# Pattern: Security Event Taxonomy Status: seed Readiness target: RL3 production Primary owners: NetKingdom, Railiance platform Genesis family: Detection and response ## Problem Logs become noisy and hard to correlate when security-relevant events do not share names, fields, severities, and actor/resource semantics. ## Context Use this pattern for identity, authorization, OpenBao, Kubernetes, artifact-store, ops access, workload events, and incident response. ## Forces - Different systems emit different event shapes. - Tenant-visible audit requires careful projection. - Agents and humans need separate attribution. - Detection and response need severity and category consistency. ## Solution Define a shared taxonomy for security events with event class, actor, tenant, resource, action, outcome, severity, source, correlation id, and visibility rules. ## Verification - Critical systems emit events matching required fields. - Event classes map to detection and response workflows. - Tenant-visible fields are explicitly marked. - Correlation ids link identity, policy, secret, and workload events. ## Related Patterns - Central Audit Ledger. - Tenant Audit Log View. - Runtime Threat Detection. - Incident Runbook Library.