generated from coulomb/repo-seed
1.2 KiB
1.2 KiB
Pattern: Security Event Taxonomy
Status: seed Readiness target: RL3 production Primary owners: NetKingdom, Railiance platform Genesis family: Detection and response
Problem
Logs become noisy and hard to correlate when security-relevant events do not share names, fields, severities, and actor/resource semantics.
Context
Use this pattern for identity, authorization, OpenBao, Kubernetes, artifact-store, ops access, workload events, and incident response.
Forces
- Different systems emit different event shapes.
- Tenant-visible audit requires careful projection.
- Agents and humans need separate attribution.
- Detection and response need severity and category consistency.
Solution
Define a shared taxonomy for security events with event class, actor, tenant, resource, action, outcome, severity, source, correlation id, and visibility rules.
Verification
- Critical systems emit events matching required fields.
- Event classes map to detection and response workflows.
- Tenant-visible fields are explicitly marked.
- Correlation ids link identity, policy, secret, and workload events.
Related Patterns
- Central Audit Ledger.
- Tenant Audit Log View.
- Runtime Threat Detection.
- Incident Runbook Library.