EQL: Replace ?"..." with """...""" for unescaped strings (#62539)

Use triple double quotes enclosing a string literal to interpret it
as unescaped, in order to use `?` for marking query params and avoid
user confusion. `?` also usually implies regex expressions.

Any character inside the `"""` beginning-closing markings is considered
raw and the only thing that is not permitted is the `"""` sequence itself.
If a user wants to use that, needs to resort to the normal `"` string literal
and use proper escaping.

Relates to #61659

x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml

@@ -138,15 +138,15 @@ expected_event_ids  = [98]
 notes = "regexp doesn't support character classes"
 query = '''
 //
-//                                ?".*?net1\s+localgroup.*?")
-process where match(command_line, ?".*?net1[ ]+localgroup.*?")
+//                                """.*?net1\s+localgroup.*?""")
+process where match(command_line, """.*?net1[ ]+localgroup.*?""")
 '''
 
 [[queries]]
 name = "matchLiteAdditional"
 expected_event_ids  = [98]
 query = '''
-process where matchLite(command_line, ?".*?net1.*?")
+process where matchLite(command_line, """.*?net1.*?""")
 '''
 
 [[queries]]
@@ -154,8 +154,8 @@ name = "matchWithCharacterClasses2"
 expected_event_ids  = [98]
 notes = "regexp doesn't support predefined character classes (like \\s)"
 query = '''
-//                                ?".*?net1\s+\w{4,15}\s+.*?"
-process where match(command_line, ?".*?net1[ ]+[a-z]{4,15}[ ]+.*?")
+//                                """.*?net1\s+\w{4,15}\s+.*?"""
+process where match(command_line, """.*?net1[ ]+[a-z]{4,15}[ ]+.*?""")
 '''
 
 

x-pack/plugin/eql/qa/common/src/main/resources/test_queries.toml

@@ -1399,21 +1399,21 @@ registry where bytes_written_string_list[1] : "en"
 [[queries]]
 name = "matchLite1"
 query = '''
-process where matchLite(command_line, ?".*?net1\s+localgroup\s+.*?")
+process where matchLite(command_line, """.*?net1\s+localgroup\s+.*?""")
 '''
 expected_event_ids  = [98]
 
 [[queries]]
 name = "matchLite2"
 query = '''
-process where matchLite(command_line, ?".*?net1\s+\w+\s+.*?")
+process where matchLite(command_line, """.*?net1\s+\w+\s+.*?""")
 '''
 expected_event_ids  = [98]
 
 [[queries]]
 name = "matchLite3"
 query = '''
-process where matchLite(command_line, ?".*?net1\s+\w{4,15}\s+.*?")
+process where matchLite(command_line, """.*?net1\s+\w{4,15}\s+.*?""")
 '''
 expected_event_ids  = [98]
 
@@ -1421,13 +1421,13 @@ expected_event_ids  = [98]
 name = "match1"
 expected_event_ids  = [98]
 query = '''
-process where match(command_line, ?".*?net1\s+\w{4,15}\s+.*?")
+process where match(command_line, """.*?net1\s+\w{4,15}\s+.*?""")
 '''
 
 [[queries]]
 name = "matchLite4"
 query = '''
-process where matchLite(command_line, ?".*?net1\s+[localgrup]{4,15}\s+.*?")
+process where matchLite(command_line, """.*?net1\s+[localgrup]{4,15}\s+.*?""")
 '''
 expected_event_ids  = [98]
 

x-pack/plugin/eql/qa/common/src/main/resources/test_queries_unsupported.toml

@@ -797,21 +797,21 @@ registry where bytes_written_string_list[1] : "en"
 [[queries]]
 name = "matchLite1"
 query = '''
-process where matchLite(command_line, ?".*?net1\s+localgroup\s+.*?")
+process where matchLite(command_line, """.*?net1\s+localgroup\s+.*?""")
 '''
 expected_event_ids  = [98]
 
 [[queries]]
 name = "matchLite2"
 query = '''
-process where matchLite(command_line, ?".*?net1\s+\w+\s+.*?")
+process where matchLite(command_line, """.*?net1\s+\w+\s+.*?""")
 '''
 expected_event_ids  = [98]
 
 [[queries]]
 name = "matchLite3"
 query = '''
-process where matchLite(command_line, ?".*?net1\s+\w{4,15}\s+.*?")
+process where matchLite(command_line, """.*?net1\s+\w{4,15}\s+.*?""")
 '''
 expected_event_ids  = [98]
 
@@ -819,13 +819,13 @@ expected_event_ids  = [98]
 name = "match1"
 expected_event_ids  = [98]
 query = '''
-process where match(command_line, ?".*?net1\s+\w{4,15}\s+.*?")
+process where match(command_line, """.*?net1\s+\w{4,15}\s+.*?""")
 '''
 
 [[queries]]
 name = "matchLite4"
 query = '''
-process where matchLite(command_line, ?".*?net1\s+[localgrup]{4,15}\s+.*?")
+process where matchLite(command_line, """.*?net1\s+[localgrup]{4,15}\s+.*?""")
 '''
 expected_event_ids  = [98]
 

x-pack/plugin/eql/src/main/antlr/EqlBase.g4

@@ -202,6 +202,7 @@ STRING
     | '"'   ('\\' [btnfr"'\\] | ~[\r\n"\\])* '"'
     | '?"'  ('\\"' |~["\r\n])* '"'
     | '?\'' ('\\\'' |~['\r\n])* '\''
+    | '"""' (~[\r\n])*? '"""' '"'? '"'?
     ;
 
 INTEGER_VALUE

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/AbstractBuilder.java

@@ -122,10 +122,15 @@ abstract class AbstractBuilder extends EqlBaseBaseVisitor<Object> {
             return null;
         }
 
-        // unescaped strings can be interpreted directly
+        // catch old method of ?" and ?' to define unescaped strings
         if (text.startsWith("?")) {
-            checkForSingleQuotedString(source, text, 1);
-            return text.substring(2, text.length() - 1);
+            throw new ParsingException(source,
+                "Use triple double quotes [\"\"\"] to define unescaped string literals, not [?{}]", text.charAt(1));
+        }
+
+        // unescaped strings can be interpreted directly
+        if (text.startsWith("\"\"\"")) {
+            return text.substring(3, text.length() - 3);
         }
 
         checkForSingleQuotedString(source, text, 0);

