[DOCS] Make EQL example snippets more realistic (#60971) (#60975)

Author: jrodewig

docs/build.gradle

@@ -211,17 +211,17 @@ buildRestTests.setups['sec_logs'] = '''
           refresh: true
           body: |
             {"index":{}}
-            {"@timestamp": "2020-12-06T11:04:05.000Z", "event": { "category": "process", "id": "edwCRnyD", "sequence": 1 }, "process": { "pid": 2012, "name": "cmd.exe", "executable": "C:\\\\Windows\\\\System32\\\\cmd.exe" }}
+            {"@timestamp": "2099-12-06T11:04:05.000Z", "event": { "category": "process", "id": "edwCRnyD", "sequence": 1 }, "process": { "pid": 2012, "name": "cmd.exe", "executable": "C:\\\\Windows\\\\System32\\\\cmd.exe" }}
             {"index":{}}
-            {"@timestamp": "2020-12-06T11:04:07.000Z", "event": { "category": "file", "id": "dGCHwoeS", "sequence": 2 }, "file": { "accessed": "2020-12-07T11:07:08.000Z", "name": "cmd.exe", "path": "C:\\\\Windows\\\\System32\\\\cmd.exe", "type": "file", "size": 16384 }, "process": { "pid": 2012, "name": "cmd.exe", "executable": "C:\\\\Windows\\\\System32\\\\cmd.exe" }}
+            {"@timestamp": "2099-12-06T11:04:07.000Z", "event": { "category": "file", "id": "dGCHwoeS", "sequence": 2 }, "file": { "accessed": "2099-12-07T11:07:08.000Z", "name": "cmd.exe", "path": "C:\\\\Windows\\\\System32\\\\cmd.exe", "type": "file", "size": 16384 }, "process": { "pid": 2012, "name": "cmd.exe", "executable": "C:\\\\Windows\\\\System32\\\\cmd.exe" }}
             {"index":{}}
-            {"@timestamp": "2020-12-07T11:06:07.000Z", "event": { "category": "process", "id": "cMyt5SZ2", "sequence": 3 }, "process": { "pid": 2012, "name": "cmd.exe", "executable": "C:\\\\Windows\\\\System32\\\\cmd.exe" } }
+            {"@timestamp": "2099-12-07T11:06:07.000Z", "event": { "category": "process", "id": "cMyt5SZ2", "sequence": 3 }, "process": { "pid": 2012, "name": "cmd.exe", "executable": "C:\\\\Windows\\\\System32\\\\cmd.exe" } }
             {"index":{}}
-            {"@timestamp": "2020-12-07T11:07:08.000Z", "event": { "category": "file", "id": "bYA7gPay", "sequence": 4 }, "file": { "accessed": "2020-12-07T11:07:08.000Z", "name": "cmd.exe", "path": "C:\\\\Windows\\\\System32\\\\cmd.exe", "type": "file", "size": 16384 }, "process": { "pid": 2012, "name": "cmd.exe", "executable": "C:\\\\Windows\\\\System32\\\\cmd.exe" } }
+            {"@timestamp": "2099-12-07T11:07:09.000Z", "event": { "category": "process", "id": "aR3NWVOs", "sequence": 4 }, "process": { "pid": 2012, "name": "regsvr32.exe", "command_line": "regsvr32.exe  /s /u /i:https://...RegSvr32.sct scrobj.dll", "executable": "C:\\\\Windows\\\\System32\\\\regsvr32.exe" }}
             {"index":{}}
-            {"@timestamp": "2020-12-07T11:07:09.000Z", "event": { "category": "process", "id": "aR3NWVOs", "sequence": 5 }, "process": { "pid": 2012, "name": "regsvr32.exe", "executable": "C:\\\\Windows\\\\System32\\\\regsvr32.exe" }}
+            {"@timestamp": "2099-12-07T11:07:10.000Z", "event": { "category": "file", "id": "tZ1NWVOs", "sequence": 5 }, "process": { "pid": 2012, "name": "regsvr32.exe", "executable": "C:\\\\Windows\\\\System32\\\\regsvr32.exe" }, "file": { "path": "C:\\\\Windows\\\\System32\\\\scrobj.dll", "name": "scrobj.dll" }}
             {"index":{}}
-            {"@timestamp": "2020-12-07T11:07:10.000Z", "event": { "category": "process", "id": "GTSmSqgz0U", "sequence": 6, "type": "termination" }, "process": { "pid": 2012, "name": "regsvr32.exe", "executable": "C:\\\\Windows\\\\System32\\\\regsvr32.exe" }}'''
+            {"@timestamp": "2099-12-07T11:07:10.000Z", "event": { "category": "process", "id": "GTSmSqgz0U", "sequence": 6, "type": "termination" }, "process": { "pid": 2012, "name": "regsvr32.exe", "executable": "C:\\\\Windows\\\\System32\\\\regsvr32.exe" }}'''
 
