Support MATCH_RECOGNIZE formatting

commit_hash:a51361a96bfccae4f317752367bad8f0dc155032

Author: zhvv117

yql/essentials/sql/v1/format/sql_format.cpp

@@ -1979,6 +1979,95 @@ friend struct TStaticData;
         }
     }
 
+    void VisitRowPatternRecognitionClause(const TRule_row_pattern_recognition_clause& msg) {
+        VisitToken(msg.GetToken1());
+        VisitToken(msg.GetToken2());
+
+        NewLine();
+        PushCurrentIndent();
+
+        if (msg.HasBlock3()) {
+            Visit(msg.GetBlock3());
+            NewLine();
+        }
+
+        if (msg.HasBlock4()) {
+            Visit(msg.GetBlock4());
+            NewLine();
+        }
+
+        if (msg.HasBlock5()) {
+            const auto& block = msg.GetBlock5().GetRule_row_pattern_measures1();
+            VisitToken(block.GetToken1());
+            NewLine();
+            PushCurrentIndent();
+            const auto& measureList = block.GetRule_row_pattern_measure_list2();
+            Visit(measureList.GetRule_row_pattern_measure_definition1());
+            for (const auto& measureDefinitionBlock : measureList.GetBlock2()) {
+                VisitToken(measureDefinitionBlock.GetToken1());
+                NewLine();
+                Visit(measureDefinitionBlock.GetRule_row_pattern_measure_definition2());
+            }
+            PopCurrentIndent();
+            NewLine();
+        }
+
+        if (msg.HasBlock6()) {
+            Visit(msg.GetBlock6());
+            NewLine();
+        }
+
+        const auto& common = msg.GetRule_row_pattern_common_syntax7();
+        if (common.HasBlock1()) {
+            Visit(common.GetBlock1());
+            NewLine();
+        }
+
+        if (common.HasBlock2()) {
+            Visit(common.GetBlock2());
+        }
+
+        VisitToken(common.GetToken3());
+        VisitToken(common.GetToken4());
+        Visit(common.GetRule_row_pattern5());
+        VisitToken(common.GetToken6());
+        NewLine();
+
+        if (common.HasBlock7()) {
+            const auto& block = common.GetBlock7().GetRule_row_pattern_subset_clause1();
+            VisitToken(block.GetToken1());
+            NewLine();
+            PushCurrentIndent();
+            const auto& subsetList = block.GetRule_row_pattern_subset_list2();
+            Visit(subsetList.GetRule_row_pattern_subset_item1());
+            for (const auto& subsetItemBlock : subsetList.GetBlock2()) {
+                VisitToken(subsetItemBlock.GetToken1());
+                NewLine();
+                Visit(subsetItemBlock.GetRule_row_pattern_subset_item2());
+            }
+            PopCurrentIndent();
+            NewLine();
+        }
+
+        VisitToken(common.GetToken8());
+        NewLine();
+        PushCurrentIndent();
+        const auto& definitionList = common.GetRule_row_pattern_definition_list9();
+        Visit(definitionList.GetRule_row_pattern_definition1());
+        for (const auto& definitionBlock : definitionList.GetBlock2()) {
+            VisitToken(definitionBlock.GetToken1());
+            NewLine();
+            Visit(definitionBlock.GetRule_row_pattern_definition2());
+        }
+        PopCurrentIndent();
+        NewLine();
+
+        PopCurrentIndent();
+        NewLine();
+
+        VisitToken(msg.GetToken8());
+    }
+
     void VisitJoinSource(const TRule_join_source& msg) {
         if (msg.HasBlock1()) {
             Visit(msg.GetBlock1());
@@ -2074,10 +2163,7 @@ friend struct TStaticData;
     void VisitNamedSingleSource(const TRule_named_single_source& msg) {
         Visit(msg.GetRule_single_source1());
         if (msg.HasBlock2()) {
-            const auto& matchRecognize = msg.GetBlock2();
-            //TODO handle MATCH_RECOGNIZE block
-            //https://st.yandex-team.ru/YQL-16186
-            Visit(matchRecognize);
+            Visit(msg.GetBlock2());
         }
         if (msg.HasBlock3()) {
             const auto& block3 = msg.GetBlock3();
@@ -2872,6 +2958,7 @@ TStaticData::TStaticData()
         {TRule_reduce_core::GetDescriptor(), MakePrettyFunctor(&TPrettyVisitor::VisitReduceCore)},
         {TRule_sort_specification_list::GetDescriptor(), MakePrettyFunctor(&TPrettyVisitor::VisitSortSpecificationList)},
         {TRule_select_core::GetDescriptor(), MakePrettyFunctor(&TPrettyVisitor::VisitSelectCore)},
+        {TRule_row_pattern_recognition_clause::GetDescriptor(), MakePrettyFunctor(&TPrettyVisitor::VisitRowPatternRecognitionClause)},
         {TRule_join_source::GetDescriptor(), MakePrettyFunctor(&TPrettyVisitor::VisitJoinSource)},
         {TRule_join_constraint::GetDescriptor(), MakePrettyFunctor(&TPrettyVisitor::VisitJoinConstraint)},
         {TRule_single_source::GetDescriptor(), MakePrettyFunctor(&TPrettyVisitor::VisitSingleSource)},