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseLexer.java

@@ -106,7 +106,7 @@ class EqlBaseLexer extends Lexer {
   public ATN getATN() { return _ATN; }
 
   public static final String _serializedATN =
-    "\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\2.\u0186\b\1\4\2\t"+
+    "\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\2.\u019a\b\1\4\2\t"+
     "\2\4\3\t\3\4\4\t\4\4\5\t\5\4\6\t\6\4\7\t\7\4\b\t\b\4\t\t\t\4\n\t\n\4\13"+
     "\t\13\4\f\t\f\4\r\t\r\4\16\t\16\4\17\t\17\4\20\t\20\4\21\t\21\4\22\t\22"+
     "\4\23\t\23\4\24\t\24\4\25\t\25\4\26\t\26\4\27\t\27\4\30\t\30\4\31\t\31"+
@@ -124,124 +124,133 @@ class EqlBaseLexer extends Lexer {
     "\'\3\'\7\'\u00ec\n\'\f\'\16\'\u00ef\13\'\3\'\3\'\3\'\3\'\3\'\7\'\u00f6"+
     "\n\'\f\'\16\'\u00f9\13\'\3\'\3\'\3\'\3\'\3\'\3\'\3\'\7\'\u0102\n\'\f\'"+
     "\16\'\u0105\13\'\3\'\3\'\3\'\3\'\3\'\3\'\3\'\7\'\u010e\n\'\f\'\16\'\u0111"+
-    "\13\'\3\'\5\'\u0114\n\'\3(\6(\u0117\n(\r(\16(\u0118\3)\6)\u011c\n)\r)"+
-    "\16)\u011d\3)\3)\7)\u0122\n)\f)\16)\u0125\13)\3)\3)\6)\u0129\n)\r)\16"+
-    ")\u012a\3)\6)\u012e\n)\r)\16)\u012f\3)\3)\7)\u0134\n)\f)\16)\u0137\13"+
-    ")\5)\u0139\n)\3)\3)\3)\3)\6)\u013f\n)\r)\16)\u0140\3)\3)\5)\u0145\n)\3"+
-    "*\3*\5*\u0149\n*\3*\3*\3*\7*\u014e\n*\f*\16*\u0151\13*\3+\3+\5+\u0155"+
-    "\n+\3+\6+\u0158\n+\r+\16+\u0159\3,\3,\3-\3-\3.\3.\3.\3.\7.\u0164\n.\f"+
-    ".\16.\u0167\13.\3.\5.\u016a\n.\3.\5.\u016d\n.\3.\3.\3/\3/\3/\3/\3/\7/"+
-    "\u0176\n/\f/\16/\u0179\13/\3/\3/\3/\3/\3/\3\60\6\60\u0181\n\60\r\60\16"+
-    "\60\u0182\3\60\3\60\3\u0177\2\61\3\3\5\4\7\5\t\6\13\7\r\b\17\t\21\n\23"+
-    "\13\25\f\27\r\31\16\33\17\35\20\37\21!\22#\23%\24\'\25)\26+\27-\30/\31"+
-    "\61\32\63\33\65\34\67\359\36;\37= ?!A\"C#E$G%I&K\'M(O)Q*S+U\2W\2Y\2[,"+
-    "]-_.\3\2\17\3\2bb\n\2$$))^^ddhhppttvv\6\2\f\f\17\17))^^\6\2\f\f\17\17"+
-    "$$^^\5\2\f\f\17\17$$\5\2\f\f\17\17))\4\2BBaa\4\2GGgg\4\2--//\3\2\62;\4"+
-    "\2C\\c|\4\2\f\f\17\17\5\2\13\f\17\17\"\"\u01a6\2\3\3\2\2\2\2\5\3\2\2\2"+
-    "\2\7\3\2\2\2\2\t\3\2\2\2\2\13\3\2\2\2\2\r\3\2\2\2\2\17\3\2\2\2\2\21\3"+
-    "\2\2\2\2\23\3\2\2\2\2\25\3\2\2\2\2\27\3\2\2\2\2\31\3\2\2\2\2\33\3\2\2"+
-    "\2\2\35\3\2\2\2\2\37\3\2\2\2\2!\3\2\2\2\2#\3\2\2\2\2%\3\2\2\2\2\'\3\2"+
-    "\2\2\2)\3\2\2\2\2+\3\2\2\2\2-\3\2\2\2\2/\3\2\2\2\2\61\3\2\2\2\2\63\3\2"+
-    "\2\2\2\65\3\2\2\2\2\67\3\2\2\2\29\3\2\2\2\2;\3\2\2\2\2=\3\2\2\2\2?\3\2"+
-    "\2\2\2A\3\2\2\2\2C\3\2\2\2\2E\3\2\2\2\2G\3\2\2\2\2I\3\2\2\2\2K\3\2\2\2"+
-    "\2M\3\2\2\2\2O\3\2\2\2\2Q\3\2\2\2\2S\3\2\2\2\2[\3\2\2\2\2]\3\2\2\2\2_"+
-    "\3\2\2\2\3a\3\2\2\2\5e\3\2\2\2\7i\3\2\2\2\tl\3\2\2\2\13r\3\2\2\2\ru\3"+
-    "\2\2\2\17z\3\2\2\2\21\u0082\3\2\2\2\23\u0086\3\2\2\2\25\u008b\3\2\2\2"+
-    "\27\u008e\3\2\2\2\31\u0091\3\2\2\2\33\u009a\3\2\2\2\35\u009f\3\2\2\2\37"+
-    "\u00a5\3\2\2\2!\u00ab\3\2\2\2#\u00b0\3\2\2\2%\u00b2\3\2\2\2\'\u00b4\3"+
-    "\2\2\2)\u00b7\3\2\2\2+\u00ba\3\2\2\2-\u00bc\3\2\2\2/\u00bf\3\2\2\2\61"+
-    "\u00c1\3\2\2\2\63\u00c4\3\2\2\2\65\u00c6\3\2\2\2\67\u00c8\3\2\2\29\u00ca"+
-    "\3\2\2\2;\u00cc\3\2\2\2=\u00ce\3\2\2\2?\u00d0\3\2\2\2A\u00d2\3\2\2\2C"+
-    "\u00d4\3\2\2\2E\u00d6\3\2\2\2G\u00d8\3\2\2\2I\u00da\3\2\2\2K\u00dc\3\2"+
-    "\2\2M\u0113\3\2\2\2O\u0116\3\2\2\2Q\u0144\3\2\2\2S\u0148\3\2\2\2U\u0152"+
-    "\3\2\2\2W\u015b\3\2\2\2Y\u015d\3\2\2\2[\u015f\3\2\2\2]\u0170\3\2\2\2_"+
-    "\u0180\3\2\2\2ab\7c\2\2bc\7p\2\2cd\7f\2\2d\4\3\2\2\2ef\7c\2\2fg\7p\2\2"+
-    "gh\7{\2\2h\6\3\2\2\2ij\7d\2\2jk\7{\2\2k\b\3\2\2\2lm\7h\2\2mn\7c\2\2no"+
-    "\7n\2\2op\7u\2\2pq\7g\2\2q\n\3\2\2\2rs\7k\2\2st\7p\2\2t\f\3\2\2\2uv\7"+
-    "l\2\2vw\7q\2\2wx\7k\2\2xy\7p\2\2y\16\3\2\2\2z{\7o\2\2{|\7c\2\2|}\7z\2"+
-    "\2}~\7u\2\2~\177\7r\2\2\177\u0080\7c\2\2\u0080\u0081\7p\2\2\u0081\20\3"+
-    "\2\2\2\u0082\u0083\7p\2\2\u0083\u0084\7q\2\2\u0084\u0085\7v\2\2\u0085"+
-    "\22\3\2\2\2\u0086\u0087\7p\2\2\u0087\u0088\7w\2\2\u0088\u0089\7n\2\2\u0089"+
-    "\u008a\7n\2\2\u008a\24\3\2\2\2\u008b\u008c\7q\2\2\u008c\u008d\7h\2\2\u008d"+
-    "\26\3\2\2\2\u008e\u008f\7q\2\2\u008f\u0090\7t\2\2\u0090\30\3\2\2\2\u0091"+
-    "\u0092\7u\2\2\u0092\u0093\7g\2\2\u0093\u0094\7s\2\2\u0094\u0095\7w\2\2"+
