archives

New DSL for secueity

Hello,thought I’d share a new DSL by endgame life querying security logs : https://www.endgame.com/blog/technical-blog/introducing-event-query-language

It is meant to help reason about security events. Best illustrated in this example:

What files were created by non-system users, first ran as a non-system process, and later ran as a system-level process within an hour?
sequence with maxspan=1h [file where event_subtype_full=="file_create_event" and user_name!="SYSTEM"] by file_path [process where user_name!="SYSTEM"] by process_path [process where user_name=="SYSTEM"] by process_path
While I could easily see how this can be expressed as SQL instead and perhaps backends do do that, I think it helps analyst to think about logic rather than data.

I think that there is a lot of improvement that can be had in. languages that help reason about (time) series and it’s a welcome addition to the DSL family.

By True Konrads at 2018-06-05 23:31 | LtU Forum | login or register to post comments | other blogs | 3029 reads

Lambda the Ultimate

User login

Navigation

New DSL for secueity

Browse archives

Active forum topics

New forum topics

Recent comments