yql/essentials/sql/v1/format/sql_format_ut.h

@@ -1378,8 +1378,13 @@ USE plato;
 SELECT
     *
 FROM Input MATCH_RECOGNIZE(
-    PATTERN ( A )
-    DEFINE A as A
+    PARTITION BY a, b, c
+    ORDER BY ts
+    MEASURES LAST(B1.ts) AS b1, LAST(B3.ts) AS b3
+    ONE ROW PER MATCH AFTER MATCH SKIP TO NEXT ROW INITIAL
+    PATTERN ( A B2 + B3 )
+    SUBSET U = (C, D), W = (Q, P)
+    DEFINE A as A, B as B
 );
 )",
 R"(PRAGMA FeatureR010 = "prototype";
@@ -1389,7 +1394,26 @@ USE plato;
 SELECT
     *
 FROM
-    Input MATCH_RECOGNIZE (PATTERN (A) DEFINE A AS A)
+    Input MATCH_RECOGNIZE (
+        PARTITION BY
+            a,
+            b,
+            c
+        ORDER BY
+            ts
+        MEASURES
+            LAST(B1.ts) AS b1,
+            LAST(B3.ts) AS b3
+        ONE ROW PER MATCH
+        AFTER MATCH SKIP TO NEXT ROW
+        INITIAL PATTERN (A B2 + B3)
+        SUBSET
+            U = (C, D),
+            W = (Q, P)
+        DEFINE
+            A AS A,
+            B AS B
+    )
 ;
 )"
     }};

yql/essentials/tests/sql/sql2yql/canondata/test_sql_format.test_match_recognize-after_match_skip_past_last_row_/formatted.sql

@@ -16,7 +16,14 @@ $input =
 SELECT
     *
 FROM
-    $input MATCH_RECOGNIZE (ORDER BY
-        CAST(time AS Timestamp)
-    MEASURES FIRST(X.time) AS first_time, LAST(X.time) AS last_time PATTERN (X {2}) DEFINE X AS TRUE)
+    $input MATCH_RECOGNIZE (
+        ORDER BY
+            CAST(time AS Timestamp)
+        MEASURES
+            FIRST(X.time) AS first_time,
+            LAST(X.time) AS last_time
+        PATTERN (X {2})
+        DEFINE
+            X AS TRUE
+    )
 ;

yql/essentials/tests/sql/sql2yql/canondata/test_sql_format.test_match_recognize-alerts-streaming_/formatted.sql