-    "\u0095\u0096\7g\2\2\u0096\u0097\7p\2\2\u0097\u0098\7e\2\2\u0098\u0099"+
-    "\7g\2\2\u0099\32\3\2\2\2\u009a\u009b\7v\2\2\u009b\u009c\7t\2\2\u009c\u009d"+
-    "\7w\2\2\u009d\u009e\7g\2\2\u009e\34\3\2\2\2\u009f\u00a0\7w\2\2\u00a0\u00a1"+
-    "\7p\2\2\u00a1\u00a2\7v\2\2\u00a2\u00a3\7k\2\2\u00a3\u00a4\7n\2\2\u00a4"+
-    "\36\3\2\2\2\u00a5\u00a6\7y\2\2\u00a6\u00a7\7j\2\2\u00a7\u00a8\7g\2\2\u00a8"+
-    "\u00a9\7t\2\2\u00a9\u00aa\7g\2\2\u00aa \3\2\2\2\u00ab\u00ac\7y\2\2\u00ac"+
-    "\u00ad\7k\2\2\u00ad\u00ae\7v\2\2\u00ae\u00af\7j\2\2\u00af\"\3\2\2\2\u00b0"+
-    "\u00b1\7<\2\2\u00b1$\3\2\2\2\u00b2\u00b3\7?\2\2\u00b3&\3\2\2\2\u00b4\u00b5"+
-    "\7?\2\2\u00b5\u00b6\7?\2\2\u00b6(\3\2\2\2\u00b7\u00b8\7#\2\2\u00b8\u00b9"+
-    "\7?\2\2\u00b9*\3\2\2\2\u00ba\u00bb\7>\2\2\u00bb,\3\2\2\2\u00bc\u00bd\7"+
-    ">\2\2\u00bd\u00be\7?\2\2\u00be.\3\2\2\2\u00bf\u00c0\7@\2\2\u00c0\60\3"+
-    "\2\2\2\u00c1\u00c2\7@\2\2\u00c2\u00c3\7?\2\2\u00c3\62\3\2\2\2\u00c4\u00c5"+
-    "\7-\2\2\u00c5\64\3\2\2\2\u00c6\u00c7\7/\2\2\u00c7\66\3\2\2\2\u00c8\u00c9"+
-    "\7,\2\2\u00c98\3\2\2\2\u00ca\u00cb\7\61\2\2\u00cb:\3\2\2\2\u00cc\u00cd"+
-    "\7\'\2\2\u00cd<\3\2\2\2\u00ce\u00cf\7\60\2\2\u00cf>\3\2\2\2\u00d0\u00d1"+
-    "\7.\2\2\u00d1@\3\2\2\2\u00d2\u00d3\7]\2\2\u00d3B\3\2\2\2\u00d4\u00d5\7"+
-    "_\2\2\u00d5D\3\2\2\2\u00d6\u00d7\7*\2\2\u00d7F\3\2\2\2\u00d8\u00d9\7+"+
-    "\2\2\u00d9H\3\2\2\2\u00da\u00db\7~\2\2\u00dbJ\3\2\2\2\u00dc\u00e2\7b\2"+
-    "\2\u00dd\u00e1\n\2\2\2\u00de\u00df\7b\2\2\u00df\u00e1\7b\2\2\u00e0\u00dd"+
-    "\3\2\2\2\u00e0\u00de\3\2\2\2\u00e1\u00e4\3\2\2\2\u00e2\u00e0\3\2\2\2\u00e2"+
-    "\u00e3\3\2\2\2\u00e3\u00e5\3\2\2\2\u00e4\u00e2\3\2\2\2\u00e5\u00e6\7b"+
-    "\2\2\u00e6L\3\2\2\2\u00e7\u00ed\7)\2\2\u00e8\u00e9\7^\2\2\u00e9\u00ec"+
-    "\t\3\2\2\u00ea\u00ec\n\4\2\2\u00eb\u00e8\3\2\2\2\u00eb\u00ea\3\2\2\2\u00ec"+
-    "\u00ef\3\2\2\2\u00ed\u00eb\3\2\2\2\u00ed\u00ee\3\2\2\2\u00ee\u00f0\3\2"+
-    "\2\2\u00ef\u00ed\3\2\2\2\u00f0\u0114\7)\2\2\u00f1\u00f7\7$\2\2\u00f2\u00f3"+
-    "\7^\2\2\u00f3\u00f6\t\3\2\2\u00f4\u00f6\n\5\2\2\u00f5\u00f2\3\2\2\2\u00f5"+
-    "\u00f4\3\2\2\2\u00f6\u00f9\3\2\2\2\u00f7\u00f5\3\2\2\2\u00f7\u00f8\3\2"+
-    "\2\2\u00f8\u00fa\3\2\2\2\u00f9\u00f7\3\2\2\2\u00fa\u0114\7$\2\2\u00fb"+
-    "\u00fc\7A\2\2\u00fc\u00fd\7$\2\2\u00fd\u0103\3\2\2\2\u00fe\u00ff\7^\2"+
-    "\2\u00ff\u0102\7$\2\2\u0100\u0102\n\6\2\2\u0101\u00fe\3\2\2\2\u0101\u0100"+
-    "\3\2\2\2\u0102\u0105\3\2\2\2\u0103\u0101\3\2\2\2\u0103\u0104\3\2\2\2\u0104"+
-    "\u0106\3\2\2\2\u0105\u0103\3\2\2\2\u0106\u0114\7$\2\2\u0107\u0108\7A\2"+
-    "\2\u0108\u0109\7)\2\2\u0109\u010f\3\2\2\2\u010a\u010b\7^\2\2\u010b\u010e"+
-    "\7)\2\2\u010c\u010e\n\7\2\2\u010d\u010a\3\2\2\2\u010d\u010c\3\2\2\2\u010e"+
-    "\u0111\3\2\2\2\u010f\u010d\3\2\2\2\u010f\u0110\3\2\2\2\u0110\u0112\3\2"+
-    "\2\2\u0111\u010f\3\2\2\2\u0112\u0114\7)\2\2\u0113\u00e7\3\2\2\2\u0113"+
-    "\u00f1\3\2\2\2\u0113\u00fb\3\2\2\2\u0113\u0107\3\2\2\2\u0114N\3\2\2\2"+
-    "\u0115\u0117\5W,\2\u0116\u0115\3\2\2\2\u0117\u0118\3\2\2\2\u0118\u0116"+
-    "\3\2\2\2\u0118\u0119\3\2\2\2\u0119P\3\2\2\2\u011a\u011c\5W,\2\u011b\u011a"+
-    "\3\2\2\2\u011c\u011d\3\2\2\2\u011d\u011b\3\2\2\2\u011d\u011e\3\2\2\2\u011e"+
-    "\u011f\3\2\2\2\u011f\u0123\5=\37\2\u0120\u0122\5W,\2\u0121\u0120\3\2\2"+
-    "\2\u0122\u0125\3\2\2\2\u0123\u0121\3\2\2\2\u0123\u0124\3\2\2\2\u0124\u0145"+
-    "\3\2\2\2\u0125\u0123\3\2\2\2\u0126\u0128\5=\37\2\u0127\u0129\5W,\2\u0128"+
-    "\u0127\3\2\2\2\u0129\u012a\3\2\2\2\u012a\u0128\3\2\2\2\u012a\u012b\3\2"+
-    "\2\2\u012b\u0145\3\2\2\2\u012c\u012e\5W,\2\u012d\u012c\3\2\2\2\u012e\u012f"+
-    "\3\2\2\2\u012f\u012d\3\2\2\2\u012f\u0130\3\2\2\2\u0130\u0138\3\2\2\2\u0131"+
-    "\u0135\5=\37\2\u0132\u0134\5W,\2\u0133\u0132\3\2\2\2\u0134\u0137\3\2\2"+
-    "\2\u0135\u0133\3\2\2\2\u0135\u0136\3\2\2\2\u0136\u0139\3\2\2\2\u0137\u0135"+
-    "\3\2\2\2\u0138\u0131\3\2\2\2\u0138\u0139\3\2\2\2\u0139\u013a\3\2\2\2\u013a"+
-    "\u013b\5U+\2\u013b\u0145\3\2\2\2\u013c\u013e\5=\37\2\u013d\u013f\5W,\2"+
-    "\u013e\u013d\3\2\2\2\u013f\u0140\3\2\2\2\u0140\u013e\3\2\2\2\u0140\u0141"+
