nano SIEM
Search Commands

sequence

Detect ordered event patterns. Identify multi-stage attacks, user workflows, and suspicious activity chains.

Description

The sequence command detects when events occur in a specific order within a time window. This is essential for identifying attack chains, credential abuse patterns, and multi-step processes.

Unlike transaction, which groups any related events regardless of order, sequence requires events to match specific conditions in a fixed order.

Syntax

... | sequence by <field> [, <field> ...] [maxspan=<duration>] [fields(<field1>, <field2>, ...)] [<condition1>] [<condition2>] ...

Required Arguments

by
Description: Fields to partition by (e.g., src_ip, user). Sequences are detected separately for each unique combination of values.

conditions
Description: Ordered list of search expressions in square brackets. Events must match these in sequence. Supports:

  • Field comparisons: [action="login"]
  • Wildcards: [uri_path="*.exe"]
  • Regex with flags: [url_domain=/file[-_]?(upload|share)/i]
  • Complex conditions: [action="login" AND status="fail"]

Optional Arguments

maxspan
Syntax: maxspan=<duration>
Description: Maximum time between the first and last event in the sequence. Supports s (seconds), m (minutes), h (hours), d (days).
Example: maxspan=5m, maxspan=1h, maxspan=24h

fields
Syntax: fields(<field1>, <field2>, ...)
Description: Additional fields to capture from each step's matching event. Useful for analyst review.
Example: fields(message, url, bytes_out)

Output Fields

The sequence command returns rich output for analyst investigation:

  • <group_by_fields>: The partition fields (e.g., user, src_ip)
  • step1_time, step2_time, ...: Timestamp of the first matching event for each step
  • step1_event_id, step2_event_id, ...: Event ID for drill-down to the full event details
  • step1_<field>, step2_<field>, ...: Auto-captured fields from the conditions plus user-specified fields
  • sequence_duration_seconds: Time elapsed between the first and last step
  • sequence_count: Number of times this entity completed the sequence
  • maxspan_seconds: The maxspan value (if specified)

Examples

Failed logins followed by success (Credential Stuffing)

source_type="auth_logs"
| sequence by user, src_ip maxspan=5m
    [action="login" status="failure"]
    [action="login" status="success"]

Suspicious file download from file sharing site

source_type="squid_proxy"
| sequence by user, src_ip maxspan=5m
    fields(message, url)
    [url_domain=/file[-_]?(upload|share|drop|transfer|send)/i]
    [uri_path=/\.(exe|scr|bat|cmd|ps1|vbs|js|hta|msi|dll)$/i]

Reconnaissance to exploitation

* | sequence by src_ip maxspan=1h
    fields(dest_ip, dest_port)
    [action="port_scan"]
    [action="vulnerability_probe"]
    [action="exploit_attempt"]

Privilege escalation chain

* | sequence by user, src_host maxspan=30m
    fields(process_name, command_line)
    [action="login" user_type="standard"]
    [action="privilege_escalation"]
    [action="admin_command"]

Data exfiltration pattern

* | sequence by src_ip maxspan=2h
    fields(file_path, bytes_out, dest_ip)
    [action="file_access" file_path="*confidential*"]
    [action="compression" OR action="archive"]
    [dest_ip!="10.*" AND dest_ip!="192.168.*"]

Lateral movement detection

* | sequence by user maxspan=1h
    fields(src_ip, dest_host, auth_type)
    [action="login" src_host=/workstation.*/i]
    [action="login" src_host=/server.*/i]
    [action="file_access" dest_host=/dc.*/i]

Malware download and execution

source_type="endpoint"
| sequence by src_host maxspan=10m
    fields(url, file_path, process_name, command_line)
    [action="file_download" uri_path="*.exe"]
    [action="file_write" file_path="/tmp/*" OR file_path="*\\Temp\\*"]
    [action="process_create"]

Credential dumping (LSASS access)

* | sequence by src_host maxspan=15m
    fields(process_name, parent_command_line, file_path, dest_ip)
    [process_name="lsass.exe" action="process_access"]
    [action="file_create" file_path="*.dmp"]
    [action="network_connection" dest_port=445]

Phishing to account compromise

* | sequence by user maxspan=24h
    fields(subject, url, src_ip)
    [action="email_open" subject=/urgent|verify|suspended/i]
    [action="link_click" url_domain!="company.com"]
    [action="credential_submit"]
    [action="login" status="success"]

Proxy policy bypass attempts

source_type="squid_proxy"
| sequence by user, url_domain maxspan=10m
    fields(status_code, url, message)
    [status_code>=400]
    [status_code<400]

Usage Notes

Lookback Configuration

When using sequence in detection rules, set lookback >= maxspan:

  • maxspan=5m → lookback of 5-10 minutes
  • maxspan=1h → lookback of 1-2 hours
  • maxspan=24h → lookback of 24-48 hours

If lookback is shorter than maxspan, you'll miss sequences where earlier steps occurred outside the lookback window.

Regex Support

Conditions support regex with flags:

  • /pattern/ - Basic regex
  • /pattern/i - Case-insensitive
  • /file[-_]?share/i - Character classes and quantifiers work inside brackets

Field Auto-Capture

Fields referenced in conditions are automatically captured. For example:

[action="login" status="failure"]

This automatically captures step1_action and step1_status in the output.

Use fields(...) to capture additional fields not in conditions:

fields(message, src_ip, user_agent)

Performance Considerations

  • Partition wisely: more unique combinations of by fields mean more memory usage
  • Time bounds: Shorter maxspan values are more efficient
  • Step count: Each additional step increases query complexity
  • Use specific conditions: Broad conditions like [action="*"] are expensive

Order Matters

Events must occur in the exact order specified. The sequence:

[action="A"] [action="B"] [action="C"]

Will NOT match if events occur as A → C → B.

Partial Matches

Only complete sequences are returned. If a user has events matching steps 1 and 2 but not step 3, they won't appear in results.
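The matching semantics described above (per-partition grouping, ordered steps, the maxspan window, field auto-capture, and complete sequences only) as a small Python emulation. This is an added example, not nano SIEM's own code: the events, their epoch-relative "ts" timestamps, and the representation of a condition as a dict of field to literal / "*" wildcard / compiled regex are constructed assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample events (not real logs); "ts" is seconds since an arbitrary epoch.
EVENTS = [
    {"ts": 0,   "user": "alice", "src_ip": "203.0.113.5",  "action": "login", "status": "failure"},
    {"ts": 40,  "user": "alice", "src_ip": "203.0.113.5",  "action": "login", "status": "failure"},
    {"ts": 95,  "user": "alice", "src_ip": "203.0.113.5",  "action": "login", "status": "success"},
    {"ts": 10,  "user": "bob",   "src_ip": "198.51.100.9", "action": "login", "status": "failure"},
    {"ts": 900, "user": "bob",   "src_ip": "198.51.100.9", "action": "login", "status": "success"},
    {"ts": 5,   "user": "carol", "src_ip": "192.0.2.7",    "action": "login", "status": "success"},
    {"ts": 30,  "user": "carol", "src_ip": "192.0.2.7",    "action": "login", "status": "failure"},
]

def _term_matches(value, pattern):
    """One condition term: compiled regex, '*' wildcard, or literal equality."""
    if value is None:                       # field absent from the event
        return False
    if isinstance(pattern, re.Pattern):     # e.g. /file[-_]?(upload|share)/i
        return pattern.search(str(value)) is not None
    if isinstance(pattern, str) and "*" in pattern:   # e.g. uri_path="*.exe"
        return fnmatchcase(str(value), pattern)
    return value == pattern

def detect_sequence(events, by, conditions, maxspan_seconds, fields=()):
    """Emulate `sequence by <by> maxspan=<s> fields(...) [c1] [c2] ...`; yields output rows."""
    groups = {}                             # one partition per unique tuple of `by` values
    for ev in sorted(events, key=lambda e: e["ts"]):   # time order drives the ordered matching
        groups.setdefault(tuple(ev.get(f) for f in by), []).append(ev)
    for key, evs in groups.items():
        completed, steps = [], []
        for ev in evs:
            if steps and ev["ts"] - steps[0]["ts"] > maxspan_seconds:
                steps = []                  # window expired: partial progress is dropped
            if all(_term_matches(ev.get(f), p) for f, p in conditions[len(steps)].items()):  # terms AND-ed
                steps.append(ev)            # first event matching the next step wins
                if len(steps) == len(conditions):
                    completed.append(steps)
                    steps = []
        for seq in completed:               # incomplete sequences are never emitted
            row = dict(zip(by, key))
            for i, (ev, cond) in enumerate(zip(seq, conditions), start=1):
                row[f"step{i}_time"] = ev["ts"]
                for f in list(cond) + list(fields):   # auto-captured condition fields + fields(...)
                    row[f"step{i}_{f}"] = ev.get(f)
            row["sequence_duration_seconds"] = seq[-1]["ts"] - seq[0]["ts"]
            row["sequence_count"] = len(completed)
            row["maxspan_seconds"] = maxspan_seconds
            yield row
```

With maxspan 300 s only alice's partition completes: bob's success falls outside the window and carol's events occur in the wrong order (success before failure), so neither produces a row.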

Detection Rule Example

Full YAML detection rule using sequence:

name: credential_stuffing_attack
description: |
  Detects credential stuffing pattern: multiple failed logins
  followed by successful login from same IP.
author: security-team
severity: high
mode: staging

mitre_tactics:
  - credential_access
  - initial_access
mitre_techniques:
  - T1110.001  # Brute Force: Password Guessing
  - T1078      # Valid Accounts

tags:
  - authentication
  - brute_force

query: |
  source_type="auth_logs"
  | sequence by user, src_ip maxspan=5m
      fields(user_agent, auth_type)
      [action="login" status="failure"]
      [action="login" status="failure"]
      [action="login" status="success"]

narrative: |
  This rule detects a common credential stuffing pattern:

  1. Attacker tries credentials (fails)
  2. Attacker tries again (fails)
  3. Attacker succeeds with valid credentials

  Investigate:
  - Is this IP known to the user?
  - Check user_agent for automation signatures
  - Review what the user accessed after login

Related Commands

  • transaction - Group related events (unordered)
  • streamstats - Track event sequences with running calculations
  • funnel - Analyze conversion through sequential steps
  • anomaly - Detect statistical outliers