Action Taxonomy

All agent events are normalized to a canonical domain:scope:verb format before processing. This taxonomy is used across the entire stack: API ingestion, graph builder, GNN scorer, RAG pipeline, and customer dashboard.

Format

{domain}:{scope}:{verb}
  • domain — System category: mcp, tool, data, auth, net, sys, agent
  • scope — Specific service or context within that domain (github, server, field, oauth, ...)
  • verb — Atomic operation performed; a dotted verb such as repo.read or iam.role.modify names the object and then the operation
Examples:
mcp:github:repo.read
tool:database:query.execute
data:field:pii.access
auth:oauth:token.request
Validation regex: ^[a-z][a-z0-9_]*:[a-z][a-z0-9_]*:[a-z][a-z0-9_.]*$
The regex is case-sensitive and accepts only lower-case ASCII: digits and underscores are allowed after the first character of each segment (k8s, list_tools), dots are allowed only in the verb segment, and anything else (upper case, a missing segment, a placeholder such as {poisoned_action}, a glob character) does not validate as an action.

Domains

mcp — Model Context Protocol. Actions through MCP server connections. Highest-growth category.

MCP Lifecycle

Action                        Description
mcp:server:connect            Agent connects to MCP server
mcp:server:disconnect         Agent disconnects
mcp:server:authenticate       Agent authenticates with server
mcp:server:list_tools         Agent discovers available tools
mcp:server:list_resources     Agent discovers resources
mcp:server:update             Server version change detected

Productivity & Collaboration

Action                        Description
mcp:slack:message.send        Send Slack message
mcp:slack:file.upload         Upload file to Slack
mcp:notion:page.read          Read Notion page
mcp:notion:page.write         Create/update Notion page
mcp:gmail:email.send          Send email via Gmail
mcp:gmail:email.forward       Forward email
mcp:linear:issue.create       Create Linear issue
mcp:jira:issue.create         Create Jira issue

Development & DevOps

Action                        Description
mcp:github:repo.read          Read repository content
mcp:github:pr.create          Create pull request
mcp:github:pr.merge           Merge pull request
mcp:github:secret.read        Read repository secrets
mcp:docker:container.create   Create Docker container
mcp:k8s:secret.read           Read Kubernetes secrets
mcp:terraform:apply.execute   Apply Terraform changes

Data & Analytics

Action                        Description
mcp:postgres:query.execute    Execute PostgreSQL query
mcp:snowflake:data.export     Export data from Snowflake
mcp:s3:object.read            Read S3 object
mcp:s3:object.write           Write S3 object
mcp:redis:key.read            Read Redis key

Cloud & Infrastructure

Action                        Description
mcp:aws:iam.role.modify       Modify IAM role
mcp:aws:secrets.read          Read AWS Secrets Manager secret
mcp:gcp:iam.modify            Modify GCP IAM
mcp:cloudflare:dns.modify     Modify DNS

CRM & Business

Action                        Description
mcp:salesforce:record.read    Read Salesforce record
mcp:stripe:payment.create     Create payment
mcp:hubspot:contact.write     Create/update contact

Compound Threat Sequences

The GNN detects multi-step attack patterns across PRECEDED_BY edges (the edges that link consecutive actions). In the sequences below, mcp:{poisoned_action} is a placeholder for whichever tool the poisoned description steers the agent into calling, and [descriptions changed] is an annotation on the list_tools event; neither is a literal action string, and neither passes the validation regex.
# Exfiltration Chain
tool:database:query.execute → data:field:pii_sensitive.access → net:external:data.send

# Privilege Escalation
auth:permission:check → auth:permission:grant → auth:session:elevate → tool:database:query.execute

# Tool Poisoning (MCP)
mcp:server:connect → mcp:server:list_tools → agent:reasoning:tool.select → mcp:{poisoned_action} → data:field:auth.access → net:external:data.send

# Supply Chain
mcp:server:update → mcp:server:list_tools [descriptions changed] → agent:reasoning:tool.invoke → sys:process:command.execute

Policy Matching

Customer policies reference actions using glob patterns:
# Block all external email sends
- rule: block
  match: "mcp:gmail:email.send"

# Flag any PII access followed by external send
- rule: flag
  match_sequence:
    - "data:field:pii*.access"
    - "net:external:data.send OR mcp:*:*.send"
  within: 300  # seconds

# Flag unverified MCP server connections
- rule: flag
  match: "mcp:server:connect"
  condition: "mcp_context.is_verified == false"
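The validation regex from the Format section, the ordered chains of the Compound Threat Sequences section and the `match_sequence` / `within` rule above can be exercised together in one small matcher. The following is an added example written for this page; it is not the product's own policy engine. Its assumptions about semantics the page does not spell out are: a `*` in a policy pattern matches any characters inside a single colon-separated segment, ` OR ` separates alternative patterns, events are matched per agent in timestamp order, and `within` bounds the gap between the first and last matched event. The event log is constructed for the example.

```python
"""Canonical-action validation and sequence policy matching (added example)."""
import re
from dataclasses import dataclass

# Validation regex exactly as given in the Format section.
ACTION_RE = re.compile(r"^[a-z][a-z0-9_]*:[a-z][a-z0-9_]*:[a-z][a-z0-9_.]*$")


def is_valid_action(action: str) -> bool:
    """True if `action` is in canonical domain:scope:verb form."""
    return ACTION_RE.fullmatch(action) is not None


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a policy glob such as "data:field:pii*.access" or
    "net:external:data.send OR mcp:*:*.send" into one anchored regex.
    Assumption: '*' stays inside a segment, ' OR ' separates alternatives."""
    alternatives = [
        re.escape(alt.strip()).replace(r"\*", "[^:]*") for alt in pattern.split(" OR ")
    ]
    return re.compile("^(?:" + "|".join(alternatives) + ")$")


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since epoch
    agent: str
    action: str    # canonical domain:scope:verb string


def match_sequence(events, patterns, within):
    """Return every ordered chain of events matching `patterns` within `within` seconds.

    Each agent's events are scanned in timestamp order. A chain starts at an
    event matching the first pattern and is complete once every later pattern
    has matched, in order, before the window closes. Non-canonical actions are
    dropped first, so a malformed or placeholder action can never satisfy a rule.
    """
    regexes = [pattern_to_regex(p) for p in patterns]
    by_agent = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if is_valid_action(ev.action):
            by_agent.setdefault(ev.agent, []).append(ev)

    hits = []
    for agent_events in by_agent.values():
        for i, start in enumerate(agent_events):
            if not regexes[0].match(start.action):
                continue
            if len(regexes) == 1:               # single-step rule: the start is the hit
                hits.append((start,))
                continue
            chain, k = [start], 1
            for ev in agent_events[i + 1:]:
                if ev.ts - start.ts > within:
                    break                       # window closed without a full chain
                if regexes[k].match(ev.action):
                    chain.append(ev)
                    k += 1
                    if k == len(regexes):
                        hits.append(tuple(chain))
                        break
    return hits


# The "Flag any PII access followed by external send" rule from the page.
PII_EXFIL_RULE = {
    "rule": "flag",
    "match_sequence": ["data:field:pii*.access", "net:external:data.send OR mcp:*:*.send"],
    "within": 300,
}

# Constructed sample log for the example (not real telemetry).
SAMPLE_EVENTS = [
    Event(1000.0, "agent-a", "mcp:server:connect"),
    Event(1001.0, "agent-a", "tool:database:query.execute"),
    Event(1002.0, "agent-a", "data:field:pii_sensitive.access"),
    Event(1050.0, "agent-a", "mcp:slack:message.send"),   # send through an MCP tool, 48 s later
    Event(2000.0, "agent-b", "data:field:pii.access"),
    Event(2400.0, "agent-b", "net:external:data.send"),   # 400 s later: outside the window
    Event(3000.0, "agent-c", "MCP:Gmail:email.send"),     # not canonical, dropped
]


def evaluate(rule, events):
    """Evaluate a match_sequence rule and return the matched chains."""
    return match_sequence(events, rule["match_sequence"], rule["within"])


if __name__ == "__main__":
    for chain in evaluate(PII_EXFIL_RULE, SAMPLE_EVENTS):
        print(PII_EXFIL_RULE["rule"], [(e.agent, e.action) for e in chain])
```

Run as a script it flags only agent-a: the PII access is followed within 48 s by a send through an MCP tool, which the `mcp:*:*.send` alternative catches even though no `net:external:data.send` event exists. agent-b's send arrives 400 s after the access and falls outside `within`, and agent-c's upper-case action never reaches the matcher because it fails the canonical-format check.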

GNN Feature Encoding

When building the graph, the action string is decomposed into features:
Feature        Encoding                                            Dimension
domain         One-hot: mcp, tool, data, auth, net, sys, agent     7
scope          Learned embedding (hash of scope string)            32
verb           One-hot from standard verbs table                   20
action_full    Learned embedding (hash of full action string)      64
The four groups are concatenated into a 123-dimensional node feature. The GNN uses both the decomposed features (for pattern generalization: two actions with different scopes still share their domain and verb dimensions) and the full action embedding (for specific action recognition).