 buildRestTests.setups['host'] = '''
   # Fetch the http host. We use the host of the master because we know there will always be a master.

docs/reference/eql/eql-search-api.asciidoc

@@ -490,17 +490,17 @@ Original JSON body passed for the event at index time.
 ===== Basic query example
 
 The following EQL search request searches for events with an `event.category` of
-`file` that meet the following conditions:
+`process` that meet the following conditions:
 
-* A `file.name` of `cmd.exe`
+* A `process.name` of `cmd.exe`
 * An `process.pid` other than `2013`
 
 [source,console]
 ----
 GET /my-index-000001/_eql/search
 {
   "query": """
-    file where (file.name == "cmd.exe" and process.pid != 2013)
+    process where (process.name == "cmd.exe" and process.pid != 2013)
   """
 }
 ----
@@ -532,52 +532,38 @@ the events in ascending, lexicographic order.
       {
         "_index": "my-index-000001",
         "_type": "_doc",
-        "_id": "fwGeywNsBl8Y9Ys1x51b",
+        "_id": "babI3XMBI9IjHuIqU0S_",
         "_score": null,
         "_source": {
-          "@timestamp": "2020-12-06T11:04:07.000Z",
+          "@timestamp": "2099-12-06T11:04:05.000Z",
           "event": {
-            "category": "file",
-            "id": "dGCHwoeS",
-            "sequence": 2,
-          },
-          "file": {
-            "accessed": "2020-12-07T11:07:08.000Z",
-            "name": "cmd.exe",
-            "path": "C:\\Windows\\System32\\cmd.exe",
-            "type": "file",
-            "size": 16384
+            "category": "process",
+            "id": "edwCRnyD",
+            "sequence": 1
           },
           "process": {
+            "pid": 2012,
             "name": "cmd.exe",
-            "executable": "C:\\Windows\\System32\\cmd.exe",
-            "pid": 2012
+            "executable": "C:\\Windows\\System32\\cmd.exe"
           }
         }
       },
       {
         "_index": "my-index-000001",
         "_type": "_doc",
-        "_id": "AtOJ4UjUBAAx3XR5kcCM",
+        "_id": "b6bI3XMBI9IjHuIqU0S_",
         "_score": null,
         "_source": {
-          "@timestamp": "2020-12-07T11:07:08.000Z",
+          "@timestamp": "2099-12-07T11:06:07.000Z",
           "event": {
-            "category": "file",
-            "id": "bYA7gPay",
-            "sequence": 4
-          },
-          "file": {
-            "accessed": "2020-12-07T11:07:08.000Z",
-            "name": "cmd.exe",
-            "path": "C:\\Windows\\System32\\cmd.exe",
-            "type": "file",
-            "size": 16384
+            "category": "process",
+            "id": "cMyt5SZ2",
+            "sequence": 3
           },
           "process": {
+            "pid": 2012,
             "name": "cmd.exe",
-            "executable": "C:\\Windows\\System32\\cmd.exe",
-            "pid": 2012
+            "executable": "C:\\Windows\\System32\\cmd.exe"
           }
         }
       }
@@ -586,8 +572,8 @@ the events in ascending, lexicographic order.
 }
 ----
 // TESTRESPONSE[s/"took": 6/"took": $body.took/]
-// TESTRESPONSE[s/"_id": "fwGeywNsBl8Y9Ys1x51b"/"_id": $body.hits.events.0._id/]
-// TESTRESPONSE[s/"_id": "AtOJ4UjUBAAx3XR5kcCM"/"_id": $body.hits.events.1._id/]
+// TESTRESPONSE[s/"_id": "babI3XMBI9IjHuIqU0S_"/"_id": $body.hits.events.0._id/]
+// TESTRESPONSE[s/"_id": "b6bI3XMBI9IjHuIqU0S_"/"_id": $body.hits.events.1._id/]
 
