Sequencing support

[pcoccoli]

Is your feature request related to a problem? Please describe.
There's no explicit way to express a sequential pattern (e.g. search for X followed by Y). STIX patterning actually supports sequencing (though stix-shifter doesn't) via FOLLOWEDBY. This is somewhat related to #466.

Describe the solution you'd like
I think adopting STIX's FOLLOWEDBY (and more liberally FOLLOWED BY) makes the most sense. Consider the elasticsearch EQL example in #466:

sequence by related.host, process.entity_id with maxspan=10m
    [process where process.command_line like~ ...]
    [process where process.command_line like~ ...]

This is comparable to what you can do with STIX patterning:

([process:command_line LIKE ...] FOLLOWEDBY [process:command_line LIKE ...]) WITHIN ... SECONDS

The correlation part (sequence by ...) can't be epxressed in STIX patterns, but that's what #466 is about.

A WHERE clause is currently defined as "WHERE"i ecg_pattern - that could be extended to optionally have "FOLLOWEDBY"i ecg_pattern after it, so one could write:

p = GET process FROM ...
    WHERE command_line LIKE ...
    FOLLOWED BY command_line LIKE ...

p would be an entity list of all process objects that match either pattern.

Describe alternatives you've considered
I don't have another suggestion at the moment.

Additional context
Article about EQL sequencing: https://www.linkedin.com/pulse/eql-search-elastic-siem-detection-rules-alessandro-brofferio/