
Wisdom Flags

The table below provides a comprehensive list of low-level flags that AE uses to generate alerts and categorize network traffic. Most of these flags are generated by a custom-built internal service called Wisdom, which uses indicator lists and real-time classification algorithms.

| Name | Description |
| --- | --- |
| alt_dns | DNS server that supports non-ICANN TLDs |
| anon | Known anonymizing service endpoint |
| bad_asn | Destination IP is within a known bad ASN |
| bad_tld | Parent domain has a questionable TLD |
| bad_ua | The HTTP request has a known bad user agent value |
| beacon | Timing deltas have a regular pattern |
| bio | Known link-in-bio service hosting content |
| blockchain_lookup | Known blockchain API destination |
| blocklist | Item found on a third-party blocklist |
| botnet | IP is known to be compromised and part of a botnet |
| c2 | Known C2 callback destination |
| capture | Malicious credential capture destination |
| cert_lookup | Known OCSP service |
| cms | Destination appears to run a CMS |
| config_request | Client configuration request |
| cryptomining | Known mining pool destination |
| dns_block | Blocked by 3+ DNS threat blocking providers |
| dnscrypt | Known DNSCrypt service |
| doh | Known DNS over HTTPS service |
| dot | Known DNS over TLS service |
| dropper | Known malware distribution site |
| dshield | Destination blocked by SANS DShield |
| encoded_ip | Destination is an encoded IP |
| freedns | Parent domain is a dynamic DNS provider |
| hosting | Parent domain is a VPS / hosting provider |
| imposter | Registered domain impersonating a known brand |
| ip_lookup | Known IP lookup service |
| irc | Destