From a463d3356dbe71383de5e3f9d2ff892546da70c0 Mon Sep 17 00:00:00 2001 From: James Rodewig <40268737+jrodewig@users.noreply.github.com> Date: Wed, 29 Sep 2021 12:34:18 -0400 Subject: [PATCH 1/7] [DOCS] EQL: Document `runs` keyword Documents the `runs` keyword for repeating events in a sequence query. Relates to #75082. --- docs/reference/eql/syntax.asciidoc | 39 +++++++++++++++++++ .../release-notes/highlights.asciidoc | 22 +++++------ 2 files changed, 50 insertions(+), 11 deletions(-) diff --git a/docs/reference/eql/syntax.asciidoc b/docs/reference/eql/syntax.asciidoc index 66ed82308feb5..280d35f682cfc 100644 --- a/docs/reference/eql/syntax.asciidoc +++ b/docs/reference/eql/syntax.asciidoc @@ -694,6 +694,45 @@ until [ process where event.type == "stop" ] ---- ==== +[discrete] +[[eql-runs-keyword]] +=== `runs` keyword + +Use a `runs` statement to repeat an event within a sequence query. For example: + +[source,eql] +---- +sequence + [ process where event.type == "creation" ] + [ library where process.name == "regsvr32.exe" ] [runs=3] + [ registry where true ] +---- + +is equivalent to: + +[source,eql] +---- +sequence + [ process where event.type == "creation" ] + [ library where process.name == "regsvr32.exe" ] + [ library where process.name == "regsvr32.exe" ] + [ library where process.name == "regsvr32.exe" ] + [ registry where true ] +---- + +A `runs` statement must be enclosed in square brackets (`[ ]`). The `runs` value +must be between `1` and `100` (inclusive). + +You can use a `runs` statement with the <>. For +example: + +[source,eql] +---- +sequence + [ process where event.type == "creation" ] by process.executable + [ library where process.name == "regsvr32.exe" ] by dll.path [runs=3] +---- + [discrete] [[eql-functions]] === Functions diff --git a/docs/reference/release-notes/highlights.asciidoc b/docs/reference/release-notes/highlights.asciidoc index 3295ed7e100f4..d1647d9fe3913 100644 --- a/docs/reference/release-notes/highlights.asciidoc 
+++ b/docs/reference/release-notes/highlights.asciidoc @@ -8,7 +8,8 @@ For detailed information about this release, see the <> and // Add previous release to the list Other versions: -{ref-bare}/7.14/release-highlights.html[7.14] +{ref-bare}/7.15/release-highlights.html[7.15] +| {ref-bare}/7.14/release-highlights.html[7.14] | {ref-bare}/7.13/release-highlights.html[7.13] | {ref-bare}/7.11/release-highlights.html[7.12] | {ref-bare}/7.11/release-highlights.html[7.11] @@ -26,15 +27,14 @@ Other versions: // Use the notable-highlights tag to mark entries that // should be featured in the Stack Installation and Upgrade Guide: + // tag::notable-highlights[] -// [discrete] -// === Heading -// -// Description. -// end::notable-highlights[] +[discrete] +=== EQL: `runs` keyword for repeated events -// Omit the notable highlights tag for entries that only need to appear in the ES ref: -// [discrete] -// === Heading -// -// Description. \ No newline at end of file +In 7.16, we added the `runs` keyword to EQL. Sometimes a sequence includes +a repeated event. Rather than typing the same event criteria multiple times, you +can use a `runs` statement to easily repeat an event within a sequence query. +For more details, check out the {ref}/eql-syntax.html#eql-runs-keyword[EQL +syntax documentation]. +// end::notable-highlights[] From 83862d523e58a46330b14399d44c4c2b00b28e81 Mon Sep 17 00:00:00 2001 From: James Rodewig <40268737+jrodewig@users.noreply.github.com> Date: Thu, 30 Sep 2021 09:01:08 -0400 Subject: [PATCH 2/7] Reword --- docs/reference/eql/syntax.asciidoc | 3 ++- docs/reference/release-notes/highlights.asciidoc | 9 ++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/reference/eql/syntax.asciidoc b/docs/reference/eql/syntax.asciidoc index 280d35f682cfc..2d1b57fab7de4 100644 --- a/docs/reference/eql/syntax.asciidoc +++ b/docs/reference/eql/syntax.asciidoc 
@@ -698,7 +698,8 @@ until [ process where event.type == "stop" ] [[eql-runs-keyword]] === `runs` keyword -Use a `runs` statement to repeat an event within a sequence query. For example: +Use a `runs` statement to run the same event criteria successively within a +sequence query. For example: [source,eql] ---- diff --git a/docs/reference/release-notes/highlights.asciidoc b/docs/reference/release-notes/highlights.asciidoc index d1647d9fe3913..a387fbf704294 100644 --- a/docs/reference/release-notes/highlights.asciidoc +++ b/docs/reference/release-notes/highlights.asciidoc @@ -32,9 +32,8 @@ Other versions: [discrete] === EQL: `runs` keyword for repeated events -In 7.16, we added the `runs` keyword to EQL. Sometimes a sequence includes -a repeated event. Rather than typing the same event criteria multiple times, you -can use a `runs` statement to easily repeat an event within a sequence query. -For more details, check out the {ref}/eql-syntax.html#eql-runs-keyword[EQL -syntax documentation]. +In 7.16, we added the `runs` keyword to EQL. Rather than type the same event +criteria multiple times, you can use a `runs` statement to declare the criteria +once and run it successively. For more details, check out the +{ref}/eql-syntax.html#eql-runs-keyword[EQL syntax documentation]. // end::notable-highlights[] From 1bba744b41f7f725f1db3bf7510b21f891b88248 Mon Sep 17 00:00:00 2001 From: James Rodewig <40268737+jrodewig@users.noreply.github.com> Date: Thu, 30 Sep 2021 09:03:05 -0400 Subject: [PATCH 3/7] Re-add sentence. --- docs/reference/release-notes/highlights.asciidoc | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/reference/release-notes/highlights.asciidoc b/docs/reference/release-notes/highlights.asciidoc index a387fbf704294..0bb4ea2cff199 100644 --- a/docs/reference/release-notes/highlights.asciidoc +++ b/docs/reference/release-notes/highlights.asciidoc 
@@ -32,8 +32,9 @@ Other versions: [discrete] === EQL: `runs` keyword for repeated events -In 7.16, we added the `runs` keyword to EQL. Rather than type the same event -criteria multiple times, you can use a `runs` statement to declare the criteria -once and run it successively. For more details, check out the -{ref}/eql-syntax.html#eql-runs-keyword[EQL syntax documentation]. +In 7.16, we added the `runs` keyword to EQL. Sometimes a sequence includes a +repeated event. Rather than type the same event criteria multiple times, you can +use a `runs` statement to declare the criteria once and run it successively. For +more details, check out the {ref}/eql-syntax.html#eql-runs-keyword[EQL syntax +documentation]. // end::notable-highlights[] From c26c56ab7f138bfaf50d58c0b05132b852d9166f Mon Sep 17 00:00:00 2001 From: James Rodewig <40268737+jrodewig@users.noreply.github.com> Date: Thu, 30 Sep 2021 09:07:02 -0400 Subject: [PATCH 4/7] Reword --- docs/reference/release-notes/highlights.asciidoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/reference/release-notes/highlights.asciidoc b/docs/reference/release-notes/highlights.asciidoc index 0bb4ea2cff199..7002badfc437f 100644 --- a/docs/reference/release-notes/highlights.asciidoc +++ b/docs/reference/release-notes/highlights.asciidoc 
@@ -32,9 +32,9 @@ Other versions: [discrete] === EQL: `runs` keyword for repeated events -In 7.16, we added the `runs` keyword to EQL. Sometimes a sequence includes a -repeated event. Rather than type the same event criteria multiple times, you can -use a `runs` statement to declare the criteria once and run it successively. For -more details, check out the {ref}/eql-syntax.html#eql-runs-keyword[EQL syntax -documentation]. +In 7.16, we added the `runs` keyword to EQL. Sometimes you want to find a +sequence that contains a repeated, successive event. Rather than type the same +event criteria multiple times, you can use a `runs` statement to declare the +criteria once and run it successively. For more details, check out the +{ref}/eql-syntax.html#eql-runs-keyword[EQL syntax documentation]. // end::notable-highlights[] From d4dd1526cd055e9b1c54cfe7db8f77a299daf2e9 Mon Sep 17 00:00:00 2001 From: James Rodewig <40268737+jrodewig@users.noreply.github.com> Date: Thu, 30 Sep 2021 09:08:41 -0400 Subject: [PATCH 5/7] Reword release highlight --- docs/reference/release-notes/highlights.asciidoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/reference/release-notes/highlights.asciidoc b/docs/reference/release-notes/highlights.asciidoc index 7002badfc437f..3329d85da0f4f 100644 --- a/docs/reference/release-notes/highlights.asciidoc +++ b/docs/reference/release-notes/highlights.asciidoc 
@@ -32,9 +32,9 @@ Other versions: [discrete] === EQL: `runs` keyword for repeated events -In 7.16, we added the `runs` keyword to EQL. Sometimes you want to find a -sequence that contains a repeated, successive event. Rather than type the same -event criteria multiple times, you can use a `runs` statement to declare the -criteria once and run it successively. For more details, check out the -{ref}/eql-syntax.html#eql-runs-keyword[EQL syntax documentation]. +In 7.16, we added the `runs` keyword to EQL sequence queries. Sometimes you want +to find a sequence that contains a repeated, successive event. Rather than type +the same event criteria multiple times, you can use a `runs` statement to +declare the criteria once and run it successively. For more details, check out +the {ref}/eql-syntax.html#eql-runs-keyword[EQL syntax documentation]. // end::notable-highlights[] From 08b0e4d044c3a74dfa38f9bc1da29b3917c1b60a Mon Sep 17 00:00:00 2001 From: James Rodewig <40268737+jrodewig@users.noreply.github.com> Date: Thu, 30 Sep 2021 09:09:23 -0400 Subject: [PATCH 6/7] Reword --- docs/reference/release-notes/highlights.asciidoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/reference/release-notes/highlights.asciidoc b/docs/reference/release-notes/highlights.asciidoc index 3329d85da0f4f..c069d5ad853ef 100644 --- a/docs/reference/release-notes/highlights.asciidoc +++ b/docs/reference/release-notes/highlights.asciidoc 
@@ -33,8 +33,8 @@ Other versions: === EQL: `runs` keyword for repeated events In 7.16, we added the `runs` keyword to EQL sequence queries. Sometimes you want -to find a sequence that contains a repeated, successive event. Rather than type -the same event criteria multiple times, you can use a `runs` statement to -declare the criteria once and run it successively. For more details, check out -the {ref}/eql-syntax.html#eql-runs-keyword[EQL syntax documentation]. +to find a sequence that contains an event multiple times in sucession. Rather +than type the same event criteria multiple times, you can use a `runs` statement +to declare the criteria once and run it successively. For more details, check +out the {ref}/eql-syntax.html#eql-runs-keyword[EQL syntax documentation]. // end::notable-highlights[] From 2362f3472a9ec5f80aa985f258729136be6db9dd Mon Sep 17 00:00:00 2001 From: James Rodewig <40268737+jrodewig@users.noreply.github.com> Date: Thu, 30 Sep 2021 09:10:00 -0400 Subject: [PATCH 7/7] Fix typo --- docs/reference/release-notes/highlights.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/release-notes/highlights.asciidoc b/docs/reference/release-notes/highlights.asciidoc index c069d5ad853ef..2a62820027c23 100644 --- a/docs/reference/release-notes/highlights.asciidoc +++ b/docs/reference/release-notes/highlights.asciidoc @@ -33,7 +33,7 @@ Other versions: === EQL: `runs` keyword for repeated events In 7.16, we added the `runs` keyword to EQL sequence queries. Sometimes you want -to find a sequence that contains an event multiple times in sucession. Rather +to find a sequence that contains an event multiple times in succession. Rather than type the same event criteria multiple times, you can use a `runs` statement to declare the criteria once and run it successively. For more details, check out the {ref}/eql-syntax.html#eql-runs-keyword[EQL syntax documentation].
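Review bot: In the `docs/reference/eql/syntax.asciidoc` hunk of PATCH 1/7, the placement of the `runs` statement relative to a `by` clause is only shown by example and never stated: the first example puts `[runs=3]` directly after the event's closing bracket, while the `by` example puts it after `by dll.path`. Add one sentence such as "If the event has a `by` clause, the `runs` statement follows it." Two smaller gaps in the same hunk: the text says the value must be between `1` and `100` (inclusive) but not what happens outside that range (say whether the query is rejected), and it is worth noting that `runs=1` is equivalent to omitting the statement, which follows from the equivalence shown.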
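Review bot: In the first `highlights.asciidoc` hunk of PATCH 1/7 (the "Other versions" list), the unchanged context line `| {ref-bare}/7.11/release-highlights.html[7.12]` links the 7.12 entry to the 7.11 page. Since this hunk already edits the list to add `7.15`, correct that path to `7.12` in the same change.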
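Review bot: In the second `highlights.asciidoc` hunk of PATCH 1/7, both template comment blocks are deleted (the `// tag::notable-highlights[]` skeleton and the "Omit the notable highlights tag for entries that only need to appear in the ES ref" skeleton), so the next contributor has no template to copy; keep the commented skeletons below the new entry unless they are regenerated for each release. Also, the removed side carries the `\ No newline at end of file` marker, so confirm the added `// end::notable-highlights[]` line ends with a newline.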
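Review bot: PATCH 2/7 through PATCH 7/7 reword the same five-line highlight paragraph six times, and PATCH 6/7 introduces the typo `sucession` that PATCH 7/7 then fixes; squash the series before merge so the history carries one commit per logical change (the `runs` syntax section and the release highlight).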