@@ -20,20 +20,41 @@ PRAGMA config.flags("MatchRecognizeStream", "force");
 SELECT
     *
 FROM
-    AS_TABLE($osquery_data) MATCH_RECOGNIZE (ORDER BY
-        CAST(dt AS Timestamp)
-    MEASURES LAST(LOGIN_SUCCESS_REMOTE.host) AS remote_login_host, LAST(LOGIN_SUCCESS_REMOTE.user) AS remote_login_user, LAST(LOGIN_SUCCESS_REMOTE.dt) AS remote_login_dt, LAST(SUSPICIOUS_ACTION_SOON.dt) AS suspicious_action_dt, LAST(SUSPICIOUS_ACTION_TIMEOUT.dt) AS suspicious_action_timeout_dt, FIRST(LOGIN_FAILED_SAME_USER.dt) AS brutforce_begin, FIRST(LOGIN_SUCCESS_SAME_USER.dt) AS brutforce_end, LAST(LOGIN_SUCCESS_SAME_USER.user) AS brutforce_login ONE ROW PER MATCH AFTER MATCH SKIP TO NEXT ROW PATTERN (LOGIN_SUCCESS_REMOTE ANY_ROW1 * (SUSPICIOUS_ACTION_SOON | SUSPICIOUS_ACTION_TIMEOUT) | (LOGIN_FAILED_SAME_USER ANY_ROW2 *) {2,} LOGIN_SUCCESS_SAME_USER) DEFINE LOGIN_SUCCESS_REMOTE AS LOGIN_SUCCESS_REMOTE.ev_type == "login"
-    AND LOGIN_SUCCESS_REMOTE.ev_status == "success"
-    AND LOGIN_SUCCESS_REMOTE.vpn == TRUE
-    AND COALESCE(LOGIN_SUCCESS_REMOTE.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE), ANY_ROW1 AS COALESCE(ANY_ROW1.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) <= 500, TRUE), SUSPICIOUS_ACTION_SOON AS SUSPICIOUS_ACTION_SOON.host == LAST(LOGIN_SUCCESS_REMOTE.host)
-    AND SUSPICIOUS_ACTION_SOON.ev_type == "delete_all"
-    AND COALESCE(SUSPICIOUS_ACTION_SOON.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) <= 500, TRUE), SUSPICIOUS_ACTION_TIMEOUT AS COALESCE(SUSPICIOUS_ACTION_TIMEOUT.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) > 500, TRUE), LOGIN_FAILED_SAME_USER AS LOGIN_FAILED_SAME_USER.ev_type == "login"
-    AND LOGIN_FAILED_SAME_USER.ev_status != "success"
-    AND (
-        LAST(LOGIN_FAILED_SAME_USER.user) IS NULL
-        OR LAST(LOGIN_FAILED_SAME_USER.user) == LOGIN_FAILED_SAME_USER.user
-    ) AND COALESCE(LOGIN_FAILED_SAME_USER.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE), ANY_ROW2 AS COALESCE(ANY_ROW2.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE), LOGIN_SUCCESS_SAME_USER AS LOGIN_SUCCESS_SAME_USER.ev_type == "login"
-    AND LOGIN_SUCCESS_SAME_USER.ev_status == "success"
-    AND LOGIN_SUCCESS_SAME_USER.user == LAST(LOGIN_FAILED_SAME_USER.user)
-    AND COALESCE(LOGIN_SUCCESS_SAME_USER.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE)) AS MATCHED
+    AS_TABLE($osquery_data) MATCH_RECOGNIZE (
+        ORDER BY
+            CAST(dt AS Timestamp)
+        MEASURES
+            LAST(LOGIN_SUCCESS_REMOTE.host) AS remote_login_host,
+            LAST(LOGIN_SUCCESS_REMOTE.user) AS remote_login_user,
+            LAST(LOGIN_SUCCESS_REMOTE.dt) AS remote_login_dt,
+            LAST(SUSPICIOUS_ACTION_SOON.dt) AS suspicious_action_dt,
+            LAST(SUSPICIOUS_ACTION_TIMEOUT.dt) AS suspicious_action_timeout_dt,
+            FIRST(LOGIN_FAILED_SAME_USER.dt) AS brutforce_begin,
+            FIRST(LOGIN_SUCCESS_SAME_USER.dt) AS brutforce_end,
+            LAST(LOGIN_SUCCESS_SAME_USER.user) AS brutforce_login
+        ONE ROW PER MATCH
+        AFTER MATCH SKIP TO NEXT ROW
+        PATTERN (LOGIN_SUCCESS_REMOTE ANY_ROW1 * (SUSPICIOUS_ACTION_SOON | SUSPICIOUS_ACTION_TIMEOUT) | (LOGIN_FAILED_SAME_USER ANY_ROW2 *) {2,} LOGIN_SUCCESS_SAME_USER)
+        DEFINE
+            LOGIN_SUCCESS_REMOTE AS LOGIN_SUCCESS_REMOTE.ev_type == "login"
+            AND LOGIN_SUCCESS_REMOTE.ev_status == "success"
+            AND LOGIN_SUCCESS_REMOTE.vpn == TRUE
+            AND COALESCE(LOGIN_SUCCESS_REMOTE.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE),
+            ANY_ROW1 AS COALESCE(ANY_ROW1.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) <= 500, TRUE),
+            SUSPICIOUS_ACTION_SOON AS SUSPICIOUS_ACTION_SOON.host == LAST(LOGIN_SUCCESS_REMOTE.host)
+            AND SUSPICIOUS_ACTION_SOON.ev_type == "delete_all"
+            AND COALESCE(SUSPICIOUS_ACTION_SOON.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) <= 500, TRUE),
+            SUSPICIOUS_ACTION_TIMEOUT AS COALESCE(SUSPICIOUS_ACTION_TIMEOUT.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) > 500, TRUE),
+            LOGIN_FAILED_SAME_USER AS LOGIN_FAILED_SAME_USER.ev_type == "login"
+            AND LOGIN_FAILED_SAME_USER.ev_status != "success"
+            AND (
+                LAST(LOGIN_FAILED_SAME_USER.user) IS NULL
+                OR LAST(LOGIN_FAILED_SAME_USER.user) == LOGIN_FAILED_SAME_USER.user
+            ) AND COALESCE(LOGIN_FAILED_SAME_USER.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE),
+            ANY_ROW2 AS COALESCE(ANY_ROW2.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE),
+            LOGIN_SUCCESS_SAME_USER AS LOGIN_SUCCESS_SAME_USER.ev_type == "login"
+            AND LOGIN_SUCCESS_SAME_USER.ev_status == "success"
+            AND LOGIN_SUCCESS_SAME_USER.user == LAST(LOGIN_FAILED_SAME_USER.user)
+            AND COALESCE(LOGIN_SUCCESS_SAME_USER.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE)
+    ) AS MATCHED
 ;

