1 initialize bufferOfEvents to zero
2 initialize threshold to maximumTolerable
3 while bufferOfEvents is not empty
4  Get newEvent from bufferOfEvents
5  Analize newEvent against correlationRules
6  If newEvent matches a correlationRule
7   matchedRuleCounter = matchedRuleCounter + 1
8   If matchedRuleCounter >= threshold
9    print “Event confirms an attack in progress”
10    Inform the system Admin
11    Launch an Incident Response
12   else
13    print “Event matches a rule but is not even an attack”
14  else
15   print “Event did not match any rule”
Listing 1: Reception and processing of security events by a SIEM.