-    "\3\2\2\2\u0141\u0142\3\2\2\2\u0142\u0143\5U+\2\u0143\u0145\3\2\2\2\u0144"+
-    "\u011b\3\2\2\2\u0144\u0126\3\2\2\2\u0144\u012d\3\2\2\2\u0144\u013c\3\2"+
-    "\2\2\u0145R\3\2\2\2\u0146\u0149\5Y-\2\u0147\u0149\t\b\2\2\u0148\u0146"+
-    "\3\2\2\2\u0148\u0147\3\2\2\2\u0149\u014f\3\2\2\2\u014a\u014e\5Y-\2\u014b"+
-    "\u014e\5W,\2\u014c\u014e\7a\2\2\u014d\u014a\3\2\2\2\u014d\u014b\3\2\2"+
-    "\2\u014d\u014c\3\2\2\2\u014e\u0151\3\2\2\2\u014f\u014d\3\2\2\2\u014f\u0150"+
-    "\3\2\2\2\u0150T\3\2\2\2\u0151\u014f\3\2\2\2\u0152\u0154\t\t\2\2\u0153"+
-    "\u0155\t\n\2\2\u0154\u0153\3\2\2\2\u0154\u0155\3\2\2\2\u0155\u0157\3\2"+
-    "\2\2\u0156\u0158\5W,\2\u0157\u0156\3\2\2\2\u0158\u0159\3\2\2\2\u0159\u0157"+
-    "\3\2\2\2\u0159\u015a\3\2\2\2\u015aV\3\2\2\2\u015b\u015c\t\13\2\2\u015c"+
-    "X\3\2\2\2\u015d\u015e\t\f\2\2\u015eZ\3\2\2\2\u015f\u0160\7\61\2\2\u0160"+
-    "\u0161\7\61\2\2\u0161\u0165\3\2\2\2\u0162\u0164\n\r\2\2\u0163\u0162\3"+
-    "\2\2\2\u0164\u0167\3\2\2\2\u0165\u0163\3\2\2\2\u0165\u0166\3\2\2\2\u0166"+
-    "\u0169\3\2\2\2\u0167\u0165\3\2\2\2\u0168\u016a\7\17\2\2\u0169\u0168\3"+
-    "\2\2\2\u0169\u016a\3\2\2\2\u016a\u016c\3\2\2\2\u016b\u016d\7\f\2\2\u016c"+
-    "\u016b\3\2\2\2\u016c\u016d\3\2\2\2\u016d\u016e\3\2\2\2\u016e\u016f\b."+
-    "\2\2\u016f\\\3\2\2\2\u0170\u0171\7\61\2\2\u0171\u0172\7,\2\2\u0172\u0177"+
-    "\3\2\2\2\u0173\u0176\5]/\2\u0174\u0176\13\2\2\2\u0175\u0173\3\2\2\2\u0175"+
-    "\u0174\3\2\2\2\u0176\u0179\3\2\2\2\u0177\u0178\3\2\2\2\u0177\u0175\3\2"+
-    "\2\2\u0178\u017a\3\2\2\2\u0179\u0177\3\2\2\2\u017a\u017b\7,\2\2\u017b"+
-    "\u017c\7\61\2\2\u017c\u017d\3\2\2\2\u017d\u017e\b/\2\2\u017e^\3\2\2\2"+
-    "\u017f\u0181\t\16\2\2\u0180\u017f\3\2\2\2\u0181\u0182\3\2\2\2\u0182\u0180"+
-    "\3\2\2\2\u0182\u0183\3\2\2\2\u0183\u0184\3\2\2\2\u0184\u0185\b\60\2\2"+
-    "\u0185`\3\2\2\2\"\2\u00e0\u00e2\u00eb\u00ed\u00f5\u00f7\u0101\u0103\u010d"+
-    "\u010f\u0113\u0118\u011d\u0123\u012a\u012f\u0135\u0138\u0140\u0144\u0148"+
-    "\u014d\u014f\u0154\u0159\u0165\u0169\u016c\u0175\u0177\u0182\3\2\3\2";
+    "\13\'\3\'\3\'\3\'\3\'\3\'\3\'\7\'\u0119\n\'\f\'\16\'\u011c\13\'\3\'\3"+
+    "\'\3\'\3\'\3\'\5\'\u0123\n\'\3\'\5\'\u0126\n\'\5\'\u0128\n\'\3(\6(\u012b"+
+    "\n(\r(\16(\u012c\3)\6)\u0130\n)\r)\16)\u0131\3)\3)\7)\u0136\n)\f)\16)"+
+    "\u0139\13)\3)\3)\6)\u013d\n)\r)\16)\u013e\3)\6)\u0142\n)\r)\16)\u0143"+
+    "\3)\3)\7)\u0148\n)\f)\16)\u014b\13)\5)\u014d\n)\3)\3)\3)\3)\6)\u0153\n"+
+    ")\r)\16)\u0154\3)\3)\5)\u0159\n)\3*\3*\5*\u015d\n*\3*\3*\3*\7*\u0162\n"+
+    "*\f*\16*\u0165\13*\3+\3+\5+\u0169\n+\3+\6+\u016c\n+\r+\16+\u016d\3,\3"+
+    ",\3-\3-\3.\3.\3.\3.\7.\u0178\n.\f.\16.\u017b\13.\3.\5.\u017e\n.\3.\5."+
+    "\u0181\n.\3.\3.\3/\3/\3/\3/\3/\7/\u018a\n/\f/\16/\u018d\13/\3/\3/\3/\3"+
+    "/\3/\3\60\6\60\u0195\n\60\r\60\16\60\u0196\3\60\3\60\4\u011a\u018b\2\61"+
+    "\3\3\5\4\7\5\t\6\13\7\r\b\17\t\21\n\23\13\25\f\27\r\31\16\33\17\35\20"+
+    "\37\21!\22#\23%\24\'\25)\26+\27-\30/\31\61\32\63\33\65\34\67\359\36;\37"+
+    "= ?!A\"C#E$G%I&K\'M(O)Q*S+U\2W\2Y\2[,]-_.\3\2\17\3\2bb\n\2$$))^^ddhhp"+
+    "pttvv\6\2\f\f\17\17))^^\6\2\f\f\17\17$$^^\5\2\f\f\17\17$$\5\2\f\f\17\17"+
+    "))\4\2\f\f\17\17\4\2BBaa\4\2GGgg\4\2--//\3\2\62;\4\2C\\c|\5\2\13\f\17"+
+    "\17\"\"\u01be\2\3\3\2\2\2\2\5\3\2\2\2\2\7\3\2\2\2\2\t\3\2\2\2\2\13\3\2"+
+    "\2\2\2\r\3\2\2\2\2\17\3\2\2\2\2\21\3\2\2\2\2\23\3\2\2\2\2\25\3\2\2\2\2"+
+    "\27\3\2\2\2\2\31\3\2\2\2\2\33\3\2\2\2\2\35\3\2\2\2\2\37\3\2\2\2\2!\3\2"+
+    "\2\2\2#\3\2\2\2\2%\3\2\2\2\2\'\3\2\2\2\2)\3\2\2\2\2+\3\2\2\2\2-\3\2\2"+
+    "\2\2/\3\2\2\2\2\61\3\2\2\2\2\63\3\2\2\2\2\65\3\2\2\2\2\67\3\2\2\2\29\3"+
+    "\2\2\2\2;\3\2\2\2\2=\3\2\2\2\2?\3\2\2\2\2A\3\2\2\2\2C\3\2\2\2\2E\3\2\2"+
+    "\2\2G\3\2\2\2\2I\3\2\2\2\2K\3\2\2\2\2M\3\2\2\2\2O\3\2\2\2\2Q\3\2\2\2\2"+
+    "S\3\2\2\2\2[\3\2\2\2\2]\3\2\2\2\2_\3\2\2\2\3a\3\2\2\2\5e\3\2\2\2\7i\3"+
+    "\2\2\2\tl\3\2\2\2\13r\3\2\2\2\ru\3\2\2\2\17z\3\2\2\2\21\u0082\3\2\2\2"+
+    "\23\u0086\3\2\2\2\25\u008b\3\2\2\2\27\u008e\3\2\2\2\31\u0091\3\2\2\2\33"+
