EQL’s highway to shell
Blog post from Elastic
In July 2019, Paul Ewing and Ross Wolf discussed recent advancements in the Event Query Language (EQL), a language and toolset developed by Endgame for expressing relationships between events in security data. That summer EQL was presented at conferences including Circle City Con and BSides San Antonio, with a joint presentation with Red Canary planned for Black Hat USA. New updates to EQL include an interactive shell that makes data exploration easier with features such as syntax highlighting, tab completion, and the ability to export results to CSV. EQL's Analytics Library also grew by more than 60 analytics, each mapped to MITRE ATT&CK™ techniques, which help enrich and contextualize security data and are meant to help analysts distinguish benign from potentially malicious activity. Query validation was improved as well: errors are detected and reported as a query is entered, rather than only when it is run. Endgame encourages community collaboration and has streamlined its contribution process, inviting users to engage via Gitter, Twitter, and GitHub.
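As an added illustration of the kind of relationship between events that EQL expresses, the query below is an example written for this summary; it is not a query from the post or from the EQL Analytics Library. It uses a `sequence` to tie a process creation event to a later network event from the same process. The field names (`subtype.create`, `process_name`, `unique_pid`, `destination_port`) follow the Endgame event schema that EQL's original documentation used; the five minute window, the process names and the port are illustrative choices, not a published analytic.

```eql
// Constructed example: a scripting host that opens an outbound SMB
// connection within five minutes of starting. Both subqueries are joined
// on unique_pid, so the sequence only matches when the network event comes
// from the very process that the first subquery saw being created.
// Illustrative values: the process list, port 445 and the 5m window are
// assumptions chosen for this example.
sequence by unique_pid with maxspan=5m
  [process where subtype.create and process_name in ("powershell.exe", "wscript.exe", "cscript.exe")]
  [network where destination_port == 445]
```

The join key is what turns two independent event streams into a relationship: without `by unique_pid`, any matching network event on the host would satisfy the second subquery. In the interactive shell described above, the matched sequences can be exported to CSV for triage.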