SecurityEvent type catalog

SecurityEvent is the headline event type emitted by every operator in ugallu. The platform freezes a closed catalog of 92 types under security.ugallu.io/v1alpha1 - a ValidatingAdmissionPolicy enforces that spec.type matches one of the entries below, so an emitter that ships with a typo is rejected at the API server before any attestor or forensics consumer ever sees it.

Schema

apiVersion: security.ugallu.io/v1alpha1
kind: SecurityEvent
spec:
  type: ClusterAdminGranted          # one of the 92 types below
  class: Detection                    # Detection|Audit|Forensic|Compliance|Anomaly|PolicyViolation
  severity: critical                  # info|low|medium|high|critical
  source:
    operator: ugallu-audit-detection
    cluster: prod-eu-1
  subject:
    kind: User                        # User|Pod|Node|Secret|ClusterRoleBinding|...|External
    name: alice
    uid: 1f...
  description: "user alice bound to cluster-admin"
  evidence: { auditID: "abcd-...", requestObject: { ... } }
status:
  phase: Pending                      # Pending|Attested|Sealed
  attestationBundleRef: { name: ... }

Class semantics

Class	When it fires	Where it lands
Detection	A rule or detector matched a hostile or risky pattern.	Default whitelist for forensics.spec.trigger.classes.
Audit	A non-malicious but auditable API operation.	Captured for retention; rarely triggers response.
Forensic	Lifecycle event of an incident capture pipeline.	Emitted by forensics itself - capture started, completed, failed.
Compliance	A scheduled or ad-hoc compliance check completed (kube-bench, backup-verify, attestation).	Drives compliance dashboards; ranks via worstSeverity.
Anomaly	A platform self-health signal: source went silent, queue grew, key rotation overdue.	On-call / SRE dashboards. Not for application incident response.
PolicyViolation	A workload deviated from its declared policy (e.g. seccomp drift).	Drives gitops-responder or human review.

The class is what ranks an event on the dashboards, not the severity. A Detection critical and a Compliance critical are treated very differently downstream.

Catalog

The table is grouped by emitter, then sorted by typical severity. The “Severity” column is the value at the emit site - rules and policy can override (e.g. SigmaRule lets the user pick severity per match).

audit-detection (29 types)

The audit-detection operator turns the apiserver audit log into SecurityEvents through a Sigma rule engine plus a built-in policy allowlist.

Type	Class	Severity	Trigger
AnonymousAccess	Detection	critical	unauthenticated user reached the apiserver
ClusterAdminGranted	Detection	critical	wildcard ClusterRoleBinding to cluster-admin
CRDOverwrite	Detection	critical	a CustomResourceDefinition was created or modified
FailOpenWebhook	Detection	critical	webhook configured failurePolicy: Ignore on a critical resource
APIServiceInsecure	Detection	high	APIService entry without TLS or with invalid CA
CapAddDangerous	Detection	high	container adds CAP_SYS_ADMIN / CAP_NET_ADMIN / CAP_NET_RAW / CAP_SYS_PTRACE
ExecIntoPod	Detection	high	kubectl exec against a pod
HostIPCPod	Detection	high	pod with hostIPC: true
HostNetworkPod	Detection	high	pod with hostNetwork: true
HostPathMount	Detection	high	pod mounts a hostPath volume
HostPIDPod	Detection	high	pod with hostPID: true
ImpersonationUsed	Detection	high	request used Impersonate-User header
NamespacePSAWeakened	Detection	high	a namespace’s pod-security-admission label downgraded
PortForwardOpened	Detection	high	kubectl port-forward to a pod
PrivilegeEscalationAttempt	Detection	high	container allowPrivilegeEscalation: true
PrivilegedPodChange	Detection	high	pod spec mutated to add privileged: true
ServiceAccountTokenRequest	Detection	high	TokenRequest API used (often automation)
UnsignedImage	Detection	high	container image not signed or signature failed verification
WebhookSideEffectsUnknown	Detection	high	webhook with sideEffects: Unknown
WildcardRBACBinding	Detection	high	RBAC rule with * in resources or verbs
ImagePullPolicyAlways	Detection	medium	container with imagePullPolicy: Always (registry exposure)
LatestImageTag	Detection	medium	container image pinned to :latest or untagged
LongLivedSecretToken	Detection	medium	service account token with extended TTL
RunAsRootContainer	Detection	medium	container runAsUser: 0 or unset
SecretMountedAsEnv	Detection	medium	secret data projected into env vars
ServiceAccountTokenAutomount	Detection	medium	pod automounts the default SA token
KubernetesAPICall	Audit	info	raw audit log entry (test of the pipeline)
ProxyAccess	Audit	info	request via kubectl proxy
WatchSubscription	Audit	info	a long-lived watch subscription opened

