File tree 1 file changed +8
-9
lines changed 1 file changed +8
-9
lines changed Original file line number Diff line number Diff line change @@ -695,17 +695,17 @@ until [ process where event.type == "stop" ]
695695====
696696
697697[discrete]
698- [[eql-runs-keyword ]]
699- === `runs` keyword
698+ [[eql-with- runs-statement ]]
699+ === `with runs` statement
700700
701- Use a `runs` statement to run the same event criteria successively within a
701+ Use a `with runs` statement to run the same event criteria successively within a
702702sequence query. For example:
703703
704704[source,eql]
705705----
706706sequence
707707 [ process where event.type == "creation" ]
708- [ library where process.name == "regsvr32.exe" ] [ runs=3]
708+ [ library where process.name == "regsvr32.exe" ] with runs=3
709709 [ registry where true ]
710710----
711711
@@ -721,17 +721,16 @@ sequence
721721 [ registry where true ]
722722----
723723
724- A `runs` statement must be enclosed in square brackets (`[ ]`). The `runs` value
725- must be between `1` and `100` (inclusive).
724+ The `runs` value must be between `1` and `100` (inclusive).
726725
727- You can use a `runs` statement with the <<eql-by-keyword,`by` keyword>>. For
728- example:
726+ You can use a `with runs` statement with the <<eql-by-keyword,`by` keyword>>.
727+ For example:
729728
730729[source,eql]
731730----
732731sequence
733732 [ process where event.type == "creation" ] by process.executable
734- [ library where process.name == "regsvr32.exe" ] by dll.path [ runs=3]
733+ [ library where process.name == "regsvr32.exe" ] by dll.path with runs=3
735734----
736735
737736[discrete]
You can’t perform that action at this time.
0 commit comments