Flags


The table below is an exhaustive list of the low-level flags that AE uses to generate alerts and categorize traffic. Most flags are produced by the Wisdom service, using indicator lists and on-the-fly classification in software. A few flags (e.g. beacon) are generated internally within AE as it identifies particular patterns locally.

| name | description |
|---|---|
| alt_dns | DNS server that supports non-ICANN TLDs |
| anon | Known anonymizing service endpoint |
| bad_asn | Destination IP is within a known bad ASN |
| bad_tld | Parent domain has a questionable TLD |
| bad_ua | The HTTP request has a known bad user agent value |
| beacon | Timing deltas have a regular pattern |
| blockchain_lookup | Known blockchain API destination |
| c2 | Known C2 callback destination |
| cert_lookup | Known OCSP service |
| cms | Destination appears to run a CMS |
| config_request | Client configuration request |
| cryptomining | Known mining pool destination |
| cryptomining_js | JavaScript cryptojacking |
| ctc | Destination blocked by Cyber Threat Coalition |
| dns_block | Blocked by 3+ DNS threat blocking providers |
| dnscrypt | Known DNSCrypt service |
| doh | Known DNS over HTTPS service |
| dot | Known DNS over TLS service |
| dropper | Known malware distribution site |
| drupal | Destination appears to run Drupal |
| dshield | Destination blocked by SANS DShield |
| encoded_ip | Destination is an encoded IP |
| freedns | Parent domain is a dynamic DNS provider |
| freenet | Freenet traffic indicating circuit setup |
| hosting | Parent domain is a VPS / hosting provider |
| i2p | I2P traffic indicating circuit setup |
| imposter | Registered domain impersonating a known brand |
| ip_lookup | Known IP lookup service |
| irc | Destination is an IRC server |
| joomla | Destination appears to run Joomla |
| mail_server | Destination is a mail server |
| misconfigured | Indicative of system misconfiguration |
| name_server | Destination is a DNS server |
| opendir | Browsing returns an open directory listing |
| optiv | Destination blocked by Optiv |
| p2p | Known P2P destination (e.g. BitTorrent tracker) |
| perplexing_domain | Domain label seems perplexing |
| perplexing_host | Hostname label seems perplexing |
| phishing | Known consumer phishing site |
| popup | Malicious pop-up traffic |
| ransomware | Known ransomware destination |
| rare | Destination is uncommon |
| rare_ua | The HTTP request has a rare user agent value |
| remote_access | Remote access software traffic |
| safebrowsing | Destination blocked by Google Safe Browsing |
| sandbox | Malware samples communicate with this destination |
| sharing | Known image / paste sharing service |
| shortener | Destination is a URL shortener |
| sinkholed | The destination is sinkholed by a security vendor |
| spearphishing | Known spear phishing destination |
| storage | Destination is a CDN or storage infrastructure |
| suspicious_domain | Domain label contains suspicious keywords |
| suspicious_tld | Parent domain has a suspicious TLD |
| talos | Destination blocked by Cisco Talos |
| tds | Known malicious traffic direction system |
| tor | Tor traffic indicating circuit setup |
| tor_dns | DNS lookup for a Tor destination |
| tunnel | Parent domain is a port forwarding provider |
| unique | Destination is unique to this environment |
| unreachable_domain | Domain has no name servers |
| unusual_port | Destination port associated with C2 activity |
| unwanted | Traffic associated with a potentially unwanted program |
| vpn | Third-party VPN provider infrastructure |
| webhook | Destination is a free webhook service |
| webrisk | Destination blocked by Google Web Risk |
| wordpress | Destination appears to run WordPress |
| young_domain | Domain was registered less than 60 days ago |
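As an added illustration of the locally generated beacon flag ("timing deltas have a regular pattern"), the following is example code and not AE's own implementation: it groups constructed connection records by (src, dst), computes the inter-connection deltas, and flags a pair whose deltas have a low coefficient of variation. The minimum connection count and the 0.2 cutoff are assumed values chosen for the example.

```python
from statistics import mean, pstdev


def timing_deltas(timestamps):
    """Inter-connection intervals (seconds) for a list of epoch timestamps."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def is_beacon(timestamps, min_connections=8, max_cv=0.2):
    """Return True when the timing deltas for one (src, dst) pair look regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the deltas; low variation means evenly spaced connections. The thresholds
    are assumptions for this example, not AE's.
    """
    if len(timestamps) < min_connections:
        return False
    deltas = timing_deltas(timestamps)
    avg = mean(deltas)
    if avg <= 0:
        return False
    return pstdev(deltas) / avg <= max_cv


def flag_beacons(connections, **thresholds):
    """Group (src, dst, ts) records by pair and return the pairs flagged beacon."""
    by_pair = {}
    for src, dst, ts in connections:
        by_pair.setdefault((src, dst), []).append(ts)
    return sorted(pair for pair, ts in by_pair.items() if is_beacon(ts, **thresholds))


# Constructed sample data: one host calling out every ~300 s with +/-1 s jitter,
# one host browsing the same destination at irregular intervals.
BASE = 1_700_000_000
SAMPLE_CONNECTIONS = (
    [("10.0.0.5", "198.51.100.20", BASE + 300 * i + (i % 3) - 1) for i in range(12)]
    + [("10.0.0.9", "203.0.113.7", BASE + t)
       for t in (0, 4, 190, 201, 903, 910, 1500, 2600, 2604, 4000)]
)

if __name__ == "__main__":
    for src, dst in flag_beacons(SAMPLE_CONNECTIONS):
        print("beacon", src, "->", dst)
```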