+    "\u009a\3\2\2\2\35\u009f\3\2\2\2\37\u00a5\3\2\2\2!\u00ab\3\2\2\2#\u00b0"+
+    "\3\2\2\2%\u00b2\3\2\2\2\'\u00b4\3\2\2\2)\u00b7\3\2\2\2+\u00ba\3\2\2\2"+
+    "-\u00bc\3\2\2\2/\u00bf\3\2\2\2\61\u00c1\3\2\2\2\63\u00c4\3\2\2\2\65\u00c6"+
+    "\3\2\2\2\67\u00c8\3\2\2\29\u00ca\3\2\2\2;\u00cc\3\2\2\2=\u00ce\3\2\2\2"+
+    "?\u00d0\3\2\2\2A\u00d2\3\2\2\2C\u00d4\3\2\2\2E\u00d6\3\2\2\2G\u00d8\3"+
+    "\2\2\2I\u00da\3\2\2\2K\u00dc\3\2\2\2M\u0127\3\2\2\2O\u012a\3\2\2\2Q\u0158"+
+    "\3\2\2\2S\u015c\3\2\2\2U\u0166\3\2\2\2W\u016f\3\2\2\2Y\u0171\3\2\2\2["+
+    "\u0173\3\2\2\2]\u0184\3\2\2\2_\u0194\3\2\2\2ab\7c\2\2bc\7p\2\2cd\7f\2"+
+    "\2d\4\3\2\2\2ef\7c\2\2fg\7p\2\2gh\7{\2\2h\6\3\2\2\2ij\7d\2\2jk\7{\2\2"+
+    "k\b\3\2\2\2lm\7h\2\2mn\7c\2\2no\7n\2\2op\7u\2\2pq\7g\2\2q\n\3\2\2\2rs"+
+    "\7k\2\2st\7p\2\2t\f\3\2\2\2uv\7l\2\2vw\7q\2\2wx\7k\2\2xy\7p\2\2y\16\3"+
+    "\2\2\2z{\7o\2\2{|\7c\2\2|}\7z\2\2}~\7u\2\2~\177\7r\2\2\177\u0080\7c\2"+
+    "\2\u0080\u0081\7p\2\2\u0081\20\3\2\2\2\u0082\u0083\7p\2\2\u0083\u0084"+
+    "\7q\2\2\u0084\u0085\7v\2\2\u0085\22\3\2\2\2\u0086\u0087\7p\2\2\u0087\u0088"+
+    "\7w\2\2\u0088\u0089\7n\2\2\u0089\u008a\7n\2\2\u008a\24\3\2\2\2\u008b\u008c"+
+    "\7q\2\2\u008c\u008d\7h\2\2\u008d\26\3\2\2\2\u008e\u008f\7q\2\2\u008f\u0090"+
+    "\7t\2\2\u0090\30\3\2\2\2\u0091\u0092\7u\2\2\u0092\u0093\7g\2\2\u0093\u0094"+
+    "\7s\2\2\u0094\u0095\7w\2\2\u0095\u0096\7g\2\2\u0096\u0097\7p\2\2\u0097"+
+    "\u0098\7e\2\2\u0098\u0099\7g\2\2\u0099\32\3\2\2\2\u009a\u009b\7v\2\2\u009b"+
+    "\u009c\7t\2\2\u009c\u009d\7w\2\2\u009d\u009e\7g\2\2\u009e\34\3\2\2\2\u009f"+
+    "\u00a0\7w\2\2\u00a0\u00a1\7p\2\2\u00a1\u00a2\7v\2\2\u00a2\u00a3\7k\2\2"+
+    "\u00a3\u00a4\7n\2\2\u00a4\36\3\2\2\2\u00a5\u00a6\7y\2\2\u00a6\u00a7\7"+
+    "j\2\2\u00a7\u00a8\7g\2\2\u00a8\u00a9\7t\2\2\u00a9\u00aa\7g\2\2\u00aa "+
+    "\3\2\2\2\u00ab\u00ac\7y\2\2\u00ac\u00ad\7k\2\2\u00ad\u00ae\7v\2\2\u00ae"+
+    "\u00af\7j\2\2\u00af\"\3\2\2\2\u00b0\u00b1\7<\2\2\u00b1$\3\2\2\2\u00b2"+
+    "\u00b3\7?\2\2\u00b3&\3\2\2\2\u00b4\u00b5\7?\2\2\u00b5\u00b6\7?\2\2\u00b6"+
+    "(\3\2\2\2\u00b7\u00b8\7#\2\2\u00b8\u00b9\7?\2\2\u00b9*\3\2\2\2\u00ba\u00bb"+
+    "\7>\2\2\u00bb,\3\2\2\2\u00bc\u00bd\7>\2\2\u00bd\u00be\7?\2\2\u00be.\3"+
+    "\2\2\2\u00bf\u00c0\7@\2\2\u00c0\60\3\2\2\2\u00c1\u00c2\7@\2\2\u00c2\u00c3"+
+    "\7?\2\2\u00c3\62\3\2\2\2\u00c4\u00c5\7-\2\2\u00c5\64\3\2\2\2\u00c6\u00c7"+
+    "\7/\2\2\u00c7\66\3\2\2\2\u00c8\u00c9\7,\2\2\u00c98\3\2\2\2\u00ca\u00cb"+
+    "\7\61\2\2\u00cb:\3\2\2\2\u00cc\u00cd\7\'\2\2\u00cd<\3\2\2\2\u00ce\u00cf"+
+    "\7\60\2\2\u00cf>\3\2\2\2\u00d0\u00d1\7.\2\2\u00d1@\3\2\2\2\u00d2\u00d3"+
+    "\7]\2\2\u00d3B\3\2\2\2\u00d4\u00d5\7_\2\2\u00d5D\3\2\2\2\u00d6\u00d7\7"+
+    "*\2\2\u00d7F\3\2\2\2\u00d8\u00d9\7+\2\2\u00d9H\3\2\2\2\u00da\u00db\7~"+
+    "\2\2\u00dbJ\3\2\2\2\u00dc\u00e2\7b\2\2\u00dd\u00e1\n\2\2\2\u00de\u00df"+
+    "\7b\2\2\u00df\u00e1\7b\2\2\u00e0\u00dd\3\2\2\2\u00e0\u00de\3\2\2\2\u00e1"+
+    "\u00e4\3\2\2\2\u00e2\u00e0\3\2\2\2\u00e2\u00e3\3\2\2\2\u00e3\u00e5\3\2"+
+    "\2\2\u00e4\u00e2\3\2\2\2\u00e5\u00e6\7b\2\2\u00e6L\3\2\2\2\u00e7\u00ed"+
+    "\7)\2\2\u00e8\u00e9\7^\2\2\u00e9\u00ec\t\3\2\2\u00ea\u00ec\n\4\2\2\u00eb"+
+    "\u00e8\3\2\2\2\u00eb\u00ea\3\2\2\2\u00ec\u00ef\3\2\2\2\u00ed\u00eb\3\2"+
+    "\2\2\u00ed\u00ee\3\2\2\2\u00ee\u00f0\3\2\2\2\u00ef\u00ed\3\2\2\2\u00f0"+
+    "\u0128\7)\2\2\u00f1\u00f7\7$\2\2\u00f2\u00f3\7^\2\2\u00f3\u00f6\t\3\2"+
+    "\2\u00f4\u00f6\n\5\2\2\u00f5\u00f2\3\2\2\2\u00f5\u00f4\3\2\2\2\u00f6\u00f9"+
+    "\3\2\2\2\u00f7\u00f5\3\2\2\2\u00f7\u00f8\3\2\2\2\u00f8\u00fa\3\2\2\2\u00f9"+
+    "\u00f7\3\2\2\2\u00fa\u0128\7$\2\2\u00fb\u00fc\7A\2\2\u00fc\u00fd\7$\2"+
+    "\2\u00fd\u0103\3\2\2\2\u00fe\u00ff\7^\2\2\u00ff\u0102\7$\2\2\u0100\u0102"+
+    "\n\6\2\2\u0101\u00fe\3\2\2\2\u0101\u0100\3\2\2\2\u0102\u0105\3\2\2\2\u0103"+
+    "\u0101\3\2\2\2\u0103\u0104\3\2\2\2\u0104\u0106\3\2\2\2\u0105\u0103\3\2"+
+    "\2\2\u0106\u0128\7$\2\2\u0107\u0108\7A\2\2\u0108\u0109\7)\2\2\u0109\u010f"+
+    "\3\2\2\2\u010a\u010b\7^\2\2\u010b\u010e\7)\2\2\u010c\u010e\n\7\2\2\u010d"+
+    "\u010a\3\2\2\2\u010d\u010c\3\2\2\2\u010e\u0111\3\2\2\2\u010f\u010d\3\2"+
