Overview

The sequence method enables you to detect multi-stage attacks by identifying ordered patterns of related events, such as initial access, privilege escalation, and data exfiltration.

You can define a sequence of steps that must occur within a defined time frame and across related entities, such as a user, host, or IP address. Each sequence can combine conditions from multiple logs or signals to identify coordinated activity that might be missed by individual rules.

See Create Rule for instructions on how to configure a sequence rule.

How the sequence method works

Detection logic

Sequence detection evaluates a defined series of steps that represent distinct stages of suspicious behavior. Each step corresponds to:

• A condition such as a threshold on a log query or a signal match
• Transitions that define the order and time constraints between steps

The rule is triggered when all steps occur in the specified order and within the configured time windows.

Linking entities

The sequence of steps can be correlated across users, accounts, IP addresses, and other fields to automatically track linked entities through group by fields. This allows you to follow an attacker’s path across different identities and systems.

Evaluation window

Each transition between steps has a configurable evaluation window that determines how long the rule waits for the next step to occur. For example, a rule might trigger when user login from an unusual location is followed within 20 minutes by a privilege escalation, where the user might have gone from a standard role to an admin role.

Configuration options

When you create a sequence detection rule, you can configure these options:

Limits

• Sequence detection supports up to 10 steps per rule and a total evaluation window of 24 hours.
• Steps must be in a linear sequence.