yql/essentials/tests/sql/sql2yql/canondata/test_sql_format.test_match_recognize-alerts_/formatted.sql

@@ -20,20 +20,41 @@ PRAGMA config.flags("MatchRecognizeStream", "disable");
 SELECT
     *
 FROM
-    AS_TABLE($osquery_data) MATCH_RECOGNIZE (ORDER BY
-        CAST(dt AS Timestamp)
-    MEASURES LAST(LOGIN_SUCCESS_REMOTE.host) AS remote_login_host, LAST(LOGIN_SUCCESS_REMOTE.user) AS remote_login_user, LAST(LOGIN_SUCCESS_REMOTE.dt) AS remote_login_dt, LAST(SUSPICIOUS_ACTION_SOON.dt) AS suspicious_action_dt, LAST(SUSPICIOUS_ACTION_TIMEOUT.dt) AS suspicious_action_timeout_dt, FIRST(LOGIN_FAILED_SAME_USER.dt) AS brutforce_begin, FIRST(LOGIN_SUCCESS_SAME_USER.dt) AS brutforce_end, LAST(LOGIN_SUCCESS_SAME_USER.user) AS brutforce_login ONE ROW PER MATCH AFTER MATCH SKIP TO NEXT ROW PATTERN (LOGIN_SUCCESS_REMOTE ANY_ROW1 * (SUSPICIOUS_ACTION_SOON | SUSPICIOUS_ACTION_TIMEOUT) | (LOGIN_FAILED_SAME_USER ANY_ROW2 *) {2,} LOGIN_SUCCESS_SAME_USER) DEFINE LOGIN_SUCCESS_REMOTE AS LOGIN_SUCCESS_REMOTE.ev_type == "login"
-    AND LOGIN_SUCCESS_REMOTE.ev_status == "success"
-    AND LOGIN_SUCCESS_REMOTE.vpn == TRUE
-    AND COALESCE(LOGIN_SUCCESS_REMOTE.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE), ANY_ROW1 AS COALESCE(ANY_ROW1.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) <= 500, TRUE), SUSPICIOUS_ACTION_SOON AS SUSPICIOUS_ACTION_SOON.host == LAST(LOGIN_SUCCESS_REMOTE.host)
-    AND SUSPICIOUS_ACTION_SOON.ev_type == "delete_all"
-    AND COALESCE(SUSPICIOUS_ACTION_SOON.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) <= 500, TRUE), SUSPICIOUS_ACTION_TIMEOUT AS COALESCE(SUSPICIOUS_ACTION_TIMEOUT.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) > 500, TRUE), LOGIN_FAILED_SAME_USER AS LOGIN_FAILED_SAME_USER.ev_type == "login"
-    AND LOGIN_FAILED_SAME_USER.ev_status != "success"
-    AND (
-        LAST(LOGIN_FAILED_SAME_USER.user) IS NULL
-        OR LAST(LOGIN_FAILED_SAME_USER.user) == LOGIN_FAILED_SAME_USER.user
-    ) AND COALESCE(LOGIN_FAILED_SAME_USER.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE), ANY_ROW2 AS COALESCE(ANY_ROW2.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE), LOGIN_SUCCESS_SAME_USER AS LOGIN_SUCCESS_SAME_USER.ev_type == "login"
-    AND LOGIN_SUCCESS_SAME_USER.ev_status == "success"
-    AND LOGIN_SUCCESS_SAME_USER.user == LAST(LOGIN_FAILED_SAME_USER.user)
-    AND COALESCE(LOGIN_SUCCESS_SAME_USER.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE)) AS MATCHED
+    AS_TABLE($osquery_data) MATCH_RECOGNIZE (
+        ORDER BY
