|  | @@ -0,0 +1,46 @@
 | 
	
		
			
				|  |  | +[role="xpack"]
 | 
	
		
			
				|  |  | +[testenv="basic"]
 | 
	
		
			
				|  |  | +[[eql-search]]
 | 
	
		
			
				|  |  | +== Run an EQL search
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +experimental::[]
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +To start using EQL in {es}, first ensure your event data meets
 | 
	
		
			
				|  |  | +<<eql-requirements,EQL requirements>>. Then ingest or add the data to an {es}
 | 
	
		
			
				|  |  | +index.
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +The following <<docs-bulk,bulk API>> request adds some example log data to the
 | 
	
		
			
				|  |  | +`sec_logs` index. This log data follows the {ecs-ref}[Elastic Common Schema
 | 
	
		
			
				|  |  | +(ECS)].
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +[source,console]
 | 
	
		
			
				|  |  | +----
 | 
	
		
			
				|  |  | +PUT sec_logs/_bulk?refresh
 | 
	
		
			
				|  |  | +{"index":{"_index" : "sec_logs"}}
 | 
	
		
			
				|  |  | +{ "@timestamp": "2020-12-07T11:06:07.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process" }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } }
 | 
	
		
			
				|  |  | +{"index":{"_index" : "sec_logs"}}
 | 
	
		
			
				|  |  | +{ "@timestamp": "2020-12-07T11:07:08.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "image_load" }, "file": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } }
 | 
	
		
			
				|  |  | +{"index":{"_index" : "sec_logs"}}
 | 
	
		
			
				|  |  | +{ "@timestamp": "2020-12-07T11:07:09.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process" }, "process": { "name": "regsvr32.exe", "path": "C:\\Windows\\System32\\regsvr32.exe" } }
 | 
	
		
			
				|  |  | +----
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +You can now use the EQL search API to search this index using an EQL query.
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +The following request searches the `sec_logs` index using the EQL query
 | 
	
		
			
				|  |  | +specified in the `rule` parameter. The EQL query matches events with an
 | 
	
		
			
				|  |  | +`event.category` of `process` that have a `process.name` of `cmd.exe`.
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +[source,console]
 | 
	
		
			
				|  |  | +----
 | 
	
		
			
				|  |  | +GET sec_logs/_eql/search
 | 
	
		
			
				|  |  | +{
 | 
	
		
			
				|  |  | +  "rule": """
 | 
	
		
			
				|  |  | +    process where process.name == "cmd.exe"
 | 
	
		
			
				|  |  | +  """
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +----
 | 
	
		
			
				|  |  | +// TEST[continued]
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +Because the `sec_log` index follows the ECS, you don't need to specify the
 | 
	
		
			
				|  |  | +event type or timestamp fields. The request uses the `event.category` and
 | 
	
		
			
				|  |  | +`@timestamp` fields by default.
 |