Commit Graph

8 Commits

Author SHA1 Message Date
James Rodewig 21d5236173 [DOCS] EQL: Style fixes 2020-09-21 19:44:21 -04:00
James Rodewig 00bfc2d684
[7.x] [DOCS] EQL: Improve regsvr32 misuse explanation (#62722) (#62738)
* [DOCS] EQL: Improve regsvr32 misuse explanation (#62722)

Expands the introduction to better explain what regsvr32 misuse is and
how it works at a high level.

* [DOCS] EQL: Style fixes
2020-09-21 19:02:10 -04:00
James Rodewig f347f0207f
[DOCS] EQL: Use consistent string notation (#62472) (#62477) 2020-09-16 11:43:37 -04:00
Costin Leau bff3c7470e
EQL: Replace SearchHit in response with Event (#61428) (#61522)
The building block of the eql response is currently the SearchHit. This
is a problem since it is tied to an actual search, and thus has scoring,
highlighting, shard information and a lot of other things that are not
relevant for EQL.
This becomes a problem when doing sequence queries since the response is
not generated from one search query and thus there are no SearchHits to
speak of.
Emulating one is not just conceptually incorrect but also problematic
since most of the data is missed or made-up.

As such this PR introduces a simple class, Event, that maps nicely to
the terminology while hiding the ES internals (the use of SearchHit or
GetResult/GetResponse depending on the API used).

Fix #59764
Fix #59779

Co-authored-by: Igor Motov <igor@motovs.org>
(cherry picked from commit 997376fbe6ef2894038968842f5e0635731ede65)
2020-08-25 17:32:42 +03:00
James Rodewig 039b306e7d
[DOCS] Fix EQL threat detection example (#61367) (#61373) 2020-08-20 10:45:01 -04:00
Andrei Stefan 5de0f19cc3
EQL: Return sequence join keys in the original type (#61268) (#61282)
(cherry picked from commit d54957d61faa0d502387656e3cace594017b6ea0)
2020-08-18 19:37:15 +03:00
James Rodewig 290adcd25e [DOCS] Reword in EQL threat detection example 2020-08-14 15:50:58 -04:00
James Rodewig 3fef26bfb0
[DOCS] EQL: Add threat detection example (#59105) (#61161) 2020-08-14 13:40:44 -04:00