webhook-auditor (7 types)

Type	Class	Severity	Trigger
WebhookConfigDeleted	Detection	critical	a webhook configuration was deleted (loss of guardrails)
WebhookFailOpenCriticalAPI	Detection	critical	webhook on a critical API fails open
MutatingWebhookHighRisk	Detection	high	risk score crossed WebhookAuditorConfig.spec.thresholds.alertOn
ValidatingWebhookHighRisk	Detection	high	same, for validating webhooks
WebhookCAUntrusted	Detection	high	caBundle issuer not in trustedCASources
WebhookSecretAccess	Detection	high	webhook references a Secret outside its namespace
WebhookEvalFailed	Anomaly	medium	the auditor itself failed to evaluate a webhook

dns-detect (8 types)

Type	Class	Severity	Trigger
DNSAnomalousPort	Detection	high	DNS query to non-53/853 port
DNSExfiltration	Detection	high	high-entropy / long-label query indicating data exfil
DNSTunneling	Detection	high	base64 / hex pattern in subdomain labels
DNSToBlocklistedFQDN	Detection	medium	query matched a per-namespace blocklist ConfigMap
DNSToYoungDomain	Detection	medium	RDAP shows the domain was registered fewer than N days ago
DNSConfigMissing	Anomaly	high	DNSDetectConfig singleton not found at boot
DNSDetectorDegraded	Anomaly	medium	a per-detector failure is sustained
DNSSourceSilent	Anomaly	medium	no events received from CoreDNS plugin or Tetragon for >1m

tenant-escape (7 types)

Type	Class	Severity	Trigger
CrossTenantExec	Detection	critical	exec into a pod whose namespace belongs to a different tenant than the caller
CrossTenantHostPathOverlap	Detection	critical	pod create with hostPath overlapping another tenant’s mount
CrossTenantNetworkPolicy	Detection	critical	NetworkPolicy / CiliumNetworkPolicy crosses a tenant boundary
CrossTenantSecretAccess	Detection	critical	get/list on a Secret outside the caller’s tenant
TenantBoundaryOverlap	Anomaly	critical	two TenantBoundary CRs claim the same namespace
TenantBoundaryEmpty	Anomaly	high	the index has zero boundaries (cluster has no tenancy model)
TenantEscapeSourceLagged	Anomaly	medium	audit-bus consumer lag exceeded the warning threshold

honeypot (4 types)

Type	Class	Severity	Trigger
HoneypotTriggered	Detection	critical	something accessed a decoy Secret or SA
HoneypotMisplaced	Detection	high	a decoy was found outside its declared namespace
HoneypotConfigInvalid	Anomaly	high	the HoneypotConfig failed validation
HoneypotDecoyMissing	Anomaly	high	the deployer’s index expected a decoy that the apiserver doesn’t return

forensics (6 types)

Type	Class	Severity	Trigger
IncidentCaptureCompleted	Forensic	high	the IR pipeline finished all 3 steps; evidence sealed
IncidentCaptureFailed	Forensic	high	a step failed permanently; sandbox + freeze rolled back
IncidentCaptureStarted	Forensic	info	the trigger predicate matched and the capture began
EvidencePreserved	Forensic	info	EvidenceUploadStep wrote a content-addressed manifest
PodFrozen	Forensic	info	PodFreezeStep applied the deny-all NetworkPolicy
PodUnfrozen	Forensic	info	the suspect pod was unfrozen (manual ack or auto-unfreeze)

seccomp-gen (3 types)

