Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[DOCS] EQL: Document runs keyword #78478

Merged
merged 7 commits into from
Sep 30, 2021
+51 −11
Merged

[DOCS] EQL: Document runs keyword #78478

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
a463d33
[DOCS] EQL: Document `runs` keyword
jrodewig Sep 29, 2021
83862d5
Reword
jrodewig Sep 30, 2021
1bba744
Re-add sentence.
jrodewig Sep 30, 2021
c26c56a
Reword
jrodewig Sep 30, 2021
d4dd152
Reword release highlight
jrodewig Sep 30, 2021
08b0e4d
Reword
jrodewig Sep 30, 2021
2362f34
Fix typo
jrodewig Sep 30, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 40 additions & 0 deletions docs/reference/eql/syntax.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -694,6 +694,46 @@ until [ process where event.type == "stop" ]
----
====

[discrete]
[[eql-runs-keyword]]
=== `runs` keyword

Use a `runs` statement to run the same event criteria successively within a
sequence query. For example:

[source,eql]
----
sequence
[ process where event.type == "creation" ]
[ library where process.name == "regsvr32.exe" ] [runs=3]
[ registry where true ]
----

is equivalent to:

[source,eql]
----
sequence
[ process where event.type == "creation" ]
[ library where process.name == "regsvr32.exe" ]
[ library where process.name == "regsvr32.exe" ]
[ library where process.name == "regsvr32.exe" ]
[ registry where true ]
----

A `runs` statement must be enclosed in square brackets (`[ ]`). The `runs` value
must be between `1` and `100` (inclusive).

You can use a `runs` statement with the <<eql-by-keyword,`by` keyword>>. For
example:

[source,eql]
----
sequence
[ process where event.type == "creation" ] by process.executable
[ library where process.name == "regsvr32.exe" ] by dll.path [runs=3]
----

[discrete]
[[eql-functions]]
=== Functions
Expand Down
22 changes: 11 additions & 11 deletions docs/reference/release-notes/highlights.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,8 @@ For detailed information about this release, see the <<es-release-notes>> and

// Add previous release to the list
Other versions:
{ref-bare}/7.14/release-highlights.html[7.14]
{ref-bare}/7.15/release-highlights.html[7.15]
| {ref-bare}/7.14/release-highlights.html[7.14]
| {ref-bare}/7.13/release-highlights.html[7.13]
| {ref-bare}/7.11/release-highlights.html[7.12]
| {ref-bare}/7.11/release-highlights.html[7.11]
Expand All @@ -26,15 +27,14 @@ Other versions:

// Use the notable-highlights tag to mark entries that
// should be featured in the Stack Installation and Upgrade Guide:

// tag::notable-highlights[]
// [discrete]
// === Heading
//
// Description.
// end::notable-highlights[]
[discrete]
=== EQL: `runs` keyword for repeated events

// Omit the notable highlights tag for entries that only need to appear in the ES ref:
// [discrete]
// === Heading
//
// Description.
In 7.16, we added the `runs` keyword to EQL sequence queries. Sometimes you want
to find a sequence that contains an event multiple times in succession. Rather
than type the same event criteria multiple times, you can use a `runs` statement
to declare the criteria once and run it successively. For more details, check
out the {ref}/eql-syntax.html#eql-runs-keyword[EQL syntax documentation].
// end::notable-highlights[]