[DOCS] EQL: Document wildcard function (#54086)

jrodewig · web-flow · commit 33dc417bd024 · 2020-04-10T09:17:41.000-04:00
diff --git a/docs/reference/eql/functions.asciidoc b/docs/reference/eql/functions.asciidoc
@@ -13,6 +13,7 @@ experimental::[]
 * <<eql-fn-length>>
 * <<eql-fn-startswith>>
 * <<eql-fn-substring>>
+* <<eql-fn-wildcard>>
 
 [discrete]
 [[eql-fn-between]]
@@ -389,4 +390,70 @@ function returns the remaining string.
 Positions are zero-indexed. Negative offsets are supported.
 
 *Returns:* string
+====
+
+[discrete]
+[[eql-fn-wildcard]]
+=== `wildcard`
+Returns `true` if a source string matches one or more provided wildcard
+expressions.
+
+[%collapsible]
+====
+*Example*
+[source,eql]
+----
+// The two following expressions are equivalent.
+process.name == "*regsvr32*" or process.name == "*explorer*"
+wildcard(process.name, "*regsvr32*", "*explorer*")
+
+// process.name = "regsvr32.exe"
+wildcard(process.name, "*regsvr32*")                // returns true
+wildcard(process.name, "*regsvr32*", "*explorer*")  // returns true
+wildcard(process.name, "*explorer*")                // returns false
+wildcard(process.name, "*explorer*", "*scrobj*")    // returns false
+
+// empty strings
+wildcard("", "*start*")                             // returns false
+wildcard("", "*")                                   // returns true
+wildcard("", "")                                    // returns true
+
+// null handling
+wildcard(null, "*regsvr32*")                        // returns null
+wildcard(process.name, null)                        // returns null
+----
+
+*Syntax*
+
+[source,txt]
+----
+wildcard(<source>, <wildcard_exp>[, ...])
+----
+
+*Parameters*
+
+`<source>`::
++
+--
+(Required, string)
+Source string. If `null`, the function returns `null`.
+
+If using a field as the argument, this parameter only supports the following
+field datatypes:
+
+* <<keyword,`keyword`>>
+* <<constant-keyword,`constant_keyword`>>
+* <<text,`text`>> field with a <<keyword,`keyword`>> or
+  <<constant-keyword,`constant_keyword`>> sub-field
+--
+
+`<wildcard_exp>`::
++
+--
+(Required{multi-arg}, string)
+Wildcard expression used to match the source string. If `null`, the function
+returns `null`. Fields are not supported as arguments.
+-- 
+
+*Returns:* boolean
 ====
