Events are filtered based on goals set in the schemas and broken into subschemas by managers, to determine whether there is an attack