Taxonomy of Alerts

TeskaLabs LogMan.io provides the following taxonomy for organizing and managing various artifacts generated within the system:

  • Event
    • Log
    • Complex
  • Ticket
    • Alert
    • Incident

Events are records of activities that occur within an organization's network, systems, or applications. They can be further classified into logs and complex events.

Tickets are records that help to track and manage security events that require attention. Tickets are created by cybersecurity analysts or by automated correlators and detectors. A ticket can refer to no events, to one event, or to several events. We currently distinguish between alerts and incidents.

This classification aims to help cybersecurity analysts prioritize their workload and promptly respond to security threats.

Event Types

Logs are basic records generated by various devices, systems, or applications that store information about their activity. Examples include firewall logs, server logs, or application logs. They help analysts understand what is happening within the organization's environment and can be used for detecting security threats and anomalies.

Complex events refer to correlated or aggregated events that may indicate a security incident or require further analysis. They are generated by correlators, baseliners and other detectors that gather events from various sources, analyze them, and create alerts based on predefined rules or machine learning algorithms.

Ticket Types: Investigation Stage

Alerts are generated when a specific event, a series of events, or an anomaly that may indicate a potential security threat is detected. Alerts typically require immediate attention from cybersecurity analysts, who triage and investigate them to determine whether the ticket represents a genuine security incident.

Incidents are confirmed security events that have been investigated and classified as threats. They represent a higher level of severity than alerts and often involve a coordinated response from multiple teams, such as incident response or network administration, to contain, remediate, and recover.

Ticket Types: Lifecycle Stage

Sleeping Ticket is a ticket that has no workflow state assigned because it has not entered the workflow yet. It is not visible or accessible to users.

Regular Ticket is a ticket that has entered the workflow and is in an active state.
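The following added example models the whole taxonomy above in code. It is illustrative code written for this page, not TeskaLabs LogMan.io's own data model or correlator: the toy `correlate()` function, the "login failed" sample log lines, the event and ticket IDs, and the `workflow_state` field are all constructed assumptions. It shows how a correlator turns several logs into one complex event, how a detector-created ticket starts in the sleeping lifecycle stage and is hidden from users until it enters the workflow, how an analyst-created ticket may reference no events at all, and how an alert is reclassified as an incident only once it is under investigation.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


# --- Event taxonomy: a log is a raw record; a complex event is derived from logs ---
class EventKind(Enum):
    LOG = "log"
    COMPLEX = "complex"


@dataclass
class Event:
    id: str
    kind: EventKind
    source: str
    message: str
    derived_from: list[str] = field(default_factory=list)  # log ids (complex only)


# --- Ticket taxonomy: investigation stage and lifecycle stage are separate axes ---
class TicketType(Enum):
    ALERT = "alert"        # needs triage/investigation
    INCIDENT = "incident"  # confirmed threat, coordinated response


class Lifecycle(Enum):
    SLEEPING = "sleeping"  # no workflow state yet; hidden from users
    REGULAR = "regular"    # entered the workflow; active


@dataclass
class Ticket:
    id: str
    ticket_type: TicketType
    title: str
    event_ids: list[str] = field(default_factory=list)  # none, one or several events
    workflow_state: Optional[str] = None  # assumed field: None while sleeping

    @property
    def lifecycle(self) -> Lifecycle:
        return Lifecycle.SLEEPING if self.workflow_state is None else Lifecycle.REGULAR

    def enter_workflow(self, state: str = "new") -> None:
        self.workflow_state = state  # becomes a regular ticket

    def confirm_incident(self) -> None:
        # Only a ticket that is actually being worked can be classified as an incident.
        if self.lifecycle is Lifecycle.SLEEPING:
            raise ValueError("ticket must enter the workflow before classification")
        self.ticket_type = TicketType.INCIDENT


def correlate(logs: list[Event], threshold: int = 3) -> list[Event]:
    """Toy correlator (assumption): one complex event per source with >= threshold failures."""
    by_source: dict[str, list[Event]] = {}
    for log in logs:
        if log.kind is EventKind.LOG and log.message == "login failed":
            by_source.setdefault(log.source, []).append(log)
    return [
        Event(id=f"cx-{src}", kind=EventKind.COMPLEX, source="correlator",
              message=f"{len(group)} failed logins from {src}",
              derived_from=[e.id for e in group])
        for src, group in by_source.items() if len(group) >= threshold
    ]


def visible_tickets(tickets: list[Ticket]) -> list[str]:
    """Ids of tickets a user may see: only regular (in-workflow) tickets."""
    return [t.id for t in tickets if t.lifecycle is Lifecycle.REGULAR]


# Constructed sample logs (not real data).
SAMPLE_LOGS = [
    Event("log-1", EventKind.LOG, "10.0.0.5", "login failed"),
    Event("log-2", EventKind.LOG, "10.0.0.5", "login failed"),
    Event("log-3", EventKind.LOG, "10.0.0.9", "login ok"),
    Event("log-4", EventKind.LOG, "10.0.0.5", "login failed"),
    Event("log-5", EventKind.LOG, "10.0.0.9", "login failed"),
]


def run_demo() -> dict:
    complex_events = correlate(SAMPLE_LOGS)
    # A detector opens one alert ticket per complex event; it starts sleeping.
    tickets = [Ticket(f"t-{i}", TicketType.ALERT, cx.message, [cx.id])
               for i, cx in enumerate(complex_events, start=1)]
    # An analyst-created ticket may reference no events and goes straight into the workflow.
    manual = Ticket("t-manual", TicketType.ALERT, "Phishing reported by user")
    manual.enter_workflow()
    tickets.append(manual)
    visible_before = visible_tickets(tickets)
    tickets[0].enter_workflow()      # sleeping -> regular
    tickets[0].confirm_incident()    # alert -> incident after investigation
    return {
        "complex_events": complex_events,
        "tickets": tickets,
        "visible_before": visible_before,
        "visible_after": visible_tickets(tickets),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Note that lifecycle stage (sleeping/regular) and investigation stage (alert/incident) are tracked independently, which is why `confirm_incident()` checks the lifecycle first: classification is an analyst decision and only makes sense for a ticket that is visible and being worked.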