 [[eql-search-api-sequence-ex]]
 ===== Sequence query example
@@ -651,49 +637,50 @@ shared `process.pid` value for each matching event.
             "_type": "_doc",
             "_id": "AtOJ4UjUBAAx3XR5kcCM",
             "_version": 1,
-            "_seq_no": 3,
+            "_seq_no": 1,
             "_primary_term": 1,
             "_score": null,
             "_source": {
-              "@timestamp": "2020-12-07T11:07:08.000Z",
+              "@timestamp": "2099-12-06T11:04:07.000Z",
               "event": {
                 "category": "file",
-                "id": "bYA7gPay",
-                "sequence": 4
+                "id": "dGCHwoeS",
+                "sequence": 2
               },
               "file": {
-                "accessed": "2020-12-07T11:07:08.000Z",
+                "accessed": "2099-12-07T11:07:08.000Z",
                 "name": "cmd.exe",
                 "path": "C:\\Windows\\System32\\cmd.exe",
                 "type": "file",
                 "size": 16384
               },
-              "process": { 
+              "process": {
+                "pid": 2012,
                 "name": "cmd.exe",
-                "executable": "C:\\Windows\\System32\\cmd.exe",
-                "pid": 2012
+                "executable": "C:\\Windows\\System32\\cmd.exe"
               }
             }
           },
           {
             "_index": "my-index-000001",
             "_type": "_doc",
-            "_id": "yDwnGIJouOYGBzP0ZE9n",
+            "_id": "OQmfCaduce8zoHT93o4H",
             "_version": 1,
-            "_seq_no": 4,
+            "_seq_no": 3,
             "_primary_term": 1,
             "_score": null,
             "_source": {
-              "@timestamp": "2020-12-07T11:07:09.000Z",
+              "@timestamp": "2099-12-07T11:07:09.000Z",
               "event": {
                 "category": "process",
                 "id": "aR3NWVOs",
-                "sequence": 5
+                "sequence": 4
               },
-              "process": { 
+              "process": {
+                "pid": 2012,
                 "name": "regsvr32.exe",
-                "executable": "C:\\Windows\\System32\\regsvr32.exe",
-                "pid": 2012
+                "command_line": "regsvr32.exe  /s /u /i:https://...RegSvr32.sct scrobj.dll",
+                "executable": "C:\\Windows\\System32\\regsvr32.exe"
               }
             }
           }
@@ -705,4 +692,4 @@ shared `process.pid` value for each matching event.
 ----
 // TESTRESPONSE[s/"took": 6/"took": $body.took/]
 // TESTRESPONSE[s/"_id": "AtOJ4UjUBAAx3XR5kcCM"/"_id": $body.hits.sequences.0.events.0._id/]
-// TESTRESPONSE[s/"_id": "yDwnGIJouOYGBzP0ZE9n"/"_id": $body.hits.sequences.0.events.1._id/]
+// TESTRESPONSE[s/"_id": "OQmfCaduce8zoHT93o4H"/"_id": $body.hits.sequences.0.events.1._id/]