EQL: Introduce like and regex keywords (#68791)

Built-in language support for wildcard and regex queries.
Both the case sensitive and insensitive queries are allowed:

field like "pattern*" // basic matching
field like~ "P?tTeRn*" // case-insensitive
field like ("a*", "b?", "cd" ) // multi argument
field like~ ("A", "B?", "C*d") // case-insensitive multi arg

field regex "[a-z]" // basic form
field regex~ "[A-z]" // case-insensitive
field regex ("[aA]a", "[Bb]b") // multi argument
field regex~ ("aA", "bB") // case-insensitive multi arg

Fix #68639

Author: costin

x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml

@@ -131,46 +131,6 @@ name = "numberStringConversion5"
 query = 'any where number(string(serial_event_id), 16) == 17'
 expected_event_ids = [11]
 
-# [[queries]]
-# name = "matchWithCharacterClasses1"
-# expected_event_ids  = [98]
-# notes = "regexp doesn't support character classes"
-# query = '''
-# //
-# //                                """.*?net1\s+localgroup.*?""")
-# process where match(command_line, """.*?net1[ ]+localgroup.*?""")
-# '''
-#
-# [[queries]]
-# name = "matchLiteAdditional"
-# expected_event_ids  = [98]
-# query = '''
-# process where matchLite(command_line, """.*?net1.*?""")
-# '''
-#
-# [[queries]]
-# name = "matchWithCharacterClasses2"
-# expected_event_ids  = [98]
-# notes = "regexp doesn't support predefined character classes (like \\s)"
-# query = '''
-# //                                """.*?net1\s+\w{4,15}\s+.*?"""
-# process where match(command_line, """.*?net1[ ]+[a-z]{4,15}[ ]+.*?""")
-# '''
-#
-# [[queries]]
-# name = "multiPatternMatch"
-# expected_event_ids  = [50, 97, 98]
-# query = '''
-# process where match(command_line, ".*?net[1]?  localgroup.*?", ".*? myappserver.py .*?")
-# '''
-#
-# [[queries]]
-# name = "matchWithSubstring"
-# expected_event_ids  = [50, 98]
-# query = '''
-# process where match(substring(command_line, 5), ".*?net[1]?  localgroup.*?", ".*? myappserver.py .*?")
-# '''
-
 [[queries]]
 name = "moduloEqualsField"
 # Basic test for modulo function
@@ -355,3 +315,116 @@ query = '''
 file where file_name in~ ("winini*.exe", "lsass.e?e") and opcode == 2
 '''
 expected_event_ids  = []
+
+[[queries]]
+name = "likeWithScript"
+query = 'process where string(serial_event_id) like "1"'
+expected_event_ids  = [1]
+
+[[queries]]
+name = "likeScriptWithPattern"
+query = 'process where string(serial_event_id) like ("1*")'
+expected_event_ids  = [1, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19]
+
+[[queries]]
+name = "likeScriptWithQuestionPattern"
+query = 'process where string(serial_event_id) like ("1?")'
+expected_event_ids  = [10, 11, 12, 13, 14, 15, 16, 17, 18, 19]
+
+[[queries]]
+name = "likeMultipleArgs"
+query = '''
+file where file_name like ("wininit.exe", "lsass.exe") and opcode == 2
+'''
+expected_event_ids  = [65, 86]
+
+[[queries]]
+name = "likeMultipleArgsInsensitive"
+query = '''
+file where file_name like~ ("winInIT.exe", "lsASS.exe") and opcode == 2
+'''
+expected_event_ids  = [65, 86]
+
+[[queries]]
+name = "likeMultipleArgWithPattern"
+query = '''
+file where file_name like ("winini*.exe", "lsass.*") and opcode == 2
+'''
+expected_event_ids  = [65, 86]
+
+[[queries]]
+name = "likeMultipleArgWithPatternInsensitive"
+query = '''
+file where file_name like~ ("winIni*.exe", "lSaSs.*") and opcode == 2
+'''
+expected_event_ids  = [65, 86]
+
+[[queries]]
+name = "likeMultipleArgsWildcardPatternQuestionMark"
+query = '''
+file where file_name like ("winini?.exe", "lsass.e?e") and opcode == 2
+'''
+expected_event_ids  = [65, 86]
+
+[[queries]]
+name = "likeMultipleArgsWildcardPatternQuestionMarkInsensitive"
+query = '''
+file where file_name like~ ("winINI?.exE", "lSasS.E?E") and opcode == 2
+'''
+expected_event_ids  = [65, 86]
+
+[[queries]]
+name = "regexWOCharClasses"
+expected_event_ids  = [98]
+notes = "regexp doesn't support character classes"
+query = '''
+//
+//                                """.*?net1\s+localgroup.*?""")
+process where command_line regex """.*?net1[ ]+localgroup.*?"""
+'''
+
+[[queries]]
+name = "regexWOCharClasses-Insensitive"
+expected_event_ids  = [98]
+notes = "regexp doesn't support character classes"
+query = '''
+process where command_line regex~ """.*?net1[ ]+localgroup.*?"""
+'''
+
+[[queries]]
+name = "simpleRegex"
+expected_event_ids  = [98]
+query = '''
+process where command_line regex """.*?net1.*?"""
+'''
+
+[[queries]]
+name = "simpleRegexInsensitive"
+expected_event_ids  = [98]
+query = '''
+process where command_line regex~ """.*?net1.*?"""
+'''
+
+[[queries]]
+name = "regexWithCharacterClasses2"
+expected_event_ids  = [98]
+notes = "regexp doesn't support predefined character classes (like \\s)"
+query = '''
+//                                """.*?net1\s+\w{4,15}\s+.*?"""
+process where command_line regex  (""".*?net1[ ]+[a-z]{4,15}[ ]+.*?""")
+'''
+
+[[queries]]
+name = "regexMultiPatternMatch"
+expected_event_ids  = [50, 97, 98]
+query = '''
+process where command_line regex (".*?net[1]?  localgroup.*?", ".*? myappserver.py .*?")
+'''
+
+[[queries]]
+name = "regexWithSubstring"
+expected_event_ids  = [50, 98]
+query = '''
+process where substring(command_line, 5) regex (".*?net[1]?  localgroup.*?", ".*? myappserver.py .*?")
+'''
+

