sequence

Use this command to search for log record patterns within the groups identified by the link command.

Syntax

sequence name = <name> [<sequence_options>] <match_rules> select <output_fields>

Parameters

The following table lists the parameters used with this command, along with their descriptions.

Parameter Description

name

Sequence display name

sequence_options

Syntax: [field = <field_name>][span = <int><timescale>] [maxpause = <int><timescale>]

  • field: Timestamp field to sort the log records. If not specified, Time is used.
  • span: Length of the time window within which all matching log records must occur
  • maxpause: Maximum time gap allowed between two consecutive matching log records
  • timescale: <sec> | <min> | <hour> | <day> | <week> | <mon>

    sec: Permitted values for this parameter include s, sec, secs, second, and seconds.

    min: Permitted values for this parameter include m, min, mins, minute, and minutes.

    hour: Permitted values for this parameter include h, hr, hrs, hour, and hours.

    week: Permitted values for this parameter include w, week, and weeks.

    month: Permitted values for this parameter include mon, month, and months.

match_rules

Syntax: <match_rule> [then <match_rule> ...] | between <match_rule> and <match_rule>

match_rule: <subquery> { <min_match> [,<max_match>] }

  • subquery: Subquery to match the log records
  • min_match: Minimum number of matches
  • max_match: Maximum number of matches

output_fields

The fields to return in the result.

Syntax: <field_name> [as <new_name>]

The following command searches for 5 or more failed logins followed by 1 or more successful logins:

* | link Entity
  | sequence name = 'Security Event' span = 5min [ 'Security Result' = failure ]{5,} then [ 'Security Result' = success ]{1,} select 'Source IP Address'

The following command returns session details between two events:

* | link Account
  | sequence name = 'User Session' between [ Action = login ]{1,} and [ Action = logout ]{1,} select Action, Entity
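The following Python model is an added example, not the query engine's own code, that shows how the two commands above behave on a handful of constructed log records: records are grouped by the link field, each group is sorted by the timestamp field, the match_rules are applied as a greedy, non-backtracking scan (like a regex over the record stream), and span and maxpause are enforced as described under sequence_options. Its assumptions are labelled in the code: between A and B is rewritten as A{1,} then (not B){0,} then B{1,}, select returns the distinct values across the matched records, the day aliases and the 30-day month are not given on the page, and the function names, the IP addresses and the account and host names are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Unit aliases taken from the page's timescale list. The page lists <day> but gives
# no aliases for it, so "day"/"days" and the 30-day month are assumptions.
_UNITS = {
    **dict.fromkeys(["s", "sec", "secs", "second", "seconds"], timedelta(seconds=1)),
    **dict.fromkeys(["m", "min", "mins", "minute", "minutes"], timedelta(minutes=1)),
    **dict.fromkeys(["h", "hr", "hrs", "hour", "hours"], timedelta(hours=1)),
    **dict.fromkeys(["day", "days"], timedelta(days=1)),
    **dict.fromkeys(["w", "week", "weeks"], timedelta(weeks=1)),
    **dict.fromkeys(["mon", "month", "months"], timedelta(days=30)),
}

def parse_timescale(text):
    """Turn the <int><timescale> form ('5min', '2 hours', '30s') into a timedelta."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]+)\s*", text.lower())
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"bad timescale: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]

def match_sequence(records, rules, span=None, maxpause=None, field="Time"):
    """Greedy, regex-like scan over one link group sorted by `field` (assumed semantics).

    rules: list of (predicate, min_match, max_match or None), joined by 'then'.
    span: first-to-last time of a whole match must not exceed it.
    maxpause: gap between two consecutive matched records must not exceed it.
    Returns a list of matches, each the list of records it consumed.
    """
    recs = sorted(records, key=lambda r: r[field])
    matches, i = [], 0
    while i < len(recs):
        j, consumed, ok = i, [], True
        for pred, lo, hi in rules:
            n = 0
            while j < len(recs) and (hi is None or n < hi) and pred(recs[j]):
                if consumed and maxpause is not None and recs[j][field] - consumed[-1][field] > maxpause:
                    break  # pause too long: this record cannot extend the current match
                consumed.append(recs[j])
                j, n = j + 1, n + 1
            if n < lo:
                ok = False  # fewer than min_match records for this rule
                break
        if ok and consumed and span is not None and consumed[-1][field] - consumed[0][field] > span:
            ok = False  # the whole match must fit inside the span window
        if ok and consumed:
            matches.append(consumed)
            i = j  # resume after the match, so matches never overlap
        else:
            i += 1
    return matches

def link_and_sequence(records, link_field, rules, select, **opts):
    """'link <field> | sequence ... select <fields>': group, match per group, project."""
    groups = defaultdict(list)
    for r in records:
        groups[r[link_field]].append(r)
    rows = []
    for key in sorted(groups):
        for m in match_sequence(groups[key], rules, **opts):
            row = {link_field: key}
            for f in select:  # distinct values across the matched records (assumption)
                row[f] = sorted({r[f] for r in m if f in r})
            rows.append(row)
    return rows

def eq(field, value):
    """Predicate for a subquery of the form [ field = value ]."""
    return lambda r: r.get(field) == value

def between_rules(pred_a, pred_b):
    """'between A and B' expressed for the 'then' matcher: A{1,} then (not B){0,} then B{1,} (assumed)."""
    return [(pred_a, 1, None), (lambda r: not pred_b(r), 0, None), (pred_b, 1, None)]

def _t(hms):
    return datetime.fromisoformat("2024-05-01T" + hms)

def _rec(entity, hms, result, ip):
    return {"Time": _t(hms), "Entity": entity, "Security Result": result, "Source IP Address": ip}

# Constructed sample records (not real log data), one link group per host.
SECURITY_LOGS = (
    # web01: five failures inside two minutes, then a success -> matches within span = 5min
    [_rec("web01", t, "failure", "203.0.113.7") for t in ["10:00:00", "10:00:30", "10:01:00", "10:01:30", "10:02:00"]]
    + [_rec("web01", "10:02:15", "success", "203.0.113.7")]
    # web02: only three failures before the success -> below min_match of 5
    + [_rec("web02", t, "failure", "198.51.100.9") for t in ["10:00:00", "10:00:20", "10:00:40"]]
    + [_rec("web02", "10:01:00", "success", "198.51.100.9")]
    # web03: six failures four minutes apart (10:00 .. 10:20), then a success -> exceeds span = 5min
    + [_rec("web03", f"10:{m:02d}:00", "failure", "192.0.2.44") for m in range(0, 24, 4)]
    + [_rec("web03", "10:21:00", "success", "192.0.2.44")]
)

SESSION_LOGS = [  # constructed; bob never logs out, so no login..logout pair exists for him
    {"Time": _t("09:00:00"), "Account": "alice", "Action": "login", "Entity": "vpn01"},
    {"Time": _t("09:05:00"), "Account": "alice", "Action": "view", "Entity": "vpn01"},
    {"Time": _t("09:30:00"), "Account": "alice", "Action": "logout", "Entity": "vpn01"},
    {"Time": _t("09:10:00"), "Account": "bob", "Action": "login", "Entity": "vpn02"},
]

def failed_then_success():
    """* | link Entity | sequence span = 5min [failure]{5,} then [success]{1,} select 'Source IP Address'"""
    rules = [(eq("Security Result", "failure"), 5, None), (eq("Security Result", "success"), 1, None)]
    return link_and_sequence(SECURITY_LOGS, "Entity", rules, ["Source IP Address"], span=parse_timescale("5min"))

def user_sessions():
    """* | link Account | sequence between [Action = login]{1,} and [Action = logout]{1,} select Action, Entity"""
    rules = between_rules(eq("Action", "login"), eq("Action", "logout"))
    return link_and_sequence(SESSION_LOGS, "Account", rules, ["Action", "Entity"])

if __name__ == "__main__":
    print(failed_then_success())  # only web01 qualifies
    print(user_sessions())        # only alice has a complete session
```

Running the block prints one row per group that produced a match: web01 for the failed-login sequence (web02 has too few failures, web03 has enough but spread beyond the 5-minute span) and alice for the session query. Passing maxpause instead of span to match_sequence rejects the web03 run as well, because every gap between its failures is four minutes; that is the difference between the two options: span bounds the whole match, maxpause bounds each step.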