Modeling and efficiently detecting security-critical sequences of actions

Abstract

Many different techniques and tools have been proposed to prevent and detect malicious activities, and all of them rely on a demanding data analysis task. The main source of data for this analysis is the activity logs that are produced in large volumes at run time and are often characterized by semantically rich properties. The paper proposes a framework for analyzing the collected logs in order to provide defenders with relevant insights into the attacks that have been conducted. The framework consists of two ingredients: (i) a modeling language for defining the patterns of attacks that are of interest to the defenders, and (ii) an algorithm that identifies, in an input log, all possible attacks conforming to the given patterns. The paper presents a formalization of the modeling language and a study of its properties from a theoretical viewpoint, as well as the algorithm (along with an ad hoc data structure), which is shown to be very efficient at identifying attacks in real-world scenarios.
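The kind of analysis the abstract describes, reduced to a small worked illustration: an attack pattern is an ordered sequence of action predicates plus a time window, and the detector enumerates every subsequence of a log that conforms to it. This is an added example written for this page, not the paper's modeling language or algorithm (the abstract specifies neither); the log line format, the `Event` and `Pattern` types, the constraint that all steps belong to the same user, and the sample log lines are all assumptions constructed here.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Event:
    """One log record: timestamp, principal, action, target (assumed schema)."""
    ts: datetime
    user: str
    action: str
    target: str


@dataclass(frozen=True)
class Pattern:
    """An ordered sequence of step predicates that must all occur, for the same
    user, in log order, with the last step no later than `window` after the first."""
    name: str
    steps: Tuple[Callable[[Event], bool], ...]
    window: timedelta


def parse_line(line: str) -> Event:
    """Parse the assumed whitespace-separated format: ts user action target."""
    ts, user, action, target = line.split()
    return Event(datetime.fromisoformat(ts), user, action, target)


def _extend(evs: List[Event], pattern: Pattern, step: int,
            start: int, partial: List[Event]) -> List[Tuple[Event, ...]]:
    """Recursively enumerate all completions of `partial` from index `start` on."""
    if step == len(pattern.steps):
        return [tuple(partial)]
    out = []
    for i in range(start, len(evs)):
        e = evs[i]
        # Events are sorted, so once one falls outside the window all later ones do too.
        if partial and e.ts - partial[0].ts > pattern.window:
            break
        if pattern.steps[step](e):
            out.extend(_extend(evs, pattern, step + 1, i + 1, partial + [e]))
    return out


def find_matches(events: List[Event], pattern: Pattern) -> List[Tuple[Event, ...]]:
    """Return every distinct instantiation of `pattern` in the log (all, not just the first)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)
    matches: List[Tuple[Event, ...]] = []
    for evs in by_user.values():
        matches.extend(_extend(evs, pattern, 0, 0, []))
    return matches


def action_is(name: str) -> Callable[[Event], bool]:
    return lambda e: e.action == name


# Constructed sample log (not real data).
SAMPLE_LOG = """\
2024-01-01T10:00:00 alice login_fail host1
2024-01-01T10:00:05 alice login_fail host1
2024-01-01T10:00:10 alice login_ok host1
2024-01-01T10:01:00 alice sudo host1
2024-01-01T10:02:00 alice scp external
2024-01-01T10:00:00 bob login_ok host2
2024-01-01T10:30:00 bob sudo host2
2024-01-02T10:00:00 bob scp external
"""

PATTERNS = [
    # Failed logins, then a success, then privilege use, then an outbound copy, all within 10 min.
    Pattern("fail_then_exfil",
            (action_is("login_fail"), action_is("login_ok"), action_is("sudo"), action_is("scp")),
            timedelta(minutes=10)),
    # Success, privilege use, outbound copy within one hour.
    Pattern("privesc_exfil",
            (action_is("login_ok"), action_is("sudo"), action_is("scp")),
            timedelta(hours=1)),
]


def match_counts(log_text: str = SAMPLE_LOG) -> dict:
    """Number of conforming subsequences per pattern; the value a test can assert on."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {p.name: len(find_matches(events, p)) for p in PATTERNS}


if __name__ == "__main__":
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    for p in PATTERNS:
        for m in find_matches(events, p):
            print(p.name, m[0].user, [e.action for e in m], m[-1].ts - m[0].ts)
```

On the constructed log, `fail_then_exfil` yields two matches for alice (one per preceding failed login, since the algorithm enumerates all instantiations rather than stopping at the first), and `privesc_exfil` yields one: bob's copy happens a day after his login, so the time-window check prunes it. The recursive enumeration is exponential in the worst case, which is precisely why the paper invests in a dedicated data structure; this toy only makes the matching semantics concrete.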

Publication
Future Generation Computer Systems