Advanced Security Event Correlation: Sequential Pattern Detection for UTMStack Rules

[osmontero]

Describe the feature

THIS ISSUE APPLIES to UTMStack v11. It is already present in v10.x
UTMStack should implement advanced temporal correlation capabilities to detect and respond to multi-stage security threats by analyzing sequences of related events across time windows. The system should be able to:

• Define complex pattern recognition rules based on chronological event sequences.
• Correlate security events across multiple data sources and log types.
• Configure customizable time windows for sequence detection (seconds to days).
• Support conditional logic between events in a sequence.
• Generate high-confidence alerts only when complete patterns are detected.
• Reduce false positives by requiring multiple staged events in specific order.

Use Case

This feature addresses several critical security scenarios:

• Advanced Persistent Threat (APT) Detection: Identify sophisticated attacks that progress through multiple stages (initial compromise → privilege escalation → lateral movement → data exfiltration).
• Credential Compromise Detection: Alert when multiple failed login attempts are followed by a successful authentication from an unusual source, indicating potential credential theft.
• Insider Threat Monitoring: Detect suspicious behavior sequences from authenticated users, such as accessing sensitive files followed by unusual data transfers or communication patterns.
• Security Control Bypass: Identify attempts to circumvent security systems through a series of seemingly benign actions that become malicious in sequence.
• Multi-Vector Attacks: Correlate events across different security domains (network, endpoint, application) to detect coordinated attacks using multiple entry points.

Proposed Solution

No response

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change