x-pack/plugin/eql/src/main/antlr/EqlBase.g4

@@ -101,8 +101,8 @@ operatorExpression
 //   https://github.com/antlr/antlr4/issues/781
 predicate
     : NOT? kind=(IN | IN_INSENSITIVE) LP expression (COMMA expression)* RP
-    | kind=SEQ constant
-    | kind=SEQ LP constant (COMMA constant)* RP
+    | kind=(SEQ | LIKE | LIKE_INSENSITIVE | REGEX | REGEX_INSENSITIVE) constant
+    | kind=(SEQ | LIKE | LIKE_INSENSITIVE | REGEX | REGEX_INSENSITIVE) LP constant (COMMA constant)* RP
     ;
 
 primaryExpression
@@ -165,11 +165,15 @@ FALSE: 'false';
 IN: 'in';
 IN_INSENSITIVE : 'in~';
 JOIN: 'join';
+LIKE: 'like';
+LIKE_INSENSITIVE: 'like~';
 MAXSPAN: 'maxspan';
 NOT: 'not';
 NULL: 'null';
 OF: 'of';
 OR: 'or';
+REGEX: 'regex';
+REGEX_INSENSITIVE: 'regex~';
 SEQUENCE: 'sequence';
 TRUE: 'true';
 UNTIL: 'until';

x-pack/plugin/eql/src/main/antlr/EqlBase.tokens

@@ -5,79 +5,87 @@ FALSE=4
 IN=5
 IN_INSENSITIVE=6
 JOIN=7
-MAXSPAN=8
-NOT=9
-NULL=10
-OF=11
-OR=12
-SEQUENCE=13
-TRUE=14
-UNTIL=15
-WHERE=16
-WITH=17
-SEQ=18
-ASGN=19
-EQ=20
-NEQ=21
-LT=22
-LTE=23
-GT=24
-GTE=25
-PLUS=26
-MINUS=27
-ASTERISK=28
-SLASH=29
-PERCENT=30
-DOT=31
-COMMA=32
-LB=33
-RB=34
-LP=35
-RP=36
-PIPE=37
-STRING=38
-INTEGER_VALUE=39
-DECIMAL_VALUE=40
-IDENTIFIER=41
-QUOTED_IDENTIFIER=42
-TILDE_IDENTIFIER=43
-LINE_COMMENT=44
-BRACKETED_COMMENT=45
-WS=46
+LIKE=8
+LIKE_INSENSITIVE=9
+MAXSPAN=10
+NOT=11
+NULL=12
+OF=13
+OR=14
+REGEX=15
+REGEX_INSENSITIVE=16
+SEQUENCE=17
+TRUE=18
+UNTIL=19
+WHERE=20
+WITH=21
+SEQ=22
+ASGN=23
+EQ=24
+NEQ=25
+LT=26
+LTE=27
+GT=28
+GTE=29
+PLUS=30
+MINUS=31
+ASTERISK=32
+SLASH=33
+PERCENT=34
+DOT=35
+COMMA=36
+LB=37
+RB=38
+LP=39
+RP=40
+PIPE=41
+STRING=42
+INTEGER_VALUE=43
+DECIMAL_VALUE=44
+IDENTIFIER=45
+QUOTED_IDENTIFIER=46
+TILDE_IDENTIFIER=47
+LINE_COMMENT=48
+BRACKETED_COMMENT=49
+WS=50
 'and'=1
 'any'=2
 'by'=3
 'false'=4
 'in'=5
 'in~'=6
 'join'=7
-'maxspan'=8
-'not'=9
-'null'=10
-'of'=11
-'or'=12
-'sequence'=13
-'true'=14
-'until'=15
-'where'=16
-'with'=17
-':'=18
-'='=19
-'=='=20
-'!='=21
-'<'=22
-'<='=23
-'>'=24
-'>='=25
-'+'=26
-'-'=27
-'*'=28
-'/'=29
-'%'=30
-'.'=31
-','=32
-'['=33
-']'=34
-'('=35
-')'=36
-'|'=37
+'like'=8
+'like~'=9
+'maxspan'=10
+'not'=11
+'null'=12
+'of'=13
+'or'=14
+'regex'=15
+'regex~'=16
+'sequence'=17
+'true'=18
+'until'=19
+'where'=20
+'with'=21
+':'=22
+'='=23
+'=='=24
+'!='=25
+'<'=26
+'<='=27
+'>'=28
+'>='=29
+'+'=30
+'-'=31
+'*'=32
+'/'=33
+'%'=34
+'.'=35
+','=36
+'['=37
+']'=38
+'('=39
+')'=40
+'|'=41