From e7ab7c82a723e8c683902b430e15b9daa28a82e3 Mon Sep 17 00:00:00 2001
From: James Rodewig <40268737+jrodewig@users.noreply.github.com>
Date: Mon, 11 Oct 2021 10:40:10 -0400
Subject: [PATCH] [DOCS] Update `runs` syntax (#78922)

Updates the EQL syntax docs for PR #78895.
---
 docs/reference/eql/syntax.asciidoc | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/docs/reference/eql/syntax.asciidoc b/docs/reference/eql/syntax.asciidoc
index 2d1b57fab7de4..69025076e084f 100644
--- a/docs/reference/eql/syntax.asciidoc
+++ b/docs/reference/eql/syntax.asciidoc
@@ -695,17 +695,17 @@ until [ process where event.type == "stop" ]
 ====
 
 [discrete]
-[[eql-runs-keyword]]
-=== `runs` keyword
+[[eql-with-runs-statement]]
+=== `with runs` statement
 
-Use a `runs` statement to run the same event criteria successively within a
+Use a `with runs` statement to run the same event criteria successively within a
 sequence query. For example:
 
 [source,eql]
 ----
 sequence
   [ process where event.type == "creation" ]
-  [ library where process.name == "regsvr32.exe" ] [runs=3]
+  [ library where process.name == "regsvr32.exe" ] with runs=3
   [ registry where true ]
 ----
 
@@ -721,17 +721,16 @@ sequence
   [ registry where true ]
 ----
 
-A `runs` statement must be enclosed in square brackets (`[ ]`). The `runs` value
-must be between `1` and `100` (inclusive).
+The `runs` value must be between `1` and `100` (inclusive).
 
-You can use a `runs` statement with the <>. For
-example:
+You can use a `with runs` statement with the <>.
+For example:
 
 [source,eql]
 ----
 sequence
   [ process where event.type == "creation" ] by process.executable
-  [ library where process.name == "regsvr32.exe" ] by dll.path [runs=3]
+  [ library where process.name == "regsvr32.exe" ] by dll.path with runs=3
 ----
 
 [discrete]