EQL: consistent naming for event type vs event category

[costin]

EQL historically had used event_type to indicate the type for an event.
The decision has been made (#49634) to change this to event.category which is not just a simple name but also a slightly different structure, event being an object while category a sub-field.
Yet the request still uses event_type_field to allow overriding the event field.

The two need to be aligned, it's either category meaning event_category_field or type so there's event.type (instead of event.category).

[elasticmachine]

Pinging @elastic/es-search (:Search/EQL)

[costin]

Pinging @tsg in case there's a preferred terminology used by SIEM.

[tsg]

event.category matches best in my opinion, see the possible values here. I'd say it makes sense to switch the request setting to event_category_field, less confusing that way.

[costin]

Thanks - what about timestamp, should it be @timestamp or timestamp (no leading @)?

[costin]

@timestamp it is.

[tsg]

Yeah, @timestamp is the ECS name so we should default to it.