Components
The ecosystem is built on a two-tier architecture: the high-performance EventProcessor engine (managed core) and the UTMStack extension layer (open-source ecosystem).
The EventProcessor is the proprietary, high-performance engine that orchestrates the data pipeline. While the core engine repository is private, its functionality is fully extensible through the public SDK and the custom plugin system.
- Atomic steps used in filters to structure data:
  - Data Extraction: json, kv, csv, grok.
  - Transformation: rename, cast, reformat, trim, add.
  - Control: delete, drop.
- cel: The primary engine for evaluating Rules using Common Expression Language.
- feeds: A threat intelligence engine that correlates logs with ThreatWinds malicious indicators (IPs, Domains, Hashes).
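To show how the three step categories above compose into a filter, here is an added Go sketch (not code from the EventProcessor or the go-sdk): it chains one extraction step, one transformation step and one control step over a constructed event. The Event map type, the Step signature and the step names are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"strconv"
)

// Event stands in for the Standard Event Schema as a flat field map (an assumption for this example).
type Event map[string]any
// Step is one atomic filter operation; a filter is an ordered list of steps.
// A step returning a nil Event drops the whole event (the "drop" control step).
type Step func(Event) (Event, error)

// JSON (extraction) parses the text held in field into top-level event fields.
func JSON(field string) Step {
	return func(e Event) (Event, error) {
		raw, _ := e[field].(string)
		return e, json.Unmarshal([]byte(raw), &e) // merges parsed keys into the existing map
	}
}

// CastInt (transformation) turns a numeric string into int64 so rules can compare it numerically.
func CastInt(field string) Step {
	return func(e Event) (Event, error) {
		s, _ := e[field].(string)
		n, err := strconv.ParseInt(s, 10, 64)
		if err == nil {
			e[field] = n
		}
		return e, err
	}
}

// Drop (control) discards events for which match returns true.
func Drop(match func(Event) bool) Step {
	return func(e Event) (Event, error) {
		if match(e) {
			return nil, nil
		}
		return e, nil
	}
}

// Run applies the steps in order, stopping at the first error or drop.
func Run(e Event, steps ...Step) (Event, error) {
	for _, s := range steps {
		var err error
		if e, err = s(e); err != nil || e == nil {
			return nil, err
		}
	}
	return e, nil
}
```

A malformed payload surfaces as an error from the extraction step rather than a half-populated event, so the pipeline can count and quarantine it instead of indexing it.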
UTMStack provides the open-source layer of specialized plugins and integrations. We welcome community contributions in the UTMStack Repository.
| Category | Plugin(s) | Role |
|---|---|---|
| Ingestion | inputs | Unified entry point for logs via HTTP and gRPC (Agents, Syslog-ng). |
| Integrations | aws, azure, gcp, o365, crowdstrike, sophos, bitdefender | Native cloud and EDR collectors. |
| Parsing | geolocation | Enriches events with geographic context. |
| Output / Storage | events | Indexes all successfully processed events into OpenSearch (using the v11-log-* pattern). |
| Correlation / Lifecycle | alerts | Handles alert deduplication, parent-child linking, and indexing into the v11-alert index. |
| Notification | stats | System metrics and internal health reports. |
| Management | config | Centralized configuration service. |
The engine manages adaptive queues and worker pools to ensure high-speed ingestion and processing. It enforces the Standard Event Schema across all components.
Every component—both built-in and community-contributed—interfaces with the system via the Open Source go-sdk.
- Type Safety: Common definitions for Logs, Events, and Alerts.
- Connectivity: gRPC service definitions for Parsing, Analysis, and Correlation.
- Development: Hot-reloading support for custom plugins.