[DOCS] EQL: Add advantages to overview (#53452) (#56052)

Adds a concise list of EQL advantages, based on the "EQL Advantages" section in the [EQL for the masses][0] blog post. The intent is to inform users how EQL could benefit at a high level. [0]: https://www.elastic.co/blog/eql-for-the-masses Co-Authored-By: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2025-03-25 17:38:44 +00:00 · 2020-04-30 13:19:31 -04:00 · 2020-04-30 13:19:31 -04:00 · 61cf646f17
commit 61cf646f17
parent d8f9df771d
1 changed files with 17 additions and 0 deletions
--- a/docs/reference/eql/index.asciidoc
+++ b/docs/reference/eql/index.asciidoc
@ -15,6 +15,23 @@ You can use EQL in {es} to easily express relationships between events and
 quickly match events with shared properties. You can use EQL and query
 DSL together to better filter your searches.

+[float]
+[[eql-advantages]]
+=== Advantages of EQL
+
+* *EQL lets you express relationships between events.* +
+Many query languages allow you to match only single events. EQL lets you match a
+sequence of events across different event categories and time spans.
+
+* *EQL has a low learning curve.* +
+EQL syntax looks like other query languages. It lets you write and read queries
+intuitively, which makes for quick, iterative searching.
+
+* *We designed EQL for security use cases.* +
+While you can use EQL for any event-based data, we created EQL for threat
+hunting. EQL not only supports indicator of compromise (IOC) searching but
+makes it easy to describe activity that goes beyond IOCs.
+
 [float]
 [[when-to-use-eql]]
 === When to use EQL