Commit f3500cb

[7.x] [DOCS] Update runs syntax (#78922) (#78929)
* [DOCS] Update `runs` syntax (#78922) Updates the EQL syntax docs for PR #78895. * Update release highlight
1 parent d30c3e5 commit f3500cb

2 files changed

+15
-15
lines changed

docs/reference/eql/syntax.asciidoc

Lines changed: 8 additions & 9 deletions
@@ -695,17 +695,17 @@ until [ process where event.type == "stop" ]
695695
====
696696

697697
[discrete]
698-
[[eql-runs-keyword]]
699-
=== `runs` keyword
698+
[[eql-with-runs-statement]]
699+
=== `with runs` statement
700700

701-
Use a `runs` statement to run the same event criteria successively within a
701+
Use a `with runs` statement to run the same event criteria successively within a
702702
sequence query. For example:
703703

704704
[source,eql]
705705
----
706706
sequence
707707
[ process where event.type == "creation" ]
708-
[ library where process.name == "regsvr32.exe" ] [runs=3]
708+
[ library where process.name == "regsvr32.exe" ] with runs=3
709709
[ registry where true ]
710710
----
711711
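Review bot: renaming the anchor from `[[eql-runs-keyword]]` to `[[eql-with-runs-statement]]` at the top of this hunk drops the old anchor, so any inbound link to `eql-syntax.html#eql-runs-keyword` other than the release-highlights link updated in this same commit will land at the top of the page instead of on the section. Unless the old anchor never shipped in a released version, either keep the old anchor alongside the new one or grep the docs tree and release notes for `eql-runs-keyword` before merging.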

@@ -721,17 +721,16 @@ sequence
721721
[ registry where true ]
722722
----
723723

724-
A `runs` statement must be enclosed in square brackets (`[ ]`). The `runs` value
725-
must be between `1` and `100` (inclusive).
724+
The `runs` value must be between `1` and `100` (inclusive).
726725

727-
You can use a `runs` statement with the <<eql-by-keyword,`by` keyword>>. For
728-
example:
726+
You can use a `with runs` statement with the <<eql-by-keyword,`by` keyword>>.
727+
For example:
729728

730729
[source,eql]
731730
----
732731
sequence
733732
[ process where event.type == "creation" ] by process.executable
734-
[ library where process.name == "regsvr32.exe" ] by dll.path [runs=3]
733+
[ library where process.name == "regsvr32.exe" ] by dll.path with runs=3
735734
----
736735

737736
[discrete]
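Review bot: with the bracket sentence removed at `724+`, the prose no longer says where `with runs` sits relative to a `by` clause; the example at `733+` shows `by dll.path with runs=3`, but the text before it only says the two can be combined, not in which order. Suggest adding a sentence ahead of the example, e.g. `If the event item uses the `by` keyword, place the `with runs` statement after the `by` clause.` It would also help to state whether `runs=1` is equivalent to omitting the statement, since the allowed range starts at `1` and a reader will otherwise guess.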

docs/reference/release-notes/highlights.asciidoc

Lines changed: 7 additions & 6 deletions
@@ -30,11 +30,12 @@ Other versions:
3030

3131
// tag::notable-highlights[]
3232
[discrete]
33-
=== EQL: `runs` keyword for repeated events
33+
=== EQL: `with runs` statements for repeated events
3434

35-
In 7.16, we added the `runs` keyword to EQL sequence queries. Sometimes you want
36-
to find a sequence that contains an event multiple times in succession. Rather
37-
than type the same event criteria multiple times, you can use a `runs` statement
38-
to declare the criteria once and run it successively. For more details, check
39-
out the {ref}/eql-syntax.html#eql-runs-keyword[EQL syntax documentation].
35+
In 7.16, we added the `with runs` statement syntax to EQL sequence queries.
36+
Sometimes you want to find a sequence that contains an event multiple times in
37+
succession. Rather than type the same event criteria multiple times, you can use
38+
a `with runs` statement to declare the criteria once and run it successively.
39+
For more details, check out the
40+
{ref}/eql-syntax.html#eql-with-runs-statement[EQL syntax documentation].
4041
// end::notable-highlights[]
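Review bot: "the `with runs` statement syntax" at `35+` reads awkwardly beside the heading "`with runs` statements for repeated events" at `33+`; suggest "we added the `with runs` statement to EQL sequence queries" so the highlight uses the same wording as the syntax page. The link target `#eql-with-runs-statement` at `40+` matches the renamed anchor in syntax.asciidoc, so the cross-reference resolves.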
