Hrm. IIRC this is an evented table basically identical to the way file events works. We describe that one as Track time/action changes to files specified in configuration data

I'm a little leery of "historical" since evented tables don't really store history. (Well, they might. But usually they drop it after it's queried)

Hmmmm ok... it sounds like these evented tables work differently from what I understand. I will need to read up on them a bit more.

I reverted this change. How about just merging the explanation for the yara table?

It's sorta "historical". Evented tables store events, and then usually purge them out when queried. Generally they're not good for thigns like "show me last tuesday", they're for things like "how do I capture all the processing that are running, since some are shorter lived than my query interval"

Well, this has caused me to look at how things work. And while I agree your language is an improvement, I think we can be better.

1. I don't think this uses pids at all.
2. track isn't right, but I don't know if fetch is right either. It triggers an on-demand yara scan. (Like if you queried for a hash, it's not fetching the hash, per se, it's generating it)
3. It's not listed here, but at least one of sig_groups, sigfile, or sigrule must be specified. I don't know if you'd like to add that.

Updated the language! WDYT?