Skip to main content


An exhaustive list of the low-level flags used within AE to generate alerts and categorize traffic is found in the table below. The majority of flags are generated by the Wisdom service using indicator lists and on-the-fly classification in software. Some flags (e.g. beacon) are generated internally within AE as it identifies particular patterns locally.

alt_dnsDNS server that supports non-ICANN TLDs
anonKnown anonymizing service endpoint
bad_asnDestination IP is within a known bad ASN
bad_tldParent domain has a questionable TLD
bad_uaThe HTTP request has a known bad user agent value
beaconTiming deltas have a regular pattern
bioKnown link-in-bio service hosting content
blockchain_lookupKnown blockchain API destination
blocklistItem found on a third-party blocklist
botnetIP is known to be compromised and part of a botnet
c2Known C2 callback destination
captureMalicious credential capture destination
cert_lookupKnown OCSP service
cmsDestination appears to run a CMS
config_requestClient configuration request
cryptominingKnown mining pool destination
dns_blockBlocked by 3+ DNS threat blocking providers
dnscryptKnown DNSCrypt service
dohKnown DNS over HTTPS service
dotKnown DNS over TLS service
dropperKnown malware distribution site
dshieldDestination blocked by SANS DShield
encoded_ipDestination is an encoded IP
freednsParent domain is a dynamic DNS provider
hostingParent domain is a VPS / hosting provider
imposterRegistered domain impersonating a known brand
ip_lookupKnown IP lookup service
ircDestination is an IRC server
malicious_jsDestination hosting malicious JavaScript
misconfiguredIndicative of system misconfiguration
oastKnown out-of-band application security testing domain
opendirBrowsing returns an open directory listing
p2pKnown P2P destination (e.g. BitTorrent tracker)
parkedDestination parent domain returns a parking page
perplexing_domainDomain label seems perplexing
perplexing_hostHostname label seems perplexing
popupMalicious pop-up traffic
ransomwareKnown ransomware destination
rareDestination is uncommon
rare_uaThe HTTP request has a rare user agent value
remote_accessRemote access software traffic
sandboxMalware samples communicate with this destination
sharingKnown image / paste sharing service
shortenerDestination is a URL shortener
simulationKnown benign adversary simulation destination
sinkholedThe destination is sinkholed by a security vendor
spearphishingKnown spear phishing destination
storageDestination is a CDN or storage infrastructure
surveyCommonly abused survey service to perform phishing
suspicious_domainDomain label contains suspicious keywords
suspicious_tldParent domain has a suspicious TLD
tdsKnown malicious traffic direction system
tor_dnsDNS lookup for a Tor destination
tunnelParent domain is a port forwarding provider
uniqueDestination is unique to this environment
unreachable_domainDomain has no name servers
unusual_portDestination port associated with C2 activity
unwantedTraffic associated with a potentially unwanted program
vpnThird-party VPN provider infrastructure
webhookDestination is a free webhook service
young_domainDomain was registered less than 60 days ago