Sequence Operation

Sequence rules are similar to gate rules, except that all child rules must fire in the order listed, within the evaluation period, for the sequence rule to evaluate to true.

Each subrule may be a simple rule or another composite rule.

The syntax for sequence is:

Sequence(<subrule 1 rulelg>, <subrule 2 rulelg>, ... <subrule n rulelg>, <evaluation period>, discriminator(<list of metatags>))

Where

<subrule 1 rulelg> ... <subrule n rulelg> are the rulelg definitions of the 1 to n subrules, listed in the order in which they must fire

<evaluation period> is the time window within which all subrules must fire, expressed in seconds (s), minutes (m), or hours (h)

discriminator(<list of metatags>) names the metatags to group by: the sequence is tracked separately for each distinct combination of their values, so subrule firings with different values never combine into a match

For example, this rule detects three failed logins by a particular user against a particular destination within 600 seconds (10 minutes), followed by a successful login by the same user to the same destination within the 600-second evaluation period. Both the trigger and the sequence discriminate on e.sun and e.dip, so the failures and the success are only correlated when they share the same user name and destination IP; a success by a different user, or by the same user on a different host, does not complete the sequence.

sequence (filter(e.evt="failed logins") flow trigger(3, 600, discriminator(e.sun,e.dip)), filter(e.evt="goodlogin"), 600, discriminator(e.sun, e.dip))
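To make the evaluation semantics concrete, the following is an added example of a small sequence evaluator written for this page; it is not the product's own rule engine or rule language. It models the three constructs used above (filter, flow trigger, and sequence with a discriminator), runs the rule over a constructed list of events, and shows which combinations fire and which do not. The event dictionaries, the field names ts, evt, sun and dip, the functions parse_period, discriminator, filter_rule, flow_trigger and sequence, and the decision to accept a bare number as seconds are all assumptions made for the example.

```python
"""Added example: a minimal evaluator for a sequence rule (not the product's engine)."""
from collections import defaultdict, deque

# Constructed sample events (not real logs). Field names mirror the page's
# metatags: evt (event type), sun (source user name), dip (destination IP).
EVENTS = [
    {"ts": 0,    "evt": "failed logins", "sun": "alice", "dip": "10.0.0.5"},
    {"ts": 60,   "evt": "failed logins", "sun": "alice", "dip": "10.0.0.5"},
    {"ts": 120,  "evt": "failed logins", "sun": "bob",   "dip": "10.0.0.5"},  # other user
    {"ts": 180,  "evt": "failed logins", "sun": "alice", "dip": "10.0.0.5"},  # 3rd for alice
    {"ts": 240,  "evt": "goodlogin",     "sun": "alice", "dip": "10.0.0.5"},  # completes sequence
    {"ts": 300,  "evt": "goodlogin",     "sun": "bob",   "dip": "10.0.0.5"},  # bob never triggered
    {"ts": 1000, "evt": "failed logins", "sun": "carol", "dip": "10.0.0.9"},
    {"ts": 1100, "evt": "failed logins", "sun": "carol", "dip": "10.0.0.9"},
    {"ts": 1200, "evt": "failed logins", "sun": "carol", "dip": "10.0.0.9"},  # trigger fires
    {"ts": 1900, "evt": "goodlogin",     "sun": "carol", "dip": "10.0.0.9"},  # 700s later: too late
]


def parse_period(period):
    """Evaluation period as '30s', '10m', '2h', or (assumed) a bare number of seconds."""
    period = str(period)
    units = {"s": 1, "m": 60, "h": 3600}
    if period[-1] in units:
        return int(period[:-1]) * units[period[-1]]
    return int(period)


def discriminator(*fields):
    """Group-by key over the named metatags, like discriminator(e.sun, e.dip)."""
    return lambda e: tuple(e[f] for f in fields)


def filter_rule(predicate):
    """Simple rule: fires once for every event that matches the predicate."""
    return lambda events: [e for e in events if predicate(e)]


def flow_trigger(subrule, count, window, key):
    """Fires when `subrule` has fired `count` times within `window` seconds for one key."""
    def run(events):
        recent = defaultdict(deque)   # key -> timestamps of recent firings
        fired = []
        for e in subrule(events):
            q = recent[key(e)]
            q.append(e["ts"])
            while e["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= count:
                fired.append(e)              # the event that completed the count
                q.clear()                    # one firing per burst, then count afresh
        return fired
    return run


def sequence(subrules, period, key):
    """Fires when every subrule fires in order, for the same key, within `period` seconds."""
    def run(events):
        events = sorted(events, key=lambda e: e["ts"])
        firings = []
        for idx, rule in enumerate(subrules):
            firings.extend((e["ts"], idx, e) for e in rule(events))
        firings.sort(key=lambda f: (f[0], f[1]))   # time order; ties keep subrule order
        state = {}                                  # key -> (next expected subrule, start ts)
        alerts = []
        for ts, idx, e in firings:
            k = key(e)
            stage, start = state.get(k, (0, None))
            if idx == 0:
                stage, start = 0, ts                # first subrule (re)starts the window
            elif idx != stage or ts - start > period:
                continue                            # out of order, or outside the period
            if idx == len(subrules) - 1:
                alerts.append((ts, k))
                state.pop(k, None)
            else:
                state[k] = (idx + 1, start)
        return alerts
    return run


# The page's rule, expressed with the helpers above:
# sequence(filter(e.evt="failed logins") flow trigger(3, 600, discriminator(e.sun,e.dip)),
#          filter(e.evt="goodlogin"), 600, discriminator(e.sun, e.dip))
same_user_and_host = discriminator("sun", "dip")
brute_force_then_success = sequence(
    [
        flow_trigger(filter_rule(lambda e: e["evt"] == "failed logins"), 3, 600, same_user_and_host),
        filter_rule(lambda e: e["evt"] == "goodlogin"),
    ],
    parse_period("600"),
    same_user_and_host,
)


def run_rule(events=EVENTS):
    """Evaluate the rule; returns [(timestamp, (user, dip)), ...] for each match."""
    return brute_force_then_success(events)


if __name__ == "__main__":
    for ts, (user, host) in run_rule():
        print(f"t={ts}s: {user} logged in to {host} after 3 failures")
```

Only alice produces a match: bob's single failure never reaches the trigger count, and carol's success arrives 700 seconds after her trigger fired, outside the 600-second evaluation period. Because the sequence's discriminator is the same (sun, dip) pair as the trigger's, a success by a different user or against a different host is tracked under a separate key and cannot complete another user's sequence.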