This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-security-event-taxonomy.md

1.2 KiB

Pattern: Security Event Taxonomy

Status: seed Readiness target: RL3 production Primary owners: NetKingdom, Railiance platform Genesis family: Detection and response

Problem

Logs become noisy and hard to correlate when security-relevant events do not share names, fields, severities, and actor/resource semantics.

Context

Use this pattern for identity, authorization, OpenBao, Kubernetes, artifact-store, ops access, workload events, and incident response.

Forces

  • Different systems emit different event shapes.
  • Tenant-visible audit requires careful projection.
  • Agents and humans need separate attribution.
  • Detection and response need severity and category consistency.

Solution

Define a shared taxonomy for security events with event class, actor, tenant, resource, action, outcome, severity, source, correlation id, and visibility rules.

Verification

  • Critical systems emit events matching required fields.
  • Event classes map to detection and response workflows.
  • Tenant-visible fields are explicitly marked.
  • Correlation ids link identity, policy, secret, and workload events.
  • Central Audit Ledger.
  • Tenant Audit Log View.
  • Runtime Threat Detection.
  • Incident Runbook Library.