+    "\2\2\u010f\u0110\3\2\2\2\u0110\u0112\3\2\2\2\u0111\u010f\3\2\2\2\u0112"+
+    "\u0128\7)\2\2\u0113\u0114\7$\2\2\u0114\u0115\7$\2\2\u0115\u0116\7$\2\2"+
+    "\u0116\u011a\3\2\2\2\u0117\u0119\n\b\2\2\u0118\u0117\3\2\2\2\u0119\u011c"+
+    "\3\2\2\2\u011a\u011b\3\2\2\2\u011a\u0118\3\2\2\2\u011b\u011d\3\2\2\2\u011c"+
+    "\u011a\3\2\2\2\u011d\u011e\7$\2\2\u011e\u011f\7$\2\2\u011f\u0120\7$\2"+
+    "\2\u0120\u0122\3\2\2\2\u0121\u0123\7$\2\2\u0122\u0121\3\2\2\2\u0122\u0123"+
+    "\3\2\2\2\u0123\u0125\3\2\2\2\u0124\u0126\7$\2\2\u0125\u0124\3\2\2\2\u0125"+
+    "\u0126\3\2\2\2\u0126\u0128\3\2\2\2\u0127\u00e7\3\2\2\2\u0127\u00f1\3\2"+
+    "\2\2\u0127\u00fb\3\2\2\2\u0127\u0107\3\2\2\2\u0127\u0113\3\2\2\2\u0128"+
+    "N\3\2\2\2\u0129\u012b\5W,\2\u012a\u0129\3\2\2\2\u012b\u012c\3\2\2\2\u012c"+
+    "\u012a\3\2\2\2\u012c\u012d\3\2\2\2\u012dP\3\2\2\2\u012e\u0130\5W,\2\u012f"+
+    "\u012e\3\2\2\2\u0130\u0131\3\2\2\2\u0131\u012f\3\2\2\2\u0131\u0132\3\2"+
+    "\2\2\u0132\u0133\3\2\2\2\u0133\u0137\5=\37\2\u0134\u0136\5W,\2\u0135\u0134"+
+    "\3\2\2\2\u0136\u0139\3\2\2\2\u0137\u0135\3\2\2\2\u0137\u0138\3\2\2\2\u0138"+
+    "\u0159\3\2\2\2\u0139\u0137\3\2\2\2\u013a\u013c\5=\37\2\u013b\u013d\5W"+
+    ",\2\u013c\u013b\3\2\2\2\u013d\u013e\3\2\2\2\u013e\u013c\3\2\2\2\u013e"+
+    "\u013f\3\2\2\2\u013f\u0159\3\2\2\2\u0140\u0142\5W,\2\u0141\u0140\3\2\2"+
+    "\2\u0142\u0143\3\2\2\2\u0143\u0141\3\2\2\2\u0143\u0144\3\2\2\2\u0144\u014c"+
+    "\3\2\2\2\u0145\u0149\5=\37\2\u0146\u0148\5W,\2\u0147\u0146\3\2\2\2\u0148"+
+    "\u014b\3\2\2\2\u0149\u0147\3\2\2\2\u0149\u014a\3\2\2\2\u014a\u014d\3\2"+
+    "\2\2\u014b\u0149\3\2\2\2\u014c\u0145\3\2\2\2\u014c\u014d\3\2\2\2\u014d"+
+    "\u014e\3\2\2\2\u014e\u014f\5U+\2\u014f\u0159\3\2\2\2\u0150\u0152\5=\37"+
+    "\2\u0151\u0153\5W,\2\u0152\u0151\3\2\2\2\u0153\u0154\3\2\2\2\u0154\u0152"+
+    "\3\2\2\2\u0154\u0155\3\2\2\2\u0155\u0156\3\2\2\2\u0156\u0157\5U+\2\u0157"+
+    "\u0159\3\2\2\2\u0158\u012f\3\2\2\2\u0158\u013a\3\2\2\2\u0158\u0141\3\2"+
+    "\2\2\u0158\u0150\3\2\2\2\u0159R\3\2\2\2\u015a\u015d\5Y-\2\u015b\u015d"+
+    "\t\t\2\2\u015c\u015a\3\2\2\2\u015c\u015b\3\2\2\2\u015d\u0163\3\2\2\2\u015e"+
+    "\u0162\5Y-\2\u015f\u0162\5W,\2\u0160\u0162\7a\2\2\u0161\u015e\3\2\2\2"+
+    "\u0161\u015f\3\2\2\2\u0161\u0160\3\2\2\2\u0162\u0165\3\2\2\2\u0163\u0161"+
+    "\3\2\2\2\u0163\u0164\3\2\2\2\u0164T\3\2\2\2\u0165\u0163\3\2\2\2\u0166"+
+    "\u0168\t\n\2\2\u0167\u0169\t\13\2\2\u0168\u0167\3\2\2\2\u0168\u0169\3"+
+    "\2\2\2\u0169\u016b\3\2\2\2\u016a\u016c\5W,\2\u016b\u016a\3\2\2\2\u016c"+
+    "\u016d\3\2\2\2\u016d\u016b\3\2\2\2\u016d\u016e\3\2\2\2\u016eV\3\2\2\2"+
+    "\u016f\u0170\t\f\2\2\u0170X\3\2\2\2\u0171\u0172\t\r\2\2\u0172Z\3\2\2\2"+
+    "\u0173\u0174\7\61\2\2\u0174\u0175\7\61\2\2\u0175\u0179\3\2\2\2\u0176\u0178"+
+    "\n\b\2\2\u0177\u0176\3\2\2\2\u0178\u017b\3\2\2\2\u0179\u0177\3\2\2\2\u0179"+
+    "\u017a\3\2\2\2\u017a\u017d\3\2\2\2\u017b\u0179\3\2\2\2\u017c\u017e\7\17"+
+    "\2\2\u017d\u017c\3\2\2\2\u017d\u017e\3\2\2\2\u017e\u0180\3\2\2\2\u017f"+
+    "\u0181\7\f\2\2\u0180\u017f\3\2\2\2\u0180\u0181\3\2\2\2\u0181\u0182\3\2"+
+    "\2\2\u0182\u0183\b.\2\2\u0183\\\3\2\2\2\u0184\u0185\7\61\2\2\u0185\u0186"+
+    "\7,\2\2\u0186\u018b\3\2\2\2\u0187\u018a\5]/\2\u0188\u018a\13\2\2\2\u0189"+
+    "\u0187\3\2\2\2\u0189\u0188\3\2\2\2\u018a\u018d\3\2\2\2\u018b\u018c\3\2"+
+    "\2\2\u018b\u0189\3\2\2\2\u018c\u018e\3\2\2\2\u018d\u018b\3\2\2\2\u018e"+
+    "\u018f\7,\2\2\u018f\u0190\7\61\2\2\u0190\u0191\3\2\2\2\u0191\u0192\b/"+
+    "\2\2\u0192^\3\2\2\2\u0193\u0195\t\16\2\2\u0194\u0193\3\2\2\2\u0195\u0196"+
+    "\3\2\2\2\u0196\u0194\3\2\2\2\u0196\u0197\3\2\2\2\u0197\u0198\3\2\2\2\u0198"+
+    "\u0199\b\60\2\2\u0199`\3\2\2\2%\2\u00e0\u00e2\u00eb\u00ed\u00f5\u00f7"+
+    "\u0101\u0103\u010d\u010f\u011a\u0122\u0125\u0127\u012c\u0131\u0137\u013e"+
+    "\u0143\u0149\u014c\u0154\u0158\u015c\u0161\u0163\u0168\u016d\u0179\u017d"+
+    "\u0180\u0189\u018b\u0196\3\2\3\2";
   public static final ATN _ATN =
     new ATNDeserializer().deserialize(_serializedATN.toCharArray());
   static {

