Sequence rules are similar to gate rules, except that all child rules must fire in time order for the sequence rule to evaluate to true.
Each subrule may be a simple rule or another composite rule.
The syntax for a sequence is:
Sequence(<subrule 1 rulelg>, <subrule 2 rulelg>, ... <subrule n rulelg>, <evaluation period>, discriminator(<list of metatags>))
Where:
<subrule rulelg> is the rulelg definition of each of the 1 to n subrules
<evaluation period> is the time period within which all subrules must fire, expressed in seconds (s), minutes (m), or hours (h)
discriminator is the list of fields that events are grouped by, so that each subrule is evaluated per distinct combination of those field values
For example, this rule detects three failed logins by a particular user within 10 minutes, followed by a successful login by the same user:
sequence (filter(e.evt="failed logins") flow trigger(3, 600, discriminator(e.sun,e.dip)), filter(e.evt="goodlogin"), 600, discriminator(e.sun, e.dip))
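To show what that rule evaluates, here is an added Python emulation of it (example code, not the rule engine's own implementation) run over a constructed event list; it assumes the evaluation period is counted from the first failed login in the triggering window, and uses the discriminator fields e.sun and e.dip from the rule above.

```python
from collections import defaultdict

# Constructed sample events (not from the original page): (timestamp in seconds, evt, sun, dip)
EVENTS = [
    (0,   "failed logins", "alice", "10.0.0.5"),
    (120, "failed logins", "alice", "10.0.0.5"),
    (300, "failed logins", "bob",   "10.0.0.5"),   # bob never reaches 3 failures
    (400, "failed logins", "alice", "10.0.0.5"),   # alice's 3rd failure: subrule 1 fires
    (500, "goodlogin",     "alice", "10.0.0.5"),   # subrule 2, in order and inside 600s
    (700, "goodlogin",     "bob",   "10.0.0.5"),
]

def evaluate_sequence(events, fail_count=3, trigger_window=600, eval_period=600):
    """Emulates:
    sequence(filter(e.evt="failed logins") flow trigger(fail_count, trigger_window,
             discriminator(e.sun, e.dip)), filter(e.evt="goodlogin"), eval_period,
             discriminator(e.sun, e.dip))
    Returns a list of (sun, dip, first_failure_ts, success_ts) for every match."""
    matches = []
    fails = defaultdict(list)   # (sun, dip) -> timestamps of failed logins still inside the trigger window
    fired = {}                  # (sun, dip) -> timestamp of the first failure when subrule 1 fired
    for ts, evt, sun, dip in sorted(events):   # time order is required for a sequence
        key = (sun, dip)                       # the discriminator groups events per user/destination
        if evt == "failed logins":
            window = [t for t in fails[key] if ts - t <= trigger_window] + [ts]
            fails[key] = window
            if len(window) >= fail_count and key not in fired:
                fired[key] = window[0]         # subrule 1 fires; remember the window start
        elif evt == "goodlogin" and key in fired:
            first_failure = fired[key]         # subrule 2 only counts after subrule 1 fired
            if ts - first_failure <= eval_period:
                matches.append((sun, dip, first_failure, ts))
            del fired[key]                     # reset the sequence for this group either way
            fails[key] = []
    return matches
```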