresne, VP of Research at Endgame.