This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-security-event-taxonomy.md

44 lines
1.2 KiB
Markdown

# Pattern: Security Event Taxonomy
Status: seed
Readiness target: RL3 production
Primary owners: NetKingdom, Railiance platform
Genesis family: Detection and response
## Problem
Logs become noisy and hard to correlate when security-relevant events
do not share names, fields, severities, and actor/resource semantics.
## Context
Use this pattern for identity, authorization, OpenBao, Kubernetes,
artifact-store, ops access, workload events, and incident response.
## Forces
- Different systems emit different event shapes.
- Tenant-visible audit requires careful projection.
- Agents and humans need separate attribution.
- Detection and response need severity and category consistency.
## Solution
Define a shared taxonomy for security events with event class, actor,
tenant, resource, action, outcome, severity, source, correlation id, and
visibility rules.
## Verification
- Critical systems emit events matching required fields.
- Event classes map to detection and response workflows.
- Tenant-visible fields are explicitly marked.
- Correlation ids link identity, policy, secret, and workload events.
## Related Patterns
- Central Audit Ledger.
- Tenant Audit Log View.
- Runtime Threat Detection.
- Incident Runbook Library.