x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/parser/ExpressionTests.java

@@ -66,14 +66,24 @@ public class ExpressionTests extends ESTestCase {
         assertEquals("hello\\\nworld", unquoteString(source("\"hello\\\\\\nworld\"")));
         assertEquals("hello\\\"world", unquoteString(source("\"hello\\\\\\\"world\"")));
 
-        // test for unescaped strings: ?"...."
-        assertEquals("hello\"world", unquoteString(source("?\"hello\"world\"")));
-        assertEquals("hello\\\"world", unquoteString(source("?\"hello\\\"world\"")));
-        assertEquals("hello'world", unquoteString(source("?\"hello'world\"")));
-        assertEquals("hello\\nworld", unquoteString(source("?\"hello\\nworld\"")));
-        assertEquals("hello\\\\nworld", unquoteString(source("?\"hello\\\\nworld\"")));
-        assertEquals("hello\\\\\\nworld", unquoteString(source("?\"hello\\\\\\nworld\"")));
-        assertEquals("hello\\\\\\\"world", unquoteString(source("?\"hello\\\\\\\"world\"")));
+        // test for unescaped strings: """...."""
+        assertEquals("hello\"world", unquoteString(source("\"\"\"hello\"world\"\"\"")));
+        assertEquals("hello\\\"world", unquoteString(source("\"\"\"hello\\\"world\"\"\"")));
+        assertEquals("\"\"hello\"\\\"world\"\"\"", unquoteString(source("\"\"\"\"\"hello\"\\\"world\"\"\"\"\"\"")));
+        assertEquals("hello'world", unquoteString(source("\"\"\"hello'world\"\"\"")));
+        assertEquals("hello'world", unquoteString(source("\"\"\"hello\'world\"\"\"")));
+        assertEquals("hello\\'world", unquoteString(source("\"\"\"hello\\\'world\"\"\"")));
+        assertEquals("hello\\nworld", unquoteString(source("\"\"\"hello\\nworld\"\"\"")));
+        assertEquals("hello\\\\nworld", unquoteString(source("\"\"\"hello\\\\nworld\"\"\"")));
+        assertEquals("hello\\\\\\nworld", unquoteString(source("\"\"\"hello\\\\\\nworld\"\"\"")));
+        assertEquals("hello\\\\\\\"world", unquoteString(source("\"\"\"hello\\\\\\\"world\"\"\"")));
+        assertEquals("\"\\\"", unquoteString(source("\"\"\"\"\\\"\"\"\"")));
+        assertEquals("\\\"\"\"", unquoteString(source("\"\"\"\\\"\"\"\"\"\"")));
+        assertEquals("\"\\\"\"", unquoteString(source("\"\"\"\"\\\"\"\"\"\"")));
+        assertEquals("\"\"\\\"", unquoteString(source("\"\"\"\"\"\\\"\"\"\"")));
+        assertEquals("\"\"", unquoteString(source("\"\"\"\"\"\"\"\"")));
+        assertEquals("\"\" \"\"", unquoteString(source("\"\"\"\"\" \"\"\"\"\"")));
+        assertEquals("", unquoteString(source("\"\"\"\"\"\"")));
     }
 
