From 89ed857c79d4b7a4fe105835ad03fcfd9d1bdf8a Mon Sep 17 00:00:00 2001 From: Aleksandr Maus Date: Mon, 2 Mar 2020 09:26:23 -0500 Subject: [PATCH] EQL: Change request parameter query to filter and rule to query (#52971) (#53006) Related to https://github.com/elastic/elasticsearch/issues/52911 --- .../client/eql/EqlSearchRequest.java | 47 ++++++------ .../client/eql/EqlSearchRequestTests.java | 8 +-- docs/reference/eql/search.asciidoc | 4 +- .../test/eql/CommonEqlRestTestCase.java | 26 +++---- .../rest-api-spec/test/eql/10_basic.yml | 2 +- .../xpack/eql/action/EqlSearchRequest.java | 71 +++++++++---------- .../eql/action/EqlSearchRequestBuilder.java | 8 +-- .../eql/plugin/TransportEqlSearchAction.java | 4 +- .../xpack/eql/action/EqlActionIT.java | 2 +- .../eql/action/EqlRequestParserTests.java | 20 +++--- .../eql/action/EqlSearchRequestTests.java | 16 ++--- 11 files changed, 103 insertions(+), 105 deletions(-) diff --git a/client/rest-high-level/src/main/java/org/elasticsearch/client/eql/EqlSearchRequest.java b/client/rest-high-level/src/main/java/org/elasticsearch/client/eql/EqlSearchRequest.java index a8b342f0a43..9bca610194b 100644 --- a/client/rest-high-level/src/main/java/org/elasticsearch/client/eql/EqlSearchRequest.java +++ b/client/rest-high-level/src/main/java/org/elasticsearch/client/eql/EqlSearchRequest.java 
@@ -36,32 +36,32 @@ public class EqlSearchRequest implements Validatable, ToXContentObject { private String[] indices; private IndicesOptions indicesOptions = IndicesOptions.fromOptions(false, false, true, false); - private QueryBuilder query = null; + private QueryBuilder filter = null; private String timestampField = "@timestamp"; private String eventTypeField = "event_type"; private String implicitJoinKeyField = "agent.id"; private int fetchSize = 50; private SearchAfterBuilder searchAfterBuilder; - private String rule; + private String query; - static final String KEY_QUERY = "query"; + static final String KEY_FILTER = "filter"; static final String KEY_TIMESTAMP_FIELD = "timestamp_field"; static final String KEY_EVENT_TYPE_FIELD = "event_type_field"; static final String KEY_IMPLICIT_JOIN_KEY_FIELD = "implicit_join_key_field"; static final String KEY_SIZE = "size"; static final String KEY_SEARCH_AFTER = "search_after"; - static final String KEY_RULE = "rule"; + static final String KEY_QUERY = "query"; - public EqlSearchRequest(String indices, String rule) { + public EqlSearchRequest(String indices, String query) { indices(indices); - rule(rule); + query(query); } @Override public XContentBuilder toXContent(XContentBuilder builder, ToXContent.Params params) throws IOException { builder.startObject(); - if (query != null) { - builder.field(KEY_QUERY, query); + if (filter != null) { + builder.field(KEY_FILTER, filter); } builder.field(KEY_TIMESTAMP_FIELD, timestampField()); builder.field(KEY_EVENT_TYPE_FIELD, eventTypeField()); @@ -74,7 +74,7 @@ public class EqlSearchRequest implements Validatable, ToXContentObject { builder.array(KEY_SEARCH_AFTER, searchAfterBuilder.getSortValues()); } - builder.field(KEY_RULE, rule); + builder.field(KEY_QUERY, query); builder.endObject(); return builder; } 
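Review bot: The renamed fields `filter` and `query` in the first hunk carry no comment, and the name `query` now refers to the EQL text (a String) where it used to refer to the Query DSL object, which is easy to misread for anyone used to the search API. A one-line Javadoc on each would pin the meaning: `/** Optional Query DSL filter; serialized only when non-null. */` on `filter` and `/** EQL query text; query(String) rejects null. */` on `query`. The same pair of declarations appears without comments in the x-pack `EqlSearchRequest` hunk at -37,29. The class body continues outside the hunk.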
@@ -88,12 +88,12 @@ public class EqlSearchRequest implements Validatable, ToXContentObject { return this; } - public QueryBuilder query() { - return this.query; + public QueryBuilder filter() { + return this.filter; } - public EqlSearchRequest query(QueryBuilder query) { - this.query = query; + public EqlSearchRequest filter(QueryBuilder filter) { + this.filter = filter; return this; } @@ -156,13 +156,13 @@ public class EqlSearchRequest implements Validatable, ToXContentObject { return this; } - public String rule() { - return this.rule; + public String query() { + return this.query; } - public EqlSearchRequest rule(String rule) { - Objects.requireNonNull(rule, "rule must not be null"); - this.rule = rule; + public EqlSearchRequest query(String query) { + Objects.requireNonNull(query, "query must not be null"); + this.query = query; return this; } @@ -175,16 +175,15 @@ public class EqlSearchRequest implements Validatable, ToXContentObject { return false; } EqlSearchRequest that = (EqlSearchRequest) o; - return - fetchSize == that.fetchSize && + return fetchSize == that.fetchSize && Arrays.equals(indices, that.indices) && Objects.equals(indicesOptions, that.indicesOptions) && - Objects.equals(query, that.query) && + Objects.equals(filter, that.filter) && Objects.equals(timestampField, that.timestampField) && Objects.equals(eventTypeField, that.eventTypeField) && Objects.equals(implicitJoinKeyField, that.implicitJoinKeyField) && Objects.equals(searchAfterBuilder, that.searchAfterBuilder) && - Objects.equals(rule, that.rule); + Objects.equals(query, that.query); } @Override @@ -192,13 +191,13 @@ public class EqlSearchRequest implements Validatable, ToXContentObject { return Objects.hash( Arrays.hashCode(indices), indicesOptions, - query, + filter, fetchSize, timestampField, eventTypeField, implicitJoinKeyField, searchAfterBuilder, - rule); + query); } public String[] indices() { 
diff --git a/client/rest-high-level/src/test/java/org/elasticsearch/client/eql/EqlSearchRequestTests.java b/client/rest-high-level/src/test/java/org/elasticsearch/client/eql/EqlSearchRequestTests.java
index a7ad218a39f..19d2c7bb7e6 100644
--- a/client/rest-high-level/src/test/java/org/elasticsearch/client/eql/EqlSearchRequestTests.java
+++ b/client/rest-high-level/src/test/java/org/elasticsearch/client/eql/EqlSearchRequestTests.java
@@ -46,7 +46,7 @@ public class EqlSearchRequestTests extends AbstractRequestTestCase searchValidationTests; static { searchValidationTests = new ArrayList<>(); searchValidationTests.add(new SearchTestConfiguration(null, 400, "request body or source parameter is required")); - searchValidationTests.add(new SearchTestConfiguration("{}", 400, "rule is null or empty")); - searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"\"}", 400, "rule is null or empty")); - searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"timestamp_field\": \"\"}", + searchValidationTests.add(new SearchTestConfiguration("{}", 400, "query is null or empty")); + searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"\"}", 400, "query is null or empty")); + searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"timestamp_field\": \"\"}", 400, "timestamp field is null or empty")); - searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"event_type_field\": \"\"}", + searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"event_type_field\": \"\"}", 400, "event type field is null or empty")); - searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"implicit_join_key_field\": \"\"}", + searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"implicit_join_key_field\": \"\"}", 400, "implicit join key field is null or empty")); - searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"size\": 0}", + searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"size\": 0}", 400, "size must be greater than 0")); - searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"size\": -1}", + searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + 
validQuery + "\", \"size\": -1}", 400, "size must be greater than 0")); - searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"search_after\": null}", + searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"search_after\": null}", 400, "search_after doesn't support values of type: VALUE_NULL")); - searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"search_after\": []}", + searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"search_after\": []}", 400, "must contains at least one value")); - searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"query\": null}", - 400, "query doesn't support values of type: VALUE_NULL")); - searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"query\": {}}", + searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"filter\": null}", + 400, "filter doesn't support values of type: VALUE_NULL")); + searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"filter\": {}}", 400, "query malformed, empty clause found")); } diff --git a/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml b/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml index 633b6225780..d4ef1aef83e 100644 --- a/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml +++ b/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml @@ -17,7 +17,7 @@ setup: eql.search: index: eql_test body: - rule: "process where user = 'SYSTEM'" + query: "process where user = 'SYSTEM'" - match: {timed_out: false} - match: {hits.total.value: 1} 
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequest.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequest.java
index 2d5aa5f8c3b..89cacf44e71 100644
--- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequest.java
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequest.java
@@ -37,29 +37,29 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re private IndicesOptions indicesOptions = IndicesOptions.fromOptions(false, false, true, false); - private QueryBuilder query = null; + private QueryBuilder filter = null; private String timestampField = FIELD_TIMESTAMP; private String eventTypeField = FIELD_EVENT_TYPE; private String implicitJoinKeyField = IMPLICIT_JOIN_KEY; private int fetchSize = FETCH_SIZE; private SearchAfterBuilder searchAfterBuilder; - private String rule; + private String query; - static final String KEY_QUERY = "query"; + static final String KEY_FILTER = "filter"; static final String KEY_TIMESTAMP_FIELD = "timestamp_field"; static final String KEY_EVENT_TYPE_FIELD = "event_type_field"; static final String KEY_IMPLICIT_JOIN_KEY_FIELD = "implicit_join_key_field"; static final String KEY_SIZE = "size"; static final String KEY_SEARCH_AFTER = "search_after"; - static final String KEY_RULE = "rule"; + static final String KEY_QUERY = "query"; - static final ParseField QUERY = new ParseField(KEY_QUERY); + static final ParseField FILTER = new ParseField(KEY_FILTER); static final ParseField TIMESTAMP_FIELD = new ParseField(KEY_TIMESTAMP_FIELD); static final ParseField EVENT_TYPE_FIELD = new ParseField(KEY_EVENT_TYPE_FIELD); static final ParseField IMPLICIT_JOIN_KEY_FIELD = new ParseField(KEY_IMPLICIT_JOIN_KEY_FIELD); static final ParseField SIZE = new ParseField(KEY_SIZE); static final ParseField SEARCH_AFTER = new ParseField(KEY_SEARCH_AFTER); - static final ParseField RULE = new ParseField(KEY_RULE); + static final ParseField QUERY = new ParseField(KEY_QUERY); private static final ObjectParser PARSER = objectParser(EqlSearchRequest::new); 
@@ -71,13 +71,13 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re super(in); indices = in.readStringArray(); indicesOptions = IndicesOptions.readIndicesOptions(in); - query = in.readOptionalNamedWriteable(QueryBuilder.class); + filter = in.readOptionalNamedWriteable(QueryBuilder.class); timestampField = in.readString(); eventTypeField = in.readString(); implicitJoinKeyField = in.readString(); fetchSize = in.readVInt(); searchAfterBuilder = in.readOptionalWriteable(SearchAfterBuilder::new); - rule = in.readString(); + query = in.readString(); } @Override @@ -99,8 +99,8 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re validationException = addValidationError("indicesOptions is null", validationException); } - if (rule == null || rule.isEmpty()) { - validationException = addValidationError("rule is null or empty", validationException); + if (query == null || query.isEmpty()) { + validationException = addValidationError("query is null or empty", validationException); } if (timestampField == null || timestampField.isEmpty()) { @@ -124,8 +124,8 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re @Override public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException { - if (query != null) { - builder.field(KEY_QUERY, query); + if (filter != null) { + builder.field(KEY_FILTER, filter); } builder.field(KEY_TIMESTAMP_FIELD, timestampField()); builder.field(KEY_EVENT_TYPE_FIELD, eventTypeField()); @@ -138,7 +138,7 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re builder.array(SEARCH_AFTER.getPreferredName(), searchAfterBuilder.getSortValues()); } - builder.field(KEY_RULE, rule); + builder.field(KEY_QUERY, query); return builder; } 
@@ -149,15 +149,15 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re protected static ObjectParser objectParser(Supplier supplier) { ObjectParser parser = new ObjectParser<>("eql/search", false, supplier); - parser.declareObject(EqlSearchRequest::query, - (p, c) -> AbstractQueryBuilder.parseInnerQueryBuilder(p), QUERY); + parser.declareObject(EqlSearchRequest::filter, + (p, c) -> AbstractQueryBuilder.parseInnerQueryBuilder(p), FILTER); parser.declareString(EqlSearchRequest::timestampField, TIMESTAMP_FIELD); parser.declareString(EqlSearchRequest::eventTypeField, EVENT_TYPE_FIELD); parser.declareString(EqlSearchRequest::implicitJoinKeyField, IMPLICIT_JOIN_KEY_FIELD); parser.declareInt(EqlSearchRequest::fetchSize, SIZE); parser.declareField(EqlSearchRequest::setSearchAfter, SearchAfterBuilder::fromXContent, SEARCH_AFTER, ObjectParser.ValueType.OBJECT_ARRAY); - parser.declareString(EqlSearchRequest::rule, RULE); + parser.declareString(EqlSearchRequest::query, QUERY); return parser; } @@ -167,10 +167,10 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re return this; } - public QueryBuilder query() { return this.query; } + public QueryBuilder filter() { return this.filter; } - public EqlSearchRequest query(QueryBuilder query) { - this.query = query; + public EqlSearchRequest filter(QueryBuilder filter) { + this.filter = filter; return this; } @@ -219,10 +219,10 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re return this; } - public String rule() { return this.rule; } + public String query() { return this.query; } - public EqlSearchRequest rule(String rule) { - this.rule = rule; + public EqlSearchRequest query(String query) { + this.query = query; return this; } 
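Review bot: A malformed `filter` body is still reported in terms of "query", because `declareObject(EqlSearchRequest::filter, ...)` in the -149,15 hunk delegates to `AbstractQueryBuilder.parseInnerQueryBuilder(p)` unchanged; the REST validation test updated in this commit expects `"filter": {}` to fail with `query malformed, empty clause found`. Since `query` is now a separate, string-valued field of the same request, that message points the caller at the wrong key when a 400 comes back. Consider wrapping the parser callback so the rethrown error names `filter`, or at least record it next to the declaration with `// errors from parseInnerQueryBuilder say "query"; here they refer to the filter field`. The enclosing class continues outside the hunk.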
@@ -231,13 +231,13 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re super.writeTo(out); out.writeStringArrayNullable(indices); indicesOptions.writeIndicesOptions(out); - out.writeOptionalNamedWriteable(query); + out.writeOptionalNamedWriteable(filter); out.writeString(timestampField); out.writeString(eventTypeField); out.writeString(implicitJoinKeyField); out.writeVInt(fetchSize); out.writeOptionalWriteable(searchAfterBuilder); - out.writeString(rule); + out.writeString(query); } @Override @@ -249,16 +249,15 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re return false; } EqlSearchRequest that = (EqlSearchRequest) o; - return - fetchSize == that.fetchSize && - Arrays.equals(indices, that.indices) && - Objects.equals(indicesOptions, that.indicesOptions) && - Objects.equals(query, that.query) && - Objects.equals(timestampField, that.timestampField) && - Objects.equals(eventTypeField, that.eventTypeField) && - Objects.equals(implicitJoinKeyField, that.implicitJoinKeyField) && - Objects.equals(searchAfterBuilder, that.searchAfterBuilder) && - Objects.equals(rule, that.rule); + return fetchSize == that.fetchSize && + Arrays.equals(indices, that.indices) && + Objects.equals(indicesOptions, that.indicesOptions) && + Objects.equals(filter, that.filter) && + Objects.equals(timestampField, that.timestampField) && + Objects.equals(eventTypeField, that.eventTypeField) && + Objects.equals(implicitJoinKeyField, that.implicitJoinKeyField) && + Objects.equals(searchAfterBuilder, that.searchAfterBuilder) && + Objects.equals(query, that.query); } @Override @@ -266,13 +265,13 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re return Objects.hash( Arrays.hashCode(indices), indicesOptions, - query, + filter, fetchSize, timestampField, eventTypeField, implicitJoinKeyField, searchAfterBuilder, - rule); + query); } @Override 
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java index 2e808501ae9..743b297a58a 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java @@ -20,8 +20,8 @@ public class EqlSearchRequestBuilder extends ActionRequestBuilder listener) { // TODO: these should be sent by the client ZoneId zoneId = DateUtils.of("Z"); - QueryBuilder filter = request.query(); + QueryBuilder filter = request.filter(); TimeValue timeout = TimeValue.timeValueSeconds(30); boolean includeFrozen = request.indicesOptions().ignoreThrottled() == false; String clientId = null; @@ -68,7 +68,7 @@ public class TransportEqlSearchAction extends HandledTransportAction listener.onResponse(createResponse(r)), listener::onFailure)); + planExecutor.eql(cfg, request.query(), params, wrap(r -> listener.onResponse(createResponse(r)), listener::onFailure)); } static EqlSearchResponse createResponse(Results results) { diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java index 2ead2458457..d0ff9699681 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java @@ -98,7 +98,7 @@ public class EqlActionIT extends AbstractEqlIntegTestCase { public final void test() { EqlSearchResponse response = new EqlSearchRequestBuilder(client(), EqlSearchAction.INSTANCE) - .indices(testIndexName).rule(spec.query()).get(); + .indices(testIndexName).query(spec.query()).get(); List events = response.hits().events(); assertNotNull(events); 
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlRequestParserTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlRequestParserTests.java index f2016ee04ee..0ba6ed71e0c 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlRequestParserTests.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlRequestParserTests.java @@ -31,7 +31,7 @@ public class EqlRequestParserTests extends ESTestCase { } public void testSearchRequestParser() throws IOException { - assertParsingErrorMessage("{\"query\" : 123}", "query doesn't support values of type: VALUE_NUMBER", + assertParsingErrorMessage("{\"filter\" : 123}", "filter doesn't support values of type: VALUE_NUMBER", EqlSearchRequest::fromXContent); assertParsingErrorMessage("{\"timestamp_field\" : 123}", "timestamp_field doesn't support values of type: VALUE_NUMBER", EqlSearchRequest::fromXContent); 
@@ -43,32 +43,32 @@ public class EqlRequestParserTests extends ESTestCase { assertParsingErrorMessage("{\"search_after\" : 123}", "search_after doesn't support values of type: VALUE_NUMBER", EqlSearchRequest::fromXContent); assertParsingErrorMessage("{\"size\" : \"foo\"}", "failed to parse field [size]", EqlSearchRequest::fromXContent); - assertParsingErrorMessage("{\"rule\" : 123}", "rule doesn't support values of type: VALUE_NUMBER", + assertParsingErrorMessage("{\"query\" : 123}", "query doesn't support values of type: VALUE_NUMBER", EqlSearchRequest::fromXContent); - assertParsingErrorMessage("{\"rule\" : \"whatever\", \"size\":\"abc\"}", "failed to parse field [size]", + assertParsingErrorMessage("{\"query\" : \"whatever\", \"size\":\"abc\"}", "failed to parse field [size]", EqlSearchRequest::fromXContent); - EqlSearchRequest request = generateRequest("endgame-*", "{\"query\" : {\"match\" : {\"foo\":\"bar\"}}, " + EqlSearchRequest request = generateRequest("endgame-*", "{\"filter\" : {\"match\" : {\"foo\":\"bar\"}}, " + "\"timestamp_field\" : \"tsf\", " + "\"event_type_field\" : \"etf\"," + "\"implicit_join_key_field\" : \"imjf\"," + "\"search_after\" : [ 12345678, \"device-20184\", \"/user/local/foo.exe\", \"2019-11-26T00:45:43.542\" ]," + "\"size\" : \"101\"," - + "\"rule\" : \"file where user != 'SYSTEM' by file_path\"" + + "\"query\" : \"file where user != 'SYSTEM' by file_path\"" + "}", EqlSearchRequest::fromXContent); assertArrayEquals(new String[]{"endgame-*"}, request.indices()); assertNotNull(request.query()); - assertTrue(request.query() instanceof MatchQueryBuilder); - MatchQueryBuilder query = (MatchQueryBuilder)request.query(); - assertEquals("foo", query.fieldName()); - assertEquals("bar", query.value()); + assertTrue(request.filter() instanceof MatchQueryBuilder); + MatchQueryBuilder filter = (MatchQueryBuilder)request.filter(); + assertEquals("foo", filter.fieldName()); + assertEquals("bar", filter.value()); assertEquals("tsf", 
request.timestampField()); assertEquals("etf", request.eventTypeField()); assertEquals("imjf", request.implicitJoinKeyField()); assertArrayEquals(new Object[]{12345678, "device-20184", "/user/local/foo.exe", "2019-11-26T00:45:43.542"}, request.searchAfter()); assertEquals(101, request.fetchSize()); - assertEquals("file where user != 'SYSTEM' by file_path", request.rule()); + assertEquals("file where user != 'SYSTEM' by file_path", request.query()); } private EqlSearchRequest generateRequest(String index, String json, Function fromXContent) diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestTests.java index b89b92057a0..98567a03d4f 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestTests.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestTests.java @@ -32,7 +32,7 @@ import static org.elasticsearch.index.query.AbstractQueryBuilder.parseInnerQuery public class EqlSearchRequestTests extends AbstractSerializingTestCase { // TODO: possibly add mutations - static String defaultTestQuery = "{\n" + + static String defaultTestFilter = "{\n" + " \"match\" : {\n" + " \"foo\": \"bar\"\n" + " }" + @@ -59,15 +59,15 @@ public class EqlSearchRequestTests extends AbstractSerializingTestCase
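Review bot: `assertNotNull(request.query());` in `testSearchRequestParser` of EqlRequestParserTests was left as an unchanged context line, so after the rename it checks the EQL string instead of the filter object that the following `instanceof MatchQueryBuilder` and cast lines inspect. It should read `assertNotNull(request.filter());` to keep guarding the cast; the string value is already covered by the final `assertEquals("file where user != 'SYSTEM' by file_path", request.query())`. The test passes either way, which is why the missed rename is easy to overlook.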