sequence
Use this command to search for log record patterns within the groups identified by the link command.
Syntax
sequence name = <name> [<sequence_options>] <match_rules> select <output_fields>
Parameters
The following table lists the parameters used with this command, along with their descriptions.
Parameter | Description |
---|---|
name | Sequence display name |
sequence_options | Syntax: |
match_rules | Syntax: |
output_fields | The fields to return in the result. Syntax: |
The following command searches for 5 or more failed logins followed by 1 or more successful logins:
* | link Entity
| sequence name = 'Security Event' span = 5min [ 'Security Result' = failure ]{5,} then [ 'Security Result' = success ]{1,} select 'Source IP Address'
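The matching logic of the command above, written out in Python as an added illustration (it is not the product's implementation or code from this page): records are grouped by Entity, as `link Entity` does, and a group matches when at least 5 consecutive failures are followed by a success. The sample records, the names `rec` and `failed_then_success`, and the reading of `span = 5min` as "the counted failures fall within 5 minutes before the success" are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def rec(ts, entity, result, ip):
    return {"time": datetime.fromisoformat(ts), "Entity": entity,
            "Security Result": result, "Source IP Address": ip}

# Constructed sample records (not from the page); IPs are documentation ranges.
SAMPLE = (
    # host-a: 6 failures in 2.5 minutes, then a success -> should match
    [rec(f"2024-01-01T10:0{i // 2}:{(i % 2) * 30:02d}", "host-a", "failure", "203.0.113.10")
     for i in range(6)]
    + [rec("2024-01-01T10:03:00", "host-a", "success", "203.0.113.10")]
    # host-b: 5 failures spread over 20 minutes, then a success -> outside the span
    + [rec(f"2024-01-01T11:{i * 5:02d}:00", "host-b", "failure", "198.51.100.7")
       for i in range(5)]
    + [rec("2024-01-01T11:21:00", "host-b", "success", "198.51.100.7")]
    # host-c: only 2 failures before the success -> below the {5,} minimum
    + [rec(f"2024-01-01T12:00:{i * 10:02d}", "host-c", "failure", "192.0.2.44")
       for i in range(2)]
    + [rec("2024-01-01T12:01:00", "host-c", "success", "192.0.2.44")]
)

def failed_then_success(records, min_fail=5, min_ok=1, span=timedelta(minutes=5)):
    """Per Entity: >= min_fail consecutive failures, then >= min_ok successes, within span."""
    groups = defaultdict(list)                      # the `link Entity` step
    for r in records:
        groups[r["Entity"]].append(r)
    hits = []
    for entity, recs in groups.items():
        fails, oks = [], []
        for r in sorted(recs, key=lambda x: x["time"]) + [None]:  # None flushes the last run
            result = r["Security Result"] if r else None
            if result == "success" and fails:
                oks.append(r)                       # success directly after a failure run
                continue
            if len(oks) >= min_ok:                  # a failure run followed by successes just ended
                end = oks[min_ok - 1]["time"]
                window = [f for f in fails if end - f["time"] <= span]
                if len(window) >= min_fail:
                    ips = sorted({x["Source IP Address"] for x in window + oks})
                    hits.append({"Entity": entity, "failures": len(window),
                                 "Source IP Address": ips})
            if oks or result != "failure":          # assumption: anything else breaks the run
                fails, oks = [], []
            if result == "failure":
                fails.append(r)
    return hits
```

On the constructed sample only `host-a` matches; widening `span` to 30 minutes also brings in `host-b`, which shows how much the time window drives the alert volume for this kind of rule.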
The following command returns session details between two events:
* | link Account
| sequence name = 'User Session' between [ Action = login ]{1,} and [ Action = logout ]{1,} select Action, Entity