+            CAST(dt AS Timestamp)
+        MEASURES
+            LAST(LOGIN_SUCCESS_REMOTE.host) AS remote_login_host,
+            LAST(LOGIN_SUCCESS_REMOTE.user) AS remote_login_user,
+            LAST(LOGIN_SUCCESS_REMOTE.dt) AS remote_login_dt,
+            LAST(SUSPICIOUS_ACTION_SOON.dt) AS suspicious_action_dt,
+            LAST(SUSPICIOUS_ACTION_TIMEOUT.dt) AS suspicious_action_timeout_dt,
+            FIRST(LOGIN_FAILED_SAME_USER.dt) AS brutforce_begin,
+            FIRST(LOGIN_SUCCESS_SAME_USER.dt) AS brutforce_end,
+            LAST(LOGIN_SUCCESS_SAME_USER.user) AS brutforce_login
+        ONE ROW PER MATCH
+        AFTER MATCH SKIP TO NEXT ROW
+        PATTERN (LOGIN_SUCCESS_REMOTE ANY_ROW1 * (SUSPICIOUS_ACTION_SOON | SUSPICIOUS_ACTION_TIMEOUT) | (LOGIN_FAILED_SAME_USER ANY_ROW2 *) {2,} LOGIN_SUCCESS_SAME_USER)
+        DEFINE
+            LOGIN_SUCCESS_REMOTE AS LOGIN_SUCCESS_REMOTE.ev_type == "login"
+            AND LOGIN_SUCCESS_REMOTE.ev_status == "success"
+            AND LOGIN_SUCCESS_REMOTE.vpn == TRUE
+            AND COALESCE(LOGIN_SUCCESS_REMOTE.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE),
+            ANY_ROW1 AS COALESCE(ANY_ROW1.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) <= 500, TRUE),
+            SUSPICIOUS_ACTION_SOON AS SUSPICIOUS_ACTION_SOON.host == LAST(LOGIN_SUCCESS_REMOTE.host)
+            AND SUSPICIOUS_ACTION_SOON.ev_type == "delete_all"
+            AND COALESCE(SUSPICIOUS_ACTION_SOON.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) <= 500, TRUE),
+            SUSPICIOUS_ACTION_TIMEOUT AS COALESCE(SUSPICIOUS_ACTION_TIMEOUT.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) > 500, TRUE),
+            LOGIN_FAILED_SAME_USER AS LOGIN_FAILED_SAME_USER.ev_type == "login"
+            AND LOGIN_FAILED_SAME_USER.ev_status != "success"
+            AND (
+                LAST(LOGIN_FAILED_SAME_USER.user) IS NULL
+                OR LAST(LOGIN_FAILED_SAME_USER.user) == LOGIN_FAILED_SAME_USER.user
+            ) AND COALESCE(LOGIN_FAILED_SAME_USER.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE),
+            ANY_ROW2 AS COALESCE(ANY_ROW2.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE),
+            LOGIN_SUCCESS_SAME_USER AS LOGIN_SUCCESS_SAME_USER.ev_type == "login"
+            AND LOGIN_SUCCESS_SAME_USER.ev_status == "success"
+            AND LOGIN_SUCCESS_SAME_USER.user == LAST(LOGIN_FAILED_SAME_USER.user)
+            AND COALESCE(LOGIN_SUCCESS_SAME_USER.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE)
+    ) AS MATCHED
 ;

