elastic · joepeeples · Jun 23, 2022 · Jun 13, 2022 · Jun 13, 2022 · Jun 14, 2022
@@ -413,6 +413,24 @@ must be an {es} date data type.
 
 |==============================================
 
+[[opt-fields-eql-create]]
+===== Optional fields for event correlation rules
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|event_category_field |String
+|Contains the event classification, such as `process`, `file`, or `network`. This field is typically mapped as a field type in the {ref}/keyword.html[keyword family]. Defaults to the `event.category` ECS field.
+
+|tiebreaker_field |String
+|Sets a secondary field for sorting events (in ascending, lexicographic order) if they have the same timestamp.
+
+|timestamp_field |String
+|Contains the event timestamp used for sorting a sequence of events. This is different from `timestamp_override`, which is used for querying events within a range. Defaults to the `@timestamp` ECS field.
+
+|==============================================
+
 [[actions-object-schema]]
 ===== `actions` schema
 

@@ -329,6 +329,24 @@ must be an {es} date data type.
 
 |==============================================
 
+[[opt-fields-eql-update]]
+===== Optional fields for EQL rules
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|event_category_field |String
+|Contains the event classification, such as `process`, `file`, or `network`. This field is typically mapped as a field type in the {ref}/keyword.html[keyword family]. Defaults to the `event.category` ECS field.
+
+|tiebreaker_field |String
+|Sets a secondary field for sorting events (in ascending, lexicographic order) if they have the same timestamp.
+
+|timestamp_field |String
+|Contains the event timestamp used for sorting a sequence of events. This is different from `timestamp_override`, which is used for querying events within a range. Defaults to the `@timestamp` ECS field.
+
+|==============================================
+
 [[actions-object-schema-update]]
 ===== `actions` schema
 

@@ -180,7 +180,7 @@ network connection:
 +
 ** *Index patterns*: `winlogbeat-*`
 +
-> Winlogbeat ships Windows events to {elastic-sec}.
+Winlogbeat ships Windows events to {elastic-sec}.
 
 ** *EQL query*:
 +
@@ -205,6 +205,11 @@ image::images/eql-rule-query-example.png[]
 +
 NOTE: For sequence events, the {security-app} generates a single alert when all events listed in the sequence are detected. To see the matched sequence events in more detail, you can view the alert in the Timeline, and, if all events came from the same process, open the alert in Analyze Event view.
 +
+. (Optional) Click the EQL settings icon (image:images/eql-settings-icon.png[EQL settings icon,16,16]) to configure additional fields used by {ref}/eql.html#specify-a-timestamp-or-event-category-field[EQL search]:
+  * *Event category field*: Contains the event classification, such as `process`, `file`, or `network`. This field is typically mapped as a field type in the {ref}/keyword.html[keyword family]. Defaults to the `event.category` ECS field.
+  * *Tiebreaker field*: Sets a secondary field for sorting events (in ascending, lexicographic order) if they have the same timestamp.
+  * *Timestamp field*: Contains the event timestamp used for sorting a sequence of events. This is different from the *Timestamp override* advanced setting, which is used for querying events within a range. Defaults to the `@timestamp` ECS field.
++
 . Continue with <<preview-rules, previewing the rule>> (optional) or click *Continue* to <<rule-ui-basic-params, configure basic rule settings>>.
 
 [discrete]