Skip to content

Taxonomy of alerts

TeskaLabs provides a taxonomy for organizing and managing the various artefacts generated within the system, making it easier for cyber security analysts to prioritize their workload and respond effectively to security threats.

The taxonomy is organized into following tree:

  • Event
    • Log
    • Complex
  • Ticket
    • Alert
    • Incident

Here is the explaination of each category and their subcategories.


Events are records of activities that occur within an organization's network, systems, or applications.

They can be further classified into:


Logs are basic records generated by various devices, systems, or applications that store information about their activity. Examples include firewall logs, server logs, or application logs. These logs help analysts understand what is happening within the organization's environment and can be used for detecting security threats and anomalies.


Complex events refer to correlated or aggregated events that may indicate a security incident or require further analysis. They are generated by correlators, watchers and other detectors that gather events from various sources, analyze them, and create alerts based on predefined rules or machine learning algorithms.


Tickets are created by cyber security analysts or automated correlators, watchers and detectors to track and manage security events that require attention. The ticket can refer to zero, one or more events.

They can be further classified into:


Alerts are generated when a specific event, series of events, or anomaly is detected that may indicate a potential security threat. Alerts typically require immediate attention from cyber security analysts to triage, investigate, and determine if the ticket is a genuine security incident.


Incidents are confirmed security events that have been investigated and classified as genuine threats. They represent a higher level of severity than alerts and often involve a coordinated response from multiple teams, such as incident response or network administration, to contain, remediate, and recover from the threat.