Traditionally, rules have been applied to events for detecting unwanted activity. Sometimes, such unwanted activity has included data leakage, malware, etc. However, conventional techniques for applying rules to events have generally exhibited various limitations. Just by way of example, rules have traditionally only been applied to individual events, thus preventing detection of unwanted activity that spans multiple events. There is thus a need for overcoming these and/or other issues associated with the prior art.