Wisdom Flags
The table below lists the low-level flags that AE uses to generate alerts and categorize network traffic. Most of these flags are produced by a custom-built internal service called Wisdom, which combines indicator lists with real-time classification algorithms.
| Name | Description |
|---|---|
| alt_dns | DNS server that supports non-ICANN TLDs |
| anon | Known anonymizing service endpoint |
| bad_asn | Destination IP is within a known bad ASN |
| bad_tld | Parent domain has a questionable TLD |
| bad_ua | The HTTP request has a known bad user agent value |
| beacon | Timing deltas have a regular pattern |
| bio | Known link-in-bio service hosting content |
| blockchain_lookup | Known blockchain API destination |
| blocklist | Item found on a third-party blocklist |
| botnet | IP is known to be compromised and part of a botnet |
| c2 | Known C2 callback destination |
| capture | Malicious credential capture destination |
| cert_lookup | Known OCSP service |
| cms | Destination appears to run a CMS |
| config_request | Client configuration request |
| cryptomining | Known mining pool destination |
| dns_block | Blocked by 3+ DNS threat blocking providers |
| dnscrypt | Known DNSCrypt service |
| doh | Known DNS over HTTPS service |
| dot | Known DNS over TLS service |
| dropper | Known malware distribution site |
| dshield | Destination blocked by SANS DShield |
| encoded_ip | Destination is an encoded IP |
| freedns | Parent domain is a dynamic DNS provider |
| hosting | Parent domain is a VPS / hosting provider |
| imposter | Registered domain impersonating a known brand |
| ip_lookup | Known IP lookup service |
| irc | Destination is an IRC server |
| malicious_js | Destination hosting malicious JavaScript |
| misconfigured | Indicative of system misconfiguration |
| oast | Known out-of-band application security testing domain |
| opendir | Browsing returns an open directory listing |
| p2p | Known P2P destination (e.g. BitTorrent tracker) |
| parked | Destination parent domain returns a parking page |
| perplexing_domain | Domain label seems perplexing |
| perplexing_host | Hostname label seems perplexing |
| popup | Malicious pop-up traffic |
| ransomware | Known ransomware destination |
| rare | Destination is uncommon |
| rare_ua | The HTTP request has a rare user agent value |
| remote_access | Remote access software traffic |
| sandbox | Malware samples communicate with this destination |
| sharing | Known image / paste sharing service |
| shortener | Destination is a URL shortener |
| simulation | Known benign adversary simulation destination |
| sinkholed | The destination is sinkholed by a security vendor |
| spearphishing | Known spear phishing destination |
| storage | Destination is a CDN or storage infrastructure |
| survey | Survey service commonly abused for phishing |
| suspicious_domain | Domain label contains suspicious keywords |
| suspicious_tld | Parent domain has a suspicious TLD |
| tds | Known malicious traffic direction system |
| tor_dns | DNS lookup for a Tor destination |
| tunnel | Parent domain is a port forwarding provider |
| unique | Destination is unique to this environment |
| unreachable_domain | Domain has no name servers |
| unusual_port | Destination port associated with C2 activity |
| unwanted | Traffic associated with a potentially unwanted program |
| vpn | Third-party VPN provider infrastructure |
| webhook | Destination is a free webhook service |
| young_domain | Domain was registered less than 60 days ago |