yql/essentials/tests/sql/sql2yql/canondata/test_sql_format.test_match_recognize-alerts_without_order_/formatted.sql

@@ -20,18 +20,39 @@ PRAGMA config.flags("MatchRecognizeStream", "disable");
 SELECT
     *
 FROM
-    AS_TABLE($osquery_data) MATCH_RECOGNIZE (MEASURES LAST(LOGIN_SUCCESS_REMOTE.host) AS remote_login_host, LAST(LOGIN_SUCCESS_REMOTE.user) AS remote_login_user, LAST(LOGIN_SUCCESS_REMOTE.dt) AS remote_login_dt, LAST(SUSPICIOUS_ACTION_SOON.dt) AS suspicious_action_dt, LAST(SUSPICIOUS_ACTION_TIMEOUT.dt) AS suspicious_action_timeout_dt, FIRST(LOGIN_FAILED_SAME_USER.dt) AS brutforce_begin, FIRST(LOGIN_SUCCESS_SAME_USER.dt) AS brutforce_end, LAST(LOGIN_SUCCESS_SAME_USER.user) AS brutforce_login ONE ROW PER MATCH AFTER MATCH SKIP TO NEXT ROW PATTERN (LOGIN_SUCCESS_REMOTE ANY_ROW1 * (SUSPICIOUS_ACTION_SOON | SUSPICIOUS_ACTION_TIMEOUT) | (LOGIN_FAILED_SAME_USER ANY_ROW2 *) {2,} LOGIN_SUCCESS_SAME_USER) DEFINE LOGIN_SUCCESS_REMOTE AS LOGIN_SUCCESS_REMOTE.ev_type == "login"
-    AND LOGIN_SUCCESS_REMOTE.ev_status == "success"
-    AND LOGIN_SUCCESS_REMOTE.vpn == TRUE
-    AND COALESCE(LOGIN_SUCCESS_REMOTE.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE), ANY_ROW1 AS COALESCE(ANY_ROW1.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) <= 500, TRUE), SUSPICIOUS_ACTION_SOON AS SUSPICIOUS_ACTION_SOON.host == LAST(LOGIN_SUCCESS_REMOTE.host)
-    AND SUSPICIOUS_ACTION_SOON.ev_type == "delete_all"
-    AND COALESCE(SUSPICIOUS_ACTION_SOON.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) <= 500, TRUE), SUSPICIOUS_ACTION_TIMEOUT AS COALESCE(SUSPICIOUS_ACTION_TIMEOUT.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) > 500, TRUE), LOGIN_FAILED_SAME_USER AS LOGIN_FAILED_SAME_USER.ev_type == "login"
-    AND LOGIN_FAILED_SAME_USER.ev_status != "success"
-    AND (
-        LAST(LOGIN_FAILED_SAME_USER.user) IS NULL
-        OR LAST(LOGIN_FAILED_SAME_USER.user) == LOGIN_FAILED_SAME_USER.user
-    ) AND COALESCE(LOGIN_FAILED_SAME_USER.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE), ANY_ROW2 AS COALESCE(ANY_ROW2.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE), LOGIN_SUCCESS_SAME_USER AS LOGIN_SUCCESS_SAME_USER.ev_type == "login"
-    AND LOGIN_SUCCESS_SAME_USER.ev_status == "success"
-    AND LOGIN_SUCCESS_SAME_USER.user == LAST(LOGIN_FAILED_SAME_USER.user)
-    AND COALESCE(LOGIN_SUCCESS_SAME_USER.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE)) AS MATCHED
+    AS_TABLE($osquery_data) MATCH_RECOGNIZE (
+        MEASURES
