nano SIEM

funnel

Analyze conversion through sequential steps. Track user journeys and attack progressions.

Description

The funnel command analyzes how entities progress through a series of ordered steps within a time window. It calculates conversion rates between steps, identifying where entities drop off or complete the full sequence.

This is useful for analyzing user workflows, attack kill chains, and multi-stage processes.

Syntax

... | funnel by <field> [, <field> ...] window=<duration> step1=<expr> step2=<expr> [step3=<expr> ...]

Required Arguments

by
Syntax: by <field> [, <field> ...]
Description: Fields to partition by (e.g., session_id, user, src_ip)

window
Syntax: window=<duration>
Description: Maximum time to complete all steps

steps
Syntax: step1=<expr> step2=<expr> ...
Description: Ordered steps with search expressions

Examples

Login to action funnel

* | funnel by user window=1h
    step1=(action="login")
    step2=(action="file_access")
    step3=(action="data_export")

Attack kill chain

* | funnel by src_ip window=24h
    step1=(action="reconnaissance")
    step2=(action="initial_access")
    step3=(action="execution")
    step4=(action="persistence")
    step5=(action="exfiltration")

User onboarding

* | funnel by user window=7d
    step1=(action="account_created")
    step2=(action="first_login")
    step3=(action="profile_completed")
    step4=(action="first_transaction")

Phishing campaign

* | funnel by user window=48h
    step1=(action="email_received" subject CONTAINS "urgent")
    step2=(action="email_opened")
    step3=(action="link_clicked")
    step4=(action="credentials_entered")

API workflow

* | funnel by session_id window=5m
    step1=(endpoint="/api/auth")
    step2=(endpoint="/api/user/profile")
    step3=(endpoint="/api/data/query")

Malware execution chain

* | funnel by src_host window=30m
    step1=(action="file_download" file_type="executable")
    step2=(action="file_execution")
    step3=(action="registry_modification")
    step4=(action="network_connection")

Usage Notes

Conversion rates: Output includes a count and a percentage for each step.

Drop-off analysis: Identifies the step at which entities stop progressing.

Order required: Steps must occur in the specified order within the time window.

Partial completion: Entities that complete some but not all steps are still tracked.

Output Fields

  • step_name - Name of the step
  • count - Number of entities reaching this step
  • percentage - Percentage of initial entities
  • conversion_rate - Percentage from previous step
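Added example (not code from nano SIEM): a Python reference implementation of the funnel computation, producing the four output fields above, run over constructed events for the "Login to action funnel" example. The `_time` field name and the exact window semantics (window measured from the step1 match, steps matched strictly in order) are assumptions.

```python
from datetime import datetime, timedelta
from typing import Callable, Dict, List

Event = Dict[str, object]

def funnel(events: List[Event], by: str, window: timedelta,
           steps: Dict[str, Callable[[Event], bool]]) -> List[Dict[str, object]]:
    """One row per step: step_name, count, percentage, conversion_rate."""
    # Assumed semantics: the window starts at the entity's first step1 match;
    # later steps must match after the previous step, in the given order.
    per_entity: Dict[object, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e["_time"]):  # _time: assumed field
        per_entity.setdefault(ev[by], []).append(ev)
    names = list(steps)
    reached = [0] * len(names)  # entities that got at least this far
    for evs in per_entity.values():
        idx, deadline = 0, None
        for ev in evs:
            if deadline is not None and ev["_time"] > deadline:
                break  # window expired: remaining steps are not counted
            if steps[names[idx]](ev):
                if idx == 0:
                    deadline = ev["_time"] + window
                reached[idx] += 1
                idx += 1
                if idx == len(names):
                    break  # full conversion
    rows = []
    for i, name in enumerate(names):
        prev = reached[i - 1] if i else reached[0]
        rows.append({"step_name": name, "count": reached[i],
                     "percentage": round(100 * reached[i] / (reached[0] or 1), 1),
                     "conversion_rate": round(100 * reached[i] / (prev or 1), 1)})
    return rows

# Constructed sample events for the "Login to action funnel" example above.
T0 = datetime(2024, 1, 1, 9, 0)
def _ev(user, action, minutes):
    return {"_time": T0 + timedelta(minutes=minutes), "user": user, "action": action}
SAMPLE_EVENTS = [
    _ev("alice", "login", 0), _ev("alice", "file_access", 10), _ev("alice", "data_export", 20),
    _ev("bob", "login", 0), _ev("bob", "file_access", 30),          # partial: stops at step2
    _ev("carol", "login", 0), _ev("carol", "file_access", 90),      # step2 outside 1h window
    _ev("dave", "file_access", 0), _ev("dave", "login", 5), _ev("dave", "data_export", 15),  # out of order
]
LOGIN_FUNNEL = {"login": lambda e: e["action"] == "login",
                "file_access": lambda e: e["action"] == "file_access",
                "data_export": lambda e: e["action"] == "data_export"}
def login_to_action_funnel():
    return funnel(SAMPLE_EVENTS, "user", timedelta(hours=1), LOGIN_FUNNEL)
```

Running `login_to_action_funnel()` gives counts 4, 2, 1: carol's step2 falls outside the window and dave's file_access precedes his login, so neither advances past step1.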