EQL: Introduce repeatable queries

[costin]

Allow individual queries within a sequence to be repeated through a
dedicated keyword without having physical duplication.

sequence
queryA [runs=2]
queryB
queryC [runs=3]
queryD

is the same as:

sequence
queryA
queryA
queryB
queryC
queryC
queryC
queryD

but more concise.

[astefan]

Looks great.
Some unit tests need to be added for the new exceptions. And the scenarios where multiple repeats are used in the same sequence need clarification.

[astefan]

How about the following scenario?

[file where opcode == 0] by unique_pid, process_path repeat=2
[file where opcode == 0] by unique_pid, process_path repeat=1

[astefan]

Suggested change

	"Sequence cannot contains more than 256 queries; found [{}]",
	"Sequence cannot contain more than 256 queries; found [{}]",

[astefan]

Suggested change

	throw new ParsingException(source, "A sequence requires a minimum of 2 queries, found [{}]", queries.size());
	throw new ParsingException(source, "A sequence requires a minimum of 2 queries, found [{}]", queries.size());

[astefan]

Can you also test this new exception?

[astefan]

LGTM. Left one minor comment.

[astefan]

If this is limited to 100, why not using byte?

[costin]

Habit - since it's a local variable it doesn't make a difference.

[elasticsearchmachine]

💔 Backport failed

Status	Branch	Result
❌	7.x	Commit could not be cherrypicked due to conflicts

You can use sqren/backport to manually backport by running backport --upstream elastic/elasticsearch --pr 75082

[costin]

/cc @jrodewig

[rw-access]

what's up with the brackets? the [runs=X] syntax doesn't make sense (choice of word aside) and now the meaning of brackets is very overloaded and confusing.

before, it just had exactly one meaning that was used in a lot of contexts. it wasn't on accident that it always contained an event filter: [event category where condition]

some of those usages: terms in a sequence or join, descendant of, until, etc.
it could also be used to index into arrays but clearly distinct field[1]

also the placement (after by) does seem a little odd in choice.

i would expect this to be more intuitive: (again, choice of word aside)

sequence
  [process where opcode == 1]          by unique_pid
  [file where    opcode == 0] runs=3   by unique_pid

[costin]

Hi Ross. Thanks for the feedback.

tl;dr

To avoid stretching [], it is being replaced with with a construct that already has the semantics we want and sounds good enough.

sequence
  [process where opcode == 1] by unique_pid
  [file where    opcode == 0] by unique_pid with runs=2
  [file where    opcode == 0] by unique_pid

Long story

There were several discussions going back and forth on how to declare runs which is a meta property of the query.
The overall goal in the syntax is to preserve the duplication without affecting the core query so that moving from one declaration to multiple and back is as easy as possible:

sequence
  [queryA] by X
  [queryA] by X
  [queryA] by X

// somehow becomes
sequence
  [queryA] by X // make it 3 times

This favors declaring the property as suffix, just like by and with.
Per this PR, another goal was to minimize the amount of symbols so to avoid adding a new one (such as {}), [] was used which at the time seemed like a good idea (famous last words).

Thanks to your feedback we reconsidered the reuse of [] and opted for with since it fits a lot of the properties wanted and continues the style of using prepositions/glue words as markers and block starters.
It keeps the same rules as within sequence declaration (needs to be as a suffix), allows enumeration for possible extensions in the future and allows other potential prepositions to be added further down the road:

// variants

[queryA]
[queryB] by X
[queryC] with runs=3
[queryD] by Z with runs=2

[rw-access]

I like it! Thanks!