# A Modular Event Correlation Rules Framework: A Proposal for Multi-Event Attack Detection
Sachin Kakkar | July 18th 2025
## Summary
I'd like to propose a modular Event Correlation Rules Framework for windows_event_logging that enables detection of suspicious multi-event sequences — such as privilege escalation or lateral movement — using MITRE-style logic encoded in a YAML/JSON format.
## Problem
Currently, the project provides excellent event enablement templates, but lacks a framework to correlate multiple related events into actionable security alerts. This limits its ability to:
- Detect stealthy APT techniques (e.g., Sysmon + Audit log + WMI combo)
- Provide analysts with high-fidelity incident indicators
- Align with SOC expectations and MITRE ATT&CK methodology
## Proposal
Add a lightweight event correlation engine in PowerShell with:
- A rules folder (`correlation_rules/`) containing MITRE-style YAML rules
- A runner script (`run_event_correlation.ps1`) that:
  - Ingests events from the Windows Event Log (the channels Event Viewer displays)
  - Parses the correlation rules
  - Outputs alerts for rule matches
- Optional: output a CSV/JSON summary for SIEM or audit use
## Sample Rule Format (YAML)
```yaml
id: T1055.001_priv_esc
# Note on the ATT&CK mapping: T1055.001 is Process Injection: DLL Injection.
# PsExec-style remote service execution is catalogued under T1569.002
# (System Services: Service Execution); the rule id should name the
# technique the sequence actually detects.
description: Detect potential privilege escalation using PsExec
sequence:
  - event_id: 4688      # Security log: a new process has been created
    match: "psexec"     # substring to look for in the event (e.g. New Process Name)
  - event_id: 4672      # Security log: special privileges assigned to new logon
    within: 2m          # must follow the previous step within two minutes
```
## Output Example
```
ALERT: T1055.001_priv_esc matched
Machine: FIN-SERVER01 | Time: 10:22:11 | Confidence: High
```
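To make the matching semantics of `sequence` / `match` / `within` concrete, here is a minimal sequence correlator in PowerShell. It is an added illustration, not code from this issue or from the windows_event_logging project. It assumes the rule has already been deserialized into a hashtable mirroring the YAML above (a real runner would do that with a YAML parser, e.g. `ConvertFrom-Yaml` from the community powershell-yaml module), and it uses a handful of constructed events instead of reading the Security log with `Get-WinEvent`. Function names (`Invoke-CorrelationRule`, `Test-StepMatch`, `ConvertTo-TimeSpanFromRule`) and the host names are hypothetical.

```powershell
# Added example (not project code). Rule shape mirrors the YAML above; in the
# real runner this hashtable would come from ConvertFrom-Yaml on a rule file.
$rule = @{
    id          = 'T1055.001_priv_esc'
    description = 'Detect potential privilege escalation using PsExec'
    sequence    = @(
        @{ event_id = 4688; match = 'psexec' },
        @{ event_id = 4672; within = '2m' }
    )
}

# Constructed sample events (hypothetical hosts). In the real runner these would be
# EventLogRecord objects from:
#   Get-WinEvent -LogName Security -FilterHashtable @{ Id = 4688, 4672 }
$events = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2025-07-18T10:20:00'; MachineName = 'FIN-SERVER01'; Id = 4688; Message = 'A new process has been created. New Process Name: C:\Windows\System32\notepad.exe' },
    [pscustomobject]@{ TimeCreated = [datetime]'2025-07-18T10:22:05'; MachineName = 'FIN-SERVER01'; Id = 4688; Message = 'A new process has been created. New Process Name: C:\Tools\PsExec.exe' },
    [pscustomobject]@{ TimeCreated = [datetime]'2025-07-18T10:22:11'; MachineName = 'FIN-SERVER01'; Id = 4672; Message = 'Special privileges assigned to new logon. Account Name: svc_admin' },
    [pscustomobject]@{ TimeCreated = [datetime]'2025-07-18T10:30:00'; MachineName = 'WS-042';        Id = 4688; Message = 'A new process has been created. New Process Name: C:\Tools\PsExec.exe' },
    [pscustomobject]@{ TimeCreated = [datetime]'2025-07-18T10:40:00'; MachineName = 'WS-042';        Id = 4672; Message = 'Special privileges assigned to new logon. Account Name: alice' }
)

function ConvertTo-TimeSpanFromRule {
    # Parses the rule's shorthand duration ("2m", "30s", "1h") into a TimeSpan.
    param([string]$Text)
    if ($Text -match '^(\d+)([smh])$') {
        switch ($Matches[2]) {
            's' { return [timespan]::FromSeconds([int]$Matches[1]) }
            'm' { return [timespan]::FromMinutes([int]$Matches[1]) }
            'h' { return [timespan]::FromHours([int]$Matches[1]) }
        }
    }
    throw "Unsupported duration '$Text' (expected e.g. 2m, 30s, 1h)"
}

function Test-StepMatch {
    # A step matches when the event id agrees and, if 'match' is set, the message
    # contains that substring (-like is case-insensitive; wildcard characters in
    # the rule text would be interpreted, so keep 'match' to plain substrings).
    param($Step, $Event)
    if ($Event.Id -ne $Step.event_id) { return $false }
    if ($Step.match -and -not ($Event.Message -like "*$($Step.match)*")) { return $false }
    return $true
}

function Invoke-CorrelationRule {
    # Walks each host's events in time order. Each step must follow the previous
    # matched step within its 'within' window; if the window is exceeded the
    # partial chain is discarded so stale first steps cannot pair with later ones.
    param($Rule, $Events)
    $alerts = @()
    foreach ($group in ($Events | Group-Object MachineName)) {
        $chain = @()
        foreach ($ev in ($group.Group | Sort-Object TimeCreated)) {
            $step = $Rule.sequence[$chain.Count]
            if (-not (Test-StepMatch $step $ev)) { continue }
            if ($chain.Count -gt 0 -and $step.within) {
                $window = ConvertTo-TimeSpanFromRule $step.within
                if (($ev.TimeCreated - $chain[-1].TimeCreated) -gt $window) {
                    # Too late: drop the chain; this event may still start a new one.
                    $chain = @()
                    if (Test-StepMatch $Rule.sequence[0] $ev) { $chain += $ev }
                    continue
                }
            }
            $chain += $ev
            if ($chain.Count -eq $Rule.sequence.Count) {
                $alerts += [pscustomobject]@{
                    Rule    = $Rule.id
                    Machine = $group.Name
                    Time    = $chain[-1].TimeCreated
                    Events  = $chain
                }
                $chain = @()
            }
        }
    }
    return $alerts
}

$alerts = Invoke-CorrelationRule -Rule $rule -Events $events
foreach ($a in $alerts) {
    "ALERT: $($a.Rule) matched"
    "Machine: $($a.Machine) | Time: $($a.Time.ToString('HH:mm:ss'))"
}
```

Grouping by `MachineName` before walking the chain is what keeps a 4688 on one host from pairing with a 4672 on another; the window check is what separates the FIN-SERVER01 pair (six seconds apart) from the WS-042 pair (ten minutes apart). Fields such as `Confidence` and the CSV/JSON export from the proposal would sit on top of the returned alert objects, for example via `Export-Csv` or `ConvertTo-Json`.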
## Benefits
- Helps organizations move toward Zero Trust detection maturity
- Aligns with ACSC’s Essential 8 logging goals
- Reduces alert fatigue by highlighting meaningful sequences
## Ask
Would the maintainers support this enhancement? Happy to submit a draft PR and iterate based on feedback.
Here’s how my new sample folder structure would look:
```
windows_event_logging/
├── correlation_rules/
│   ├── T1055_priv_esc.yaml
│   └── T1071_command_control.yaml
├── run_event_correlation.ps1
├── test_logs/
│   └── sample_eventlog.evtx
└── README.md (update with usage)
```
**Thank YOU for maintaining this critical public resource!**