Type	Class	Severity	Trigger
SeccompTrainingFailed	PolicyViolation	high	the engine couldn’t subscribe to the bridge or the training window expired with no syscalls observed
SeccompTrainingCompleted	PolicyViolation	info	training window closed; SeccompTrainingProfile produced
SeccompTrainingStarted	PolicyViolation	info	engine attached to the target pod’s syscalls

backup-verify (4 types)

Type	Class	Severity	Trigger
BackupVerifyMismatch	Detection	critical	checksum diff or full-restore diff exceeded the policy threshold
BackupVerifyFailed	Compliance	high	the run itself failed to execute (Velero unreachable, snapshot file missing)
BackupVerifyCompleted	Compliance	info	run completed clean - findings either empty or all below alertOn
BackupVerifyStarted	Compliance	info	run picked up by the controller

compliance-scan (3 types)

Type	Class	Severity	Trigger
ComplianceScanFailed	Compliance	high	backend (kube-bench Job, Falco, CEL) failed to produce a result
ComplianceScanCompleted	Compliance	info	scan completed; findings ranked by worstSeverity
ComplianceScanStarted	Compliance	info	run picked up

confidential-attestation (3 types)

Type	Class	Severity	Trigger
AttestationFailed	Compliance	critical	quote mismatch, device error, or nonce replay
AttestationStarted	Compliance	info	DaemonSet pod began producing the quote
AttestationVerified	Compliance	info	quote matched the policy on PCRs / IDBlock / MRTD

Cross-cutting platform events (18 types)

These are emitted by the SDK runtime singletons (attestor, ttl, backpressure, the emitter) and by individual operators when they detect their own degraded paths or a cluster-wide condition. They drive on-call dashboards rather than incident response.

Type	Class	Severity	Trigger
IncidentBurst	Anomaly	critical	incident rate / minute crossed the alert floor (often a real attack)
KeyRotationEmergency	Anomaly	critical	the configured signing key is past its rotation deadline
RBACEscalationChain	Anomaly	critical	a chain of RBAC grants ending in cluster-admin was observed
WORMIntegrityViolation	Anomaly	critical	the WORM bucket reported a checksum mismatch on read-back
AttestorUnavailable	Anomaly	high	attestor health check failed
AuditLogStreamSilent	Anomaly	high	audit-detection received zero events for a configurable window
BehaviorBaselineDeviation	Anomaly	high	a learned baseline (workload, namespace) is exceeded
ClockSkewDetected	Anomaly	high	NTP skew on a node exceeded 250ms (attestor / Rekor timestamp risk)
EtcdBackpressureHigh	Anomaly	high	the apiserver returned 429 on SE writes
GitOpsConflict	Anomaly	high	the gitops-responder hit an unresolved merge conflict
ImageRevocation	Anomaly	high	a pulled image’s signature is no longer valid (post-pull revocation)
LateralMovementSuspected	Anomaly	high	reasoner-style correlation: the same identity touched several tenants in a short window
TetragonDataInconsistent	Anomaly	high	Tetragon FineGuidance event fields didn’t match the bridge schema
TTLConfigMissing	Anomaly	high	TTL controller can’t find its config in a watched namespace
WORMQuotaExceeded	Anomaly	high	bucket usage crossed WORMConfig.spec.quotas.softQuotaPercent
AuditBridgeSilent	Anomaly	medium	tenant-escape’s audit-bus subscription went silent
SourceRateLimited	Anomaly	medium	emitter SDK shed events to keep the apiserver responsive
AttestorRecovered	Anomaly	info	attestor returned to healthy after a window of failures

Adding a new type

The catalog is closed by design. To add a type:

1. Append the constant to sdk/pkg/api/v1alpha1/types.go and to the KnownTypes map in types_catalog.go.
2. Update the type-catalog ValidatingAdmissionPolicy enum so the apiserver lets the new spec.type value through.
3. Run hack/ci-local.sh - the type-catalog parity check fails if the constant, the map, and the policy diverge.

The closed catalog is what lets every downstream consumer (dashboards, attestor’s class-to-severity matrix, the gitops router) treat spec.type as a typed enum.