     public void testLiterals() {
@@ -100,18 +110,80 @@ public class ExpressionTests extends ESTestCase {
 
     public void testSingleQuotedUnescapedStringDisallowed() {
         ParsingException e = expectThrows(ParsingException.class, () -> expr("?'hello world'"));
-        assertEquals("line 1:2: Use double quotes [\"] to define string literals, not single quotes [']",
+        assertEquals("line 1:2: Use triple double quotes [\"\"\"] to define unescaped string literals, not [?']",
                 e.getMessage());
-        e = expectThrows(ParsingException.class, () -> parser.createStatement("process where name==?'hello world'"));
-        assertEquals("line 1:22: Use double quotes [\"] to define string literals, not single quotes [']",
+        e = expectThrows(ParsingException.class, () -> parser.createStatement("process where name == ?'hello world'"));
+        assertEquals("line 1:24: Use triple double quotes [\"\"\"] to define unescaped string literals, not [?']",
                 e.getMessage());
     }
 
-    public void testDoubleQuotedUnescapedString() {
-        // "hello \" world"
-        Expression parsed = expr("?\"hello \\\" world!\"");
-        Expression expected = new Literal(null, "hello \\\" world!", DataTypes.KEYWORD);
-        assertEquals(expected, parsed);
+    public void testDoubleQuotedUnescapedStringForbidden() {
+        ParsingException e = expectThrows(ParsingException.class, () -> expr("?\"hello world\""));
+        assertEquals("line 1:2: Use triple double quotes [\"\"\"] to define unescaped string literals, not [?\"]",
+                e.getMessage());
+        e = expectThrows(ParsingException.class, () -> parser.createStatement("process where name == ?\"hello world\""));
+        assertEquals("line 1:24: Use triple double quotes [\"\"\"] to define unescaped string literals, not [?\"]",
+                e.getMessage());
+    }
+
+    public void testTripleDoubleQuotedUnescapedString() {
+        // """hello world!"""" == """foobar""" => hello world! = foobar
+        String str = "\"\"\"hello world!\"\"\" == \"\"\"foobar\"\"\"";
+        String expectedStrLeft = "hello world!";
+        String expectedStrRight = "foobar";
+        Expression parsed = expr(str);
+        assertEquals(Equals.class, parsed.getClass());
+        Equals eq = (Equals) parsed;
+        assertEquals(Literal.class, eq.left().getClass());
+        assertEquals(expectedStrLeft, ((Literal) eq.left()).value());
+        assertEquals(Literal.class, eq.right().getClass());
+        assertEquals(expectedStrRight, ((Literal) eq.right()).value());
+
+        // """""hello""world!"""" == """"foo"bar""""" => ""hello""world!" = "foo""bar""
+        str = " \"\"\"\"\"hello\"\"world!\"\"\"\" == \"\"\"\"foo\"bar\"\"\"\"\" ";
+        expectedStrLeft = "\"\"hello\"\"world!\"";
+        expectedStrRight = "\"foo\"bar\"\"";
+        parsed = expr(str);
+        assertEquals(Equals.class, parsed.getClass());
+        eq = (Equals) parsed;
+        assertEquals(Literal.class, eq.left().getClass());
+        assertEquals(expectedStrLeft, ((Literal) eq.left()).value());
+        assertEquals(Literal.class, eq.right().getClass());
+        assertEquals(expectedStrRight, ((Literal) eq.right()).value());
+
+        // """""\""hello\\""\""world!\\""""" == """\\""\""foo""\\""\"bar""\\""\"""" =>
+        // ""\""hello\\""\""world!\\"" == \\""\""foo""\\""\"bar""\\""\"
+        str = " \"\"\"\"\"\\\"\"hello\\\\\"\"\\\"\"world!\\\\\"\"\"\"\"  ==  " +
+                " \"\"\"\\\\\"\"\\\"\"foo\"\"\\\\\"\"\\\"bar\"\"\\\\\"\"\\\"\"\"\"  ";
+        expectedStrLeft = "\"\"\\\"\"hello\\\\\"\"\\\"\"world!\\\\\"\"";
+        expectedStrRight = "\\\\\"\"\\\"\"foo\"\"\\\\\"\"\\\"bar\"\"\\\\\"\"\\\"";
+        parsed = expr(str);
+        assertEquals(Equals.class, parsed.getClass());
+        eq = (Equals) parsed;
+        assertEquals(Literal.class, eq.left().getClass());
+        assertEquals(expectedStrLeft, ((Literal) eq.left()).value());
+        assertEquals(Literal.class, eq.right().getClass());
+        assertEquals(expectedStrRight, ((Literal) eq.right()).value());
+
+        // """"""hello world!""" == """foobar"""
+        ParsingException e = expectThrows(ParsingException.class, "Expected syntax error",
+                () -> expr("\"\"\"\"\"\"hello world!\"\"\" == \"\"\"foobar\"\"\""));
+        assertThat(e.getMessage(), startsWith("line 1:7: mismatched input 'hello' expecting {<EOF>,"));
+
+        // """""\"hello world!"""""" == """foobar"""
+        e = expectThrows(ParsingException.class, "Expected syntax error",
+                () -> expr("\"\"\"\"\"\\\"hello world!\"\"\"\"\"\" == \"\"\"foobar\"\"\""));
+        assertThat(e.getMessage(), startsWith("line 1:25: mismatched input '\" == \"' expecting {<EOF>,"));
+
+        // """""\"hello world!""\"""" == """"""foobar"""
+        e = expectThrows(ParsingException.class, "Expected syntax error",
+                () -> expr("\"\"\"\"\"\\\"hello world!\"\"\\\"\"\"\" == \"\"\"\"\"\"foobar\"\"\""));
+        assertThat(e.getMessage(), startsWith("line 1:37: mismatched input 'foobar' expecting {<EOF>,"));
+
+        // """""\"hello world!""\"""" == """""\"foobar\"\""""""
+        e = expectThrows(ParsingException.class, "Expected syntax error",
+                () -> expr("\"\"\"\"\"\\\"hello world!\"\"\\\"\"\"\" == \"\"\"\"\"\\\"foobar\\\"\\\"\"\"\"\"\""));
+        assertEquals("line 1:52: token recognition error at: '\"'", e.getMessage());
     }
 
     public void testNumbers() {

x-pack/plugin/eql/src/test/resources/queries-supported.eql

@@ -178,19 +178,19 @@ process where command_line : "*%*%*" ;
 process where command_line : "%*%*" ;
 
 
-process where match(?".*?net1\s+localgroup\s+.*?", command_line)
+process where match(""".*?net1\s+localgroup\s+.*?""", command_line)
 ;
 
-process where match(?".*?net1\s+\w+\s+.*?", command_line)
+process where match(""".*?net1\s+\w+\s+.*?""", command_line)
 ;
 
-process where match(?".*?net1\s+\w{4,15}\s+.*?", command_line)
+process where match(""".*?net1\s+\w{4,15}\s+.*?""", command_line)
 ;
 
-process where match(?".*?net1\s+\w{4,15}\s+.*?", command_line)
+process where match(""".*?net1\s+\w{4,15}\s+.*?""", command_line)
 ;
 
-process where match(?".*?net1\s+[localgrup]{4,15}\s+.*?", command_line)
+process where match(""".*?net1\s+[localgrup]{4,15}\s+.*?""", command_line)
 ;
 
 file where opcode:0 and startsWith(file_name, "exploRER.")