How to create sequence rules?

So, I want to create sequence rules to aggregate the same events into one alert.
For example, I have an event from an IDS system with fields like:
client.ip
cs1 - the category name ("malware activity" or something like this)

So, how do I sequence events with the same client.ip and cs1 fields into one alert?
I tried this, but I got an error:

sequence by client.ip
[detect where cs1 == "trojan-activity"]

line 2:40: mismatched input '' expecting '['
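A valid form of that query, as an added example that is not part of the original post: an EQL sequence needs at least two bracketed subqueries, which is what the parser's `expecting '['` is complaining about. The `detect` event category, the `client.ip` and `cs1` fields and the "trojan-activity" value are taken from the post; the `maxspan` window is an assumption.

```eql
// Added example, not from the original post. Joins events on both
// client.ip and cs1 so two detections for the same client and category
// within the (assumed) 5 minute window become one sequence hit.
sequence by client.ip, cs1 with maxspan=5m
  [detect where cs1 == "trojan-activity"]
  [detect where cs1 == "trojan-activity"]
```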
