The format is based on Keep a Changelog.
Released 2023-10-31
- Support for missing events feature used in Elasticsearch sequence queries
- Added IPv6 support for CidrMatch
- Removed the regex support for testing CidrMatch in favor of the native ipaddress module testing
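As an added example (not the eql library's own code) of the ipaddress-based check the entries above describe: a cidrMatch-style predicate that covers IPv4 and IPv6 without any regex, and treats a missing or malformed address as null rather than raising. The function names, the `strict=False` handling of host bits and the null-on-bad-input behaviour are assumptions, not documented eql behaviour.

```python
import ipaddress
from typing import List, Optional, Sequence, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_cidrs(cidrs: Sequence[str]) -> List[IPNetwork]:
    """Parse the CIDR arguments once, up front.

    strict=False accepts a range written with host bits set (10.0.0.5/8)
    and normalises it to 10.0.0.0/8 (assumption about how to treat such
    input). A bare address such as "::1" becomes a /128 (or /32) network.
    """
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def cidr_match(value: Optional[str], networks: Sequence[IPNetwork]) -> Optional[bool]:
    """Return True if `value` lies inside any of `networks`.

    Three-valued result (assumption): a missing or unparsable address yields
    None (null) instead of raising, so one malformed field does not abort
    the whole query. IPv4 and IPv6 never match each other; ipaddress checks
    the address version itself, so neither family needs a regex. Note that an
    IPv4-mapped literal such as ::ffff:10.1.2.3 parses as IPv6 and therefore
    does not match an IPv4 range; unwrap addr.ipv4_mapped first if your logs
    contain them.
    """
    if value is None:
        return None
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    return any(addr.version == net.version and addr in net for net in networks)


if __name__ == "__main__":
    # constructed sample: an allow-list of private ranges, mixed IPv4/IPv6
    trusted = parse_cidrs(["10.0.0.0/8", "192.168.1.0/24", "2001:db8::/32"])
    for ip in ["10.1.2.3", "192.168.2.1", "2001:db8:abcd::1", "::ffff:10.1.2.3", "bad", None]:
        print(f"{ip!r}: {cidr_match(ip, trusted)}")
```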
Released 2023-09-01
- Support for sample base query type for Elasticsearch queries
Released 2023-08-02
- Support for runs count field on the first subquery
- Makefile install command
Released 2023-07-27
- Support for nested field validation within the arraySearch function
Released 2022-10-11
- Bug where `as` fields overlapped the `as` keyword
Released 2022-09-16
- Support for sequence `alias` syntax if the Endpoint flag is enabled
Released 2022-05-25
- Update `lark-parser` dependency to ~=0.12.0
Released 2022-03-15
- Support for `?` optional field syntax if the Elasticsearch flag is enabled
- Support for repeated sequences if the Elasticsearch flag is enabled
Released 2021-09-22
- Support for `\u{...}` unicode escape sequences in `"`-style strings
Released 2021-08-24
- Endpoint `$variable` syntax, behind parser flag
Released 2021-02-22
- Elasticsearch `like`/`like~` syntax, behind parser flag
- Elasticsearch `regex`/`regex~` syntax, behind parser flag
- Elasticsearch insensitive function syntax `function~(...)`, behind parser flag
Released 2021-01-14
- Optimization to combine adjacent `wildcard()` calls over the same field
Released 2020-12-01
- Support for extending attributes within macros
Released 2020-11-24
- Elasticsearch insensitive wildcard `:` syntax to support lists and wildcards, behind parser flag
Released 2020-10-20
- Toggle to parse with Elasticsearch syntax
- Parser rule for method syntax. No whitespace is allowed between the `:` and the opening `(`
Released 2020-07-27
- Uncaught exception when macros return a field
Released 2020-07-07
- Internal toggle to turn off case insensitivity
- Additional tests to handle case sensitive and insensitive modes
Released 2020-05-29
- Removed invalid index into empty array for `UniqueCountPipe.output_schemas` with custom walkers
Released 2020-05-28
- `case_sensitive` parameter to `between`
Released 2020-05-18
- Support for escaped identifiers in fields using `backtick` syntax
- Implemented three-value logic for boolean and null handling
- Migrate python tests to TOML files
- Optimization rule for inverting comparisons (`not (x <= y)` ==> `x > y`)
- (Internal) AST nodes for `IsNull`/`IsNotNull`
- (Internal) Changed the type system to use TypeHint/TypeFoldCheck/NodeInfo instead of tuples
- Treat wildcards the same on the left and right side of `==` or `!=`
- Removed forced float division (now `3 / 2` ==> `1` instead of `1.5`)
- Made `<`, `<=`, `>=`, `>` perform case-insensitive string comparisons
- Boolean optimizations: `x and true and y` is correctly converted to `x and y`
- DeMorgan logic for expanding `not` nodes
- Deprecated sequence units besides `d`, `h`, `m`, `s`, `ms`
- Fractional sequence intervals
- Requirements.txt moved into `setup.py`
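The rewrite rules listed in this release (comparison inversion, DeMorgan expansion of `not`, and boolean identity/absorption such as `x and true and y` ==> `x and y`), carried out on a small constructed AST as an added example; this is not eql's own optimizer or node classes, and the node names and the `optimize` function are assumptions. Each rule is chosen so that it remains correct under the three-valued (true/false/null) logic the same release introduced.

```python
from dataclasses import dataclass

# Minimal AST constructed for this example (not eql's own node classes).
@dataclass(frozen=True)
class Field: name: str
@dataclass(frozen=True)
class Const: value: object
@dataclass(frozen=True)
class Cmp: op: str; left: object; right: object
@dataclass(frozen=True)
class Not: node: object
@dataclass(frozen=True)
class And: terms: tuple
@dataclass(frozen=True)
class Or: terms: tuple

# Inversion is exact under three-valued logic: if either side is null, both
# `not (x <= y)` and `x > y` evaluate to null, so the rewrite changes nothing.
INVERT = {"<=": ">", "<": ">=", ">=": "<", ">": "<=", "==": "!=", "!=": "=="}

def optimize(node):
    """Apply the rewrite rules bottom-up and return an equivalent node."""
    if isinstance(node, Not):
        inner = optimize(node.node)
        if isinstance(inner, Cmp):  # not (x <= y) ==> x > y
            return Cmp(INVERT[inner.op], inner.left, inner.right)
        if isinstance(inner, And):  # DeMorgan: not (a and b) ==> not a or not b
            return optimize(Or(tuple(Not(t) for t in inner.terms)))
        if isinstance(inner, Or):  # DeMorgan: not (a or b) ==> not a and not b
            return optimize(And(tuple(Not(t) for t in inner.terms)))
        if isinstance(inner, Not):  # not not x ==> x (holds for null too)
            return inner.node
        return Not(inner)
    if isinstance(node, (And, Or)):
        is_and = isinstance(node, And)
        identity, absorber = (True, False) if is_and else (False, True)
        terms = []
        for term in node.terms:
            term = optimize(term)
            if isinstance(term, Const) and term.value is identity:
                continue  # x and true and y ==> x and y
            if isinstance(term, Const) and term.value is absorber:
                return term  # x and false ==> false, even when x is null
            terms.append(term)
        if not terms:
            return Const(identity)
        if len(terms) == 1:
            return terms[0]
        return And(tuple(terms)) if is_and else Or(tuple(terms))
    return node  # fields, constants and comparisons are leaves
```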
Released 2020-04-24
- Regular expressions generated by CidrMatch create non-capturing groups
Released 2020-04-23
- Function `eql.utils.get_query_type`
- Function `eql.utils.get_required_event_types`
- Function `eql.utils.uses_ancestry`
Released 2020-04-06
- Made missing `where` raise an `EqlSyntaxError` instead of an `EqlSemanticError`
Released 2020-03-18
- `Walker` auto-recursion on BaseNode
Released 2020-03-18
- `skip_optimizations` toggle to disable optimizations when parsing
- Moved optimization methods to `Optimizer` class.
Released 2020-03-11
- `CidrMatch.run` signature for `cidrMatch` optimization
Released 2020-01-13
- Restored missing text from semantic error messages
Released 2020-01-09
- Correctly load definitions/schema with `eql.build.get_engine`
Released 2019-11-01
- Method syntax
- Mathematical operators `+`, `-`, `*`, `/`, `%`
- Documentation for `match()` function
- `between()` function for extracting the first substring between two strings
- `cidrMatch()` function and several helper methods for subnet matching and regex building
- `extract_query_terms` to extract the original text for each event in a query
- Parser from TatSu to Lark
- Examples for sequences in the Implementation Details page
- Compatibility for `eql shell` with Python 2.7
Released 2019-07-24
- Badges to README (PyPi, Twitter, ReadTheDocs, Gitter)
- Multiple values within `arrayContains()` function
- `arrayCount` function for counting the number of matches in an array
- Interactive shell with tables
- Validation system that matches types across schema and comparisons
- `SignatureMixin` class used to validate input and output arguments to functions, and pipes
- Better error messages with multiple carets
- Base class for all EQL errors
- Test data, queries, and the expected output for unit tests
- Signature base class
- Helper `Walker` classes with better methods and context for AST traversal
- `ParserConfig` class with context manager that toggles thread-specific parser settings
- Additional imports to the root `eql` module
- Autogenerated parser with `make parser` included in python module
- `is_stateful` function to `eql.utils` to determine if a parsed query is stateful
- `match_kv` function to `eql.utils` to autogenerate an AST from a dictionary of fields -> value(s)
- Rearranged imports, `eql.engines.native` is now `eql.engine`
- Using walker methods instead of NodeMethods to integrate with engine
- Moved function call evaluation to custom classes in `eql.functions`
- Moved highlighter from sphinx document generation to `eql.highlighters`
- Moved PipeCommand subclasses to `eql.pipes`
- Exception class names to all have Eql prefix
- Moved unit tests to `eql.tests` module and rearranged tests
- Implementation of `by` for sequences, joins and pipes to perform case-insensitive checks
- Bug where wildcards were only matched on the first line of text in a field
- Default EQL schema. Now accepts all input and event types by default
Released 2019-04-17
- @itsnotapt Made `pid` and `ppid` fields configurable
Released 2018-12-13
- Broken implementation of streaming .jsonl files
Released 2019-12-05
- Support for gzipped files
Initial Release 2018-11-30
- EQL parser with Tatsu
- Evaluation engine in `eql.engines.native`
- Macro and constants for preprocessors
- `eql` CLI command for querying against a JSON file
- Security schema by default (`file`, `network`, `process`, etc.)