So, I want to create the sequence rules to aggregate the same events into one alert.
For example, I have an event from an IDS system where I have fields like:
client.ip
cs1 - the category name ("malware activity" or something like this)
So, how to sequence events with the same client.ip and cs1 fields into one alert?
I tried this, but I got an error:
sequence by client.ip
[detect where cs1 == "trojan-activity"]
line 2:40: mismatched input '' expecting '['
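As an added illustration (not part of the original post), the parser error points at the missing second event query: an EQL sequence needs at least two `[ ... ]` blocks, and grouping on both fields is done by listing them after `by`. The `maxspan` value and the use of `any` as the event category are assumptions for the example:

```eql
sequence by client.ip, cs1 with maxspan=5m
  [ any where cs1 == "trojan-activity" ]
  [ any where cs1 == "trojan-activity" ]
```

This fires once when two events sharing the same client.ip and cs1 arrive within the window, rather than one alert per event.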