How to create sequence rules?

VellayLoket · June 7, 2023, 4:39am

So, i want to create the sequence rules to aggregate the same events to one alert.
For example i have event from IDS system where i have fields like:
client.ip
cs1 - the category name ("malware activity" or smth like this)

So, how to sequense event with the same client.ip and cs1 fileds to one alert?
I had try this, but i got error:

sequence by client.ip
[detect where cs1 == "trojan-activity"]

line 2:40: mismatched input '' expecting '['

system · July 5, 2023, 4:40am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Detection of a behavior preceded or followed by an event type Elastic Security detection-rules	2	539	September 20, 2021
Creating alert when event didn't occur Elastic Security detection-rules	6	904	September 21, 2021
Group identical alerts in Elastic Security [7.14.2] Elastic Security detection-rules	1	411	December 2, 2021
Correlating/Matching data from 2 sources with diferent field types Elastic Security	3	274	January 10, 2024
Event correlation rule for new user creation Elastic Agent elastic-stack-security	1	243	October 3, 2022

How to create sequence rules?

Related Topics