The Sequence context finds event patterns in traffic by keeping track of whether all events in the defined set of Situations match in a specific order within the defined time period.
The Sequence context has a table you can use to define, in order from left to right, the events that comprise a sequence. This context allows detecting events such as when a request from a client triggers one pattern and the response from a server triggers a second pattern.
The table has gray and white cells; white cells must be filled, gray cells are left empty. If you would like to match events regardless of the order in which they occur, use the Group context instead.
For more details about the product and how to configure features, click Help or
press F1.
Steps
-
Double-click the Event Match cell and define a local filter.
-
Double-click the Event Binding field and select the Event Binding that defines the set of log events to match.
-
Click Add Event Before or Add Event After to add more Event rows.
- Define the Event Match for each row.
- Define the Event Binding for each row.
-
When you are finished defining the sequence, drag and drop the relevant Situations in the Correlated Situations field below the table.
-
Select whether you want to Keep and Forward Events.
-
Enter the Time Window Size in seconds. All events must occur during this length of time for the Correlation Situation to match.
-
Select one of the following options as the Usage Context:
- Engine and Log Server.
- Log Server Only.
Note: If you select a Usage Context that does not include the Log Server, events only match if they are all detected by the same NGFW Engine or NGFW Engine Cluster.