+            LAST(LOGIN_SUCCESS_REMOTE.host) AS remote_login_host,
+            LAST(LOGIN_SUCCESS_REMOTE.user) AS remote_login_user,
+            LAST(LOGIN_SUCCESS_REMOTE.dt) AS remote_login_dt,
+            LAST(SUSPICIOUS_ACTION_SOON.dt) AS suspicious_action_dt,
+            LAST(SUSPICIOUS_ACTION_TIMEOUT.dt) AS suspicious_action_timeout_dt,
+            FIRST(LOGIN_FAILED_SAME_USER.dt) AS brutforce_begin,
+            FIRST(LOGIN_SUCCESS_SAME_USER.dt) AS brutforce_end,
+            LAST(LOGIN_SUCCESS_SAME_USER.user) AS brutforce_login
+        ONE ROW PER MATCH
+        AFTER MATCH SKIP TO NEXT ROW
+        PATTERN (LOGIN_SUCCESS_REMOTE ANY_ROW1 * (SUSPICIOUS_ACTION_SOON | SUSPICIOUS_ACTION_TIMEOUT) | (LOGIN_FAILED_SAME_USER ANY_ROW2 *) {2,} LOGIN_SUCCESS_SAME_USER)
+        DEFINE
+            LOGIN_SUCCESS_REMOTE AS LOGIN_SUCCESS_REMOTE.ev_type == "login"
+            AND LOGIN_SUCCESS_REMOTE.ev_status == "success"
+            AND LOGIN_SUCCESS_REMOTE.vpn == TRUE
+            AND COALESCE(LOGIN_SUCCESS_REMOTE.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE),
+            ANY_ROW1 AS COALESCE(ANY_ROW1.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) <= 500, TRUE),
+            SUSPICIOUS_ACTION_SOON AS SUSPICIOUS_ACTION_SOON.host == LAST(LOGIN_SUCCESS_REMOTE.host)
+            AND SUSPICIOUS_ACTION_SOON.ev_type == "delete_all"
+            AND COALESCE(SUSPICIOUS_ACTION_SOON.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) <= 500, TRUE),
+            SUSPICIOUS_ACTION_TIMEOUT AS COALESCE(SUSPICIOUS_ACTION_TIMEOUT.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) > 500, TRUE),
+            LOGIN_FAILED_SAME_USER AS LOGIN_FAILED_SAME_USER.ev_type == "login"
+            AND LOGIN_FAILED_SAME_USER.ev_status != "success"
+            AND (
+                LAST(LOGIN_FAILED_SAME_USER.user) IS NULL
+                OR LAST(LOGIN_FAILED_SAME_USER.user) == LOGIN_FAILED_SAME_USER.user
+            ) AND COALESCE(LOGIN_FAILED_SAME_USER.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE),
+            ANY_ROW2 AS COALESCE(ANY_ROW2.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE),
+            LOGIN_SUCCESS_SAME_USER AS LOGIN_SUCCESS_SAME_USER.ev_type == "login"
+            AND LOGIN_SUCCESS_SAME_USER.ev_status == "success"
+            AND LOGIN_SUCCESS_SAME_USER.user == LAST(LOGIN_FAILED_SAME_USER.user)
+            AND COALESCE(LOGIN_SUCCESS_SAME_USER.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE)
+    ) AS MATCHED
 ;