[DOCS] Update runs syntax (#78922)

Updates the EQL syntax docs for PR #78895.
elastic · Oct 11, 2021 · e7ab7c8 · e7ab7c8
1 parent 11840f0
commit e7ab7c8
Showing 1 changed file with 8 additions and 9 deletions.
diff --git a/docs/reference/eql/syntax.asciidoc b/docs/reference/eql/syntax.asciidoc
@@ -695,17 +695,17 @@ until [ process where event.type == "stop" ]
 ====
 
 [discrete]
-[[eql-runs-keyword]]
-=== `runs` keyword
+[[eql-with-runs-statement]]
+=== `with runs` statement
 
-Use a `runs` statement to run the same event criteria successively within a
+Use a `with runs` statement to run the same event criteria successively within a
 sequence query. For example:
 
 [source,eql]
 ----
 sequence
   [ process where event.type == "creation" ]
-  [ library where process.name == "regsvr32.exe" ] [runs=3]
+  [ library where process.name == "regsvr32.exe" ] with runs=3
   [ registry where true ]
 ----
 
@@ -721,17 +721,16 @@ sequence
   [ registry where true ]
 ----
 
-A `runs` statement must be enclosed in square brackets (`[ ]`). The `runs` value
-must be between `1` and `100` (inclusive).
+The `runs` value must be between `1` and `100` (inclusive).
 
-You can use a `runs` statement with the <<eql-by-keyword,`by` keyword>>. For
-example:
+You can use a `with runs` statement with the <<eql-by-keyword,`by` keyword>>.
+For example:
 
 [source,eql]
 ----
 sequence
   [ process where event.type == "creation" ] by process.executable
-  [ library where process.name == "regsvr32.exe" ] by dll.path [runs=3]
+  [ library where process.name == "regsvr32.exe" ] by dll.path with runs=3
 ----
 
 [discrete]