Wisdom Flags
The table below provides a comprehensive list of low-level flags that AE uses to generate alerts and categorize network traffic. Most of these flags are generated by a custom-built internal service called Wisdom, which uses indicator lists and real-time classification algorithms.
| Name | Description |
|---|---|
| alt_dns | DNS server that supports non-ICANN TLDs |
| anon | Known anonymizing service endpoint |
| bad_asn | Destination IP is within a known bad ASN |
| bad_tld | Parent domain has a questionable TLD |
| bad_ua | The HTTP request has a known bad user agent value |
| beacon | Timing deltas have a regular pattern |
| bio | Known link-in-bio service hosting content |
| blockchain_lookup | Known blockchain API destination |
| blocklist | Item found on a third-party blocklist |
| botnet | IP is known to be compromised and part of a botnet |
| c2 | Known C2 callback destination |
| capture | Malicious credential capture destination |
| cert_lookup | Known OCSP service |
| cms | Destination appears to run a CMS |
| config_request | Client configuration request |
| cryptomining | Known mining pool destination |
| dns_block | Blocked by 3+ DNS threat blocking providers |
| dnscrypt | Known DNSCrypt service |
| doh | Known DNS over HTTPS service |
| dot | Known DNS over TLS service |
| dropper | Known malware distribution site |
| dshield | Destination blocked by SANS DShield |
| encoded_ip | Destination is an encoded IP |
| freedns | Parent domain is a dynamic DNS provider |
| hosting | Parent domain is a VPS / hosting provider |
| imposter | Registered domain impersonating a known brand |
| ip_lookup | Known IP lookup service |
| irc | Destination is an IRC server |
| malicious_js | Destination hosting malicious JavaScript |
| misconfigured | Indicative of system misconfiguration |
| oast | Known out-of-band application security testing domain |
| opendir | Browsing returns an open directory listing |
| p2p | Known P2P destination (e.g. BitTorrent tracker) |
| parked | Destination parent domain returns a parking page |
| perplexing_domain | Domain label seems perplexing |
| perplexing_host | Hostname label seems perplexing |
| popup | Malicious pop-up traffic |
| ransomware | Known ransomware destination |
| rare | Destination is uncommon |
| rare_ua | The HTTP request has a rare user agent value |
| remote_access | Remote access software traffic |
| sandbox | Malware samples communicate with this destination |
| sharing | Known image/paste sharing service |
| shortener | Destination is a URL shortener |
| simulation | Known benign adversary simulation destination |
| sinkholed | The destination is sinkholed by a security vendor |
| spearphishing | Known spear phishing destination |
| storage | Destination is a CDN or storage infrastructure |
| survey | Survey service commonly abused for phishing |
| suspicious_domain | Domain label contains suspicious keywords |
| suspicious_tld | Parent domain has a suspicious TLD |
| tds | Known malicious traffic direction system |
| tor_dns | DNS lookup for a Tor destination |
| tunnel | Parent domain is a port forwarding provider |
| unique | Destination is unique to this environment |
| unreachable_domain | Domain has no name servers |
| unusual_port | Destination port associated with C2 activity |
| unwanted | Traffic associated with a potentially unwanted program |
| vpn | Third-party VPN provider infrastructure |
| webhook | Destination is a free webhook service |
| young_domain | Domain was registered less than 60 days ago |