
Correlation Rule Sequences

Sequences are the building blocks for rule logic that define the events and conditions that trigger a correlation rule.

A sequence is the component of a correlation rule that defines which events trigger the rule and the condition the events must satisfy for the rule to trigger. The first step in building a correlation rule is creating a sequence.

To create a sequence, first search for the events on which your rule triggers. Searching for events works like Search: you can build a search or type one out using the same search syntax, and you can select recent and saved searches. After you define the events of interest, you define the conditions that those events must meet.

If the rule triggers on a set of related events, define multiple sequences. The conditions of all sequences must be satisfied for the rule to trigger. For example, to detect a brute force attempt, define the first sequence as a certain number of failed log-on events from an external IP address within five seconds, and the second sequence as a successful log-on event from the same external IP address within 30 minutes. Sequences can be ordered, meaning the sequences and their conditions must be satisfied in a specific order for the rule to trigger, or unordered, meaning all sequences and their conditions can be satisfied in any order. The brute force example is an ordered rule: a successful log-on that precedes the burst of failures should not trigger it.
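The following is an added example, not code from the Correlation Rules product, showing how the ordered two-sequence brute force rule described above behaves when run over sample events. The log format (`ts=<seconds> src=<ip> result=<failure|success>`), the failure threshold of five, the definition of "internal" address ranges, and the returned alert tuple shape are all assumptions made for the illustration; the 500-match and 50-trigger auto-disable thresholds mentioned later in this guide are applied to the trigger count so that the over-triggering behaviour can be seen as well.

```python
"""Added example (not product code): an ordered two-sequence correlation over sample logons.

Sequence 1: FAIL_COUNT failed log-ons from one external IP within FAIL_WINDOW seconds.
Sequence 2: a successful log-on from the same IP within SUCCESS_WINDOW seconds of that burst.
The rule is ordered, so a success that precedes the burst does not satisfy sequence 2.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed rule thresholds (the guide gives "a certain number" of failures, not a value).
FAIL_COUNT = 5
FAIL_WINDOW = 5.0          # seconds
SUCCESS_WINDOW = 1800.0    # 30 minutes
# Over-triggering guard from the guide: more than 50 triggers in five minutes disables the rule.
MAX_TRIGGERS = 50
TRIGGER_WINDOW = 300.0

# Assumed definition of "internal": RFC 1918 ranges plus loopback. Everything else is external.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse constructed 'ts=<sec> src=<ip> result=<failure|success>' lines, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        events.append((float(kv["ts"]), kv["src"], kv["result"]))
    events.sort(key=lambda e: e[0])
    return events


def correlate(events, max_triggers=MAX_TRIGGERS):
    """Run the ordered rule over time-sorted (ts, src_ip, result) events.

    Returns (alerts, disabled). Each alert is (ip, burst_end_ts, success_ts). disabled is True
    once the rule trips the over-triggering guard; no further events are evaluated after that.
    """
    fails = defaultdict(deque)   # ip -> failure timestamps inside the FAIL_WINDOW
    armed = {}                   # ip -> time at which sequence 1 was last satisfied
    triggers = deque()           # rule trigger timestamps inside the TRIGGER_WINDOW
    alerts = []
    for ts, ip, result in events:
        if not is_external(ip):
            continue
        if result == "failure":
            q = fails[ip]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:      # slide the 5 s window
                q.popleft()
            if len(q) >= FAIL_COUNT:
                armed[ip] = ts                  # sequence 1 satisfied at this instant
        elif result == "success":
            burst_end = armed.pop(ip, None)
            # Ordered: only a success after the burst, and within 30 minutes of it, completes the rule.
            if burst_end is not None and ts - burst_end <= SUCCESS_WINDOW:
                alerts.append((ip, burst_end, ts))
                fails[ip].clear()
                triggers.append(ts)
                while ts - triggers[0] > TRIGGER_WINDOW:
                    triggers.popleft()
                if len(triggers) > max_triggers:
                    return alerts, True         # rule auto-disabled for over-triggering
    return alerts, False


# Constructed sample events (seconds since an arbitrary epoch), not real logs:
#   203.0.113.7  - five failures in 4 s, success 886 s later      -> fires
#   198.51.100.9 - success first, then five failures              -> no alert (ordering)
#   192.0.2.50   - five failures spread over 40 s, then success   -> no alert (outside 5 s window)
#   10.0.0.5     - same pattern as the first, but internal source  -> no alert
SAMPLE_LOG = """\
ts=10 src=203.0.113.7 result=failure
ts=11 src=203.0.113.7 result=failure
ts=12 src=203.0.113.7 result=failure
ts=13 src=203.0.113.7 result=failure
ts=14 src=203.0.113.7 result=failure
ts=900 src=203.0.113.7 result=success
ts=20 src=198.51.100.9 result=success
ts=21 src=198.51.100.9 result=failure
ts=22 src=198.51.100.9 result=failure
ts=23 src=198.51.100.9 result=failure
ts=24 src=198.51.100.9 result=failure
ts=25 src=198.51.100.9 result=failure
ts=30 src=192.0.2.50 result=failure
ts=40 src=192.0.2.50 result=failure
ts=50 src=192.0.2.50 result=failure
ts=60 src=192.0.2.50 result=failure
ts=70 src=192.0.2.50 result=failure
ts=75 src=192.0.2.50 result=success
ts=100 src=10.0.0.5 result=failure
ts=101 src=10.0.0.5 result=failure
ts=102 src=10.0.0.5 result=failure
ts=103 src=10.0.0.5 result=failure
ts=104 src=10.0.0.5 result=failure
ts=110 src=10.0.0.5 result=success
"""

if __name__ == "__main__":
    found, off = correlate(parse_log(SAMPLE_LOG))
    for ip, burst_end, success_ts in found:
        print(f"rule fired: {ip} burst ended t={burst_end:g}, success t={success_ts:g}")
    print("rule disabled:", off)
```

Only the first source fires. The 198.51.100.9 case is the one that separates ordered from unordered rules: an unordered version of the same two sequences would trigger on it, because both conditions are met within the windows regardless of order. The `max_triggers` guard shows why the guide's auto-disable exists: a scan that produces a burst-then-success pattern from dozens of addresses in a few minutes stops the rule rather than flooding analysts.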

To prevent a rule from over-triggering, Correlation Rules automatically disables a rule if events satisfy the conditions of any one of its sequences more than 500 times in five minutes. Correlation Rules also automatically disables a rule if the rule itself triggers more than 50 times in five minutes.

By default, you can enable up to 200 sequences.