Architecture Overview

The EventProcessor and UTMStack integration is made up of several components that together form a complete security monitoring pipeline: a core engine, the plugins that extend it, a shared SDK, and the YAML rules and filters that drive detection and parsing.

Core Components

EventProcessor

The core engine that processes security events.


EventProcessor Plugins

Modules that extend the functionality of the EventProcessor (parsing, analysis, etc.).

UTMStack Plugins

Specific plugins that integrate UTMStack features with the EventProcessor.

go-sdk

A Go SDK that provides common functionality and shared interfaces for both the EventProcessor and its plugins.


Rules

YAML files defining detection logic for security threats.

Filters

YAML files defining how to extract and transform data from raw logs.

Plugin Architecture

The EventProcessor uses a micro-plugin architecture in which each plugin runs as a separate process. The core engine and its plugins communicate over gRPC on Unix domain sockets. Because a Unix domain socket is reachable only from the local host, access to a plugin endpoint is governed by the filesystem permissions on the socket path, so the directory holding the sockets should be private to the user the processor runs as.

Key Benefits

  • Flexibility: Add new functionality without modifying the core engine.

  • Isolation: Because each plugin is a separate process, a plugin crash does not necessarily bring down the core engine.

  • Language Independence: The project is written primarily in Go, but a plugin can in principle be written in any language with gRPC support.
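The following is an added example, not code from the EventProcessor, UTMStack or go-sdk projects, that shows the two security-relevant properties of the plugin transport described above: an RPC endpoint exposed on a Unix domain socket whose directory and socket file are restricted to the owning user, and fault containment so that one malformed event cannot kill the plugin's RPC server. It uses the standard library's net/rpc as a stand-in for gRPC so it runs with no dependencies, and for brevity host and plugin live in one binary rather than in separate processes. The Event and ParseResult types, the Plugin service, the parser.sock name and the "key=value" log format are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/rpc"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// Event is the payload the host hands to a plugin (constructed for this example).
type Event struct {
	Source string
	Raw    string
}

// ParseResult is what a parsing plugin returns (constructed for this example).
type ParseResult struct {
	Fields map[string]string
}

// Plugin is the RPC service a hypothetical parsing plugin exposes.
type Plugin struct{}

// Parse splits "key=value key=value" lines into fields. A panic inside the
// handler is converted into an RPC error so a single bad event cannot take
// down the plugin's RPC server (net/rpc does not recover handler panics).
func (p *Plugin) Parse(ev Event, out *ParseResult) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("plugin panic: %v", r)
		}
	}()
	if ev.Raw == "" {
		panic("empty event") // simulated plugin bug
	}
	out.Fields = make(map[string]string)
	for _, tok := range strings.Fields(ev.Raw) {
		k, v, ok := strings.Cut(tok, "=")
		if !ok {
			return fmt.Errorf("malformed token %q", tok)
		}
		out.Fields[k] = v
	}
	return nil
}

// ServePlugin starts the plugin's RPC server on a Unix domain socket inside
// dir. The directory is created 0700 and the socket 0600: with Unix domain
// sockets, filesystem permissions are the access control. It returns the
// socket path and a function that stops the server.
func ServePlugin(dir string) (string, func(), error) {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return "", nil, err
	}
	sock := filepath.Join(dir, "parser.sock")
	_ = os.Remove(sock) // drop a stale socket left by an earlier run
	// bind() creates the socket file as 0777 &^ umask, so tighten the umask
	// around Listen rather than chmod-ing afterwards (no 0755 window).
	old := syscall.Umask(0o177)
	ln, err := net.Listen("unix", sock)
	syscall.Umask(old)
	if err != nil {
		return "", nil, err
	}
	srv := rpc.NewServer()
	if err := srv.Register(&Plugin{}); err != nil {
		ln.Close()
		return "", nil, err
	}
	go srv.Accept(ln) // serves each connection in its own goroutine
	return sock, func() { ln.Close() }, nil
}

// CallParse is the host side: dial the plugin socket and invoke Plugin.Parse.
func CallParse(sock string, ev Event) (ParseResult, error) {
	c, err := rpc.Dial("unix", sock)
	if err != nil {
		return ParseResult{}, err
	}
	defer c.Close()
	var res ParseResult
	err = c.Call("Plugin.Parse", ev, &res)
	return res, err
}

func main() {
	dir, err := os.MkdirTemp("", "ep-plugins")
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(dir)
	sock, stop, err := ServePlugin(dir)
	if err != nil {
		log.Fatal(err)
	}
	defer stop()
	// Constructed sample event, not real UTMStack data.
	res, err := CallParse(sock, Event{Source: "sshd", Raw: "user=root action=login result=failed"})
	fmt.Println(res.Fields, err)
	_, err = CallParse(sock, Event{Source: "sshd", Raw: ""})
	fmt.Println("faulty event:", err) // an error comes back, the server keeps serving
}
```

The umask trick matters because a socket file that is world-connectable for even a moment lets any local user push events into the plugin; checking `os.Stat(sock).Mode().Perm()` after startup is a cheap way to assert the hardening held. The recover in Parse is a second layer on top of process isolation: the core engine survives a plugin dying, and the plugin survives a single hostile event.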

For more details on specific plugins, see Components.


Community and Support