Status: Closed
Labels: :Analytics/EQL (EQL querying)
Description
The EQL plugin needs to transpile EQL expressions which do not require state into ES Search DSL.
The expressions that need to be transpiled to ES Search DSL are those of the form `event_type WHERE criteria`. Pipes are not in scope for this issue and will be addressed later. Additionally, `sequence` and `join` expressions will not be able to be converted to ES Search DSL, since they require special processing by the EQL plugin. However, the elements of the `sequence` or `join` can be transpiled to ES Search DSL.
Example
Given the following EQL expression:
```eql
process where process_name = "evil.exe"
```
We would generate a ES Search request similar to the following (for illustrative purposes, the actual request may be different):
```json
GET index/_search
{
  "size": 1000,
  "query": {
    "bool": {
      "must": [
        { "match": { "event.type": "process" } },
        { "match": { "process_name": "evil.exe" } }
      ]
    }
  },
  "sort": [
    { "pid": "asc" },
    { "timestamp": "asc" },
    { "_seq_no": "asc" }
  ]
}
```
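The transpilation sketched above, as an added worked example that is not part of this issue or of the Elasticsearch EQL plugin (which is Java; Python is used here so it runs stand-alone). It tokenizes the stateless `event_type where field = literal [and ...]` subset, refuses `sequence`/`join` and pipes as the issue says they are out of scope, and emits the search body as a Python dict rather than by string-concatenating JSON, so a literal containing quotes or braces can never break out of its slot in the query. Assumptions: the `event.type` field name, page size and sort keys are copied from the illustrative request above; `term` is used instead of `match` because `=` is an exact comparison; only `and` conjunctions and `=`/`==`/`!=` are handled; string literals are unescaped with JSON rules.

```python
import json
import re

# Assumed conventions, mirroring the illustrative request in the issue; the
# real plugin's field names and paging may differ.
EVENT_TYPE_FIELD = "event.type"
PAGE_SIZE = 1000
SORT = [{"pid": "asc"}, {"timestamp": "asc"}, {"_seq_no": "asc"}]

# Tokens for the stateless subset: string/numeric literals, (dotted) identifiers,
# comparison operators and the pipe character (recognised only to reject it).
_TOKEN = re.compile(
    r'\s*(?:(?P<str>"(?:[^"\\]|\\.)*")'
    r'|(?P<num>-?\d+(?:\.\d+)?)'
    r'|(?P<ident>[A-Za-z_][A-Za-z0-9_.]*)'
    r'|(?P<op>==|!=|=|\|))'
)


class EqlTranspileError(ValueError):
    """Raised for input this example cannot map to a single search request."""


def tokenize(text):
    tokens, pos = [], 0
    while text[pos:].strip():
        m = _TOKEN.match(text, pos)
        if m is None:
            raise EqlTranspileError(f"unexpected input at offset {pos}: {text[pos:pos + 12]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens


def _literal(kind, text):
    if kind == "str":
        # Assumption: JSON escaping is close enough to EQL string escaping.
        return json.loads(text)
    return float(text) if "." in text else int(text)


def transpile(expression):
    """Map `event_type where field op literal [and ...]` to an ES search body."""
    head = expression.strip().split(None, 1)
    if not head:
        raise EqlTranspileError("empty expression")
    if head[0].lower() in ("sequence", "join"):
        raise EqlTranspileError(f"'{head[0]}' needs stateful processing in the EQL plugin; "
                                "transpile its inner 'event_type where ...' elements instead")
    tokens = tokenize(expression)
    if any(tok == ("op", "|") for tok in tokens):
        raise EqlTranspileError("pipes are out of scope for the stateless transpiler")
    if (len(tokens) < 2 or tokens[0][0] != "ident"
            or tokens[1][0] != "ident" or tokens[1][1].lower() != "where"):
        raise EqlTranspileError("expected 'event_type where ...'")
    event_type = tokens[0][1]

    must = [{"term": {EVENT_TYPE_FIELD: event_type}}]
    must_not = []
    i = 2
    while True:
        if i + 3 > len(tokens):
            raise EqlTranspileError("expected 'field op literal'")
        (fk, field), (ok, op), (lk, lit) = tokens[i:i + 3]
        if fk != "ident" or ok != "op" or lk not in ("str", "num"):
            raise EqlTranspileError(f"bad comparison near {field!r} {op!r} {lit!r}")
        clause = {"term": {field: _literal(lk, lit)}}   # value stays data, never query text
        (must_not if op == "!=" else must).append(clause)
        i += 3
        if i == len(tokens):
            break
        if tokens[i][0] != "ident" or tokens[i][1].lower() != "and":
            raise EqlTranspileError("only 'and' conjunctions are supported in this example")
        i += 1

    bool_query = {"must": must}
    if must_not:
        bool_query["must_not"] = must_not
    return {"size": PAGE_SIZE, "query": {"bool": bool_query}, "sort": SORT}


def render_request(expression, index="index"):
    """Render the request the way the issue shows it, with properly quoted JSON."""
    return f"GET {index}/_search\n" + json.dumps(transpile(expression), indent=2)


def rejects(expression):
    """True when the expression is outside the stateless subset."""
    try:
        transpile(expression)
    except EqlTranspileError:
        return True
    return False


if __name__ == "__main__":
    print(render_request('process where process_name = "evil.exe"'))
```

Two checks worth running against any real implementation: a literal such as `"a\"b"` must arrive in the `term` clause as the string `a"b` with the surrounding query structure intact, and a `sequence` or piped expression must be refused rather than silently truncated to its first clause. Note also that the page's sample uses `match`, which analyses the value against a `text` field; for exact equality on a `keyword` field `term` is the safer choice.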