generated from coulomb/repo-seed
44 lines
1.2 KiB
Markdown
44 lines
1.2 KiB
Markdown
# Pattern: Security Event Taxonomy
|
|
|
|
Status: seed
|
|
Readiness target: RL3 production
|
|
Primary owners: NetKingdom, Railiance platform
|
|
Genesis family: Detection and response
|
|
|
|
## Problem
|
|
|
|
Logs become noisy and hard to correlate when security-relevant events
|
|
do not share names, fields, severities, and actor/resource semantics.
|
|
|
|
## Context
|
|
|
|
Use this pattern for identity, authorization, OpenBao, Kubernetes,
|
|
artifact-store, ops access, workload events, and incident response.
|
|
|
|
## Forces
|
|
|
|
- Different systems emit different event shapes.
|
|
- Tenant-visible audit requires careful projection.
|
|
- Agents and humans need separate attribution.
|
|
- Detection and response need severity and category consistency.
|
|
|
|
## Solution
|
|
|
|
Define a shared taxonomy for security events with event class, actor,
|
|
tenant, resource, action, outcome, severity, source, correlation id, and
|
|
visibility rules.
|
|
|
|
## Verification
|
|
|
|
- Critical systems emit events matching required fields.
|
|
- Event classes map to detection and response workflows.
|
|
- Tenant-visible fields are explicitly marked.
|
|
- Correlation ids link identity, policy, secret, and workload events.
|
|
|
|
## Related Patterns
|
|
|
|
- Central Audit Ledger.
|
|
- Tenant Audit Log View.
|
|
- Runtime Threat Detection.
|
|
- Incident Runbook Library.
|