Flags
An exhaustive list of the low-level flags used within AE to generate alerts and categorize traffic is found in the table below. The majority of flags are generated by the Wisdom service using indicator lists and on-the-fly classification in software. Some flags (e.g. beacon) are generated internally within AE as it identifies particular patterns locally.
| name | description |
|---|---|
| alt_dns | DNS server that supports non-ICANN TLDs |
| anon | Known anonymizing service endpoint |
| bad_asn | Destination IP is within a known bad ASN |
| bad_tld | Parent domain has a questionable TLD |
| bad_ua | The HTTP request has a known bad user agent value |
| beacon | Timing deltas have a regular pattern |
| bio | Known link-in-bio service hosting content |
| blockchain_lookup | Known blockchain API destination |
| blocklist | Item found on a third-party blocklist |
| botnet | IP is known to be compromised and part of a botnet |
| c2 | Known C2 callback destination |
| capture | Malicious credential capture destination |
| cert_lookup | Known OCSP service |
| cms | Destination appears to run a CMS |
| config_request | Client configuration request |
| cryptomining | Known mining pool destination |
| dns_block | Blocked by 3+ DNS threat blocking providers |
| dnscrypt | Known DNSCrypt service |
| doh | Known DNS over HTTPS service |
| dot | Known DNS over TLS service |
| dropper | Known malware distribution site |
| dshield | Destination blocked by SANS DShield |
| encoded_ip | Destination is an encoded IP |
| freedns | Parent domain is a dynamic DNS provider |
| hosting | Parent domain is a VPS / hosting provider |
| imposter | Registered domain impersonating a known brand |
| ip_lookup | Known IP lookup service |
| irc | Destination is an IRC server |
| malicious_js | Destination hosting malicious JavaScript |
| misconfigured | Indicative of system misconfiguration |
| oast | Known out-of-band application security testing domain |
| opendir | Browsing returns an open directory listing |
| p2p | Known P2P destination (e.g. BitTorrent tracker) |
| parked | Destination parent domain returns a parking page |
| perplexing_domain | Domain label seems perplexing |
| perplexing_host | Hostname label seems perplexing |
| popup | Malicious pop-up traffic |
| ransomware | Known ransomware destination |
| rare | Destination is uncommon |
| rare_ua | The HTTP request has a rare user agent value |
| remote_access | Remote access software traffic |
| sandbox | Malware samples communicate with this destination |
| sharing | Known image / paste sharing service |
| shortener | Destination is a URL shortener |
| simulation | Known benign adversary simulation destination |
| sinkholed | The destination is sinkholed by a security vendor |
| spearphishing | Known spear phishing destination |
| storage | Destination is a CDN or storage infrastructure |
| survey | Commonly abused survey service to perform phishing |
| suspicious_domain | Domain label contains suspicious keywords |
| suspicious_tld | Parent domain has a suspicious TLD |
| tds | Known malicious traffic direction system |
| tor_dns | DNS lookup for a Tor destination |
| tunnel | Parent domain is a port forwarding provider |
| unique | Destination is unique to this environment |
| unreachable_domain | Domain has no name servers |
| unusual_port | Destination port associated with C2 activity |
| unwanted | Traffic associated with a potentially unwanted program |
| vpn | Third-party VPN provider infrastructure |
| webhook | Destination is a free webhook service |
| young_domain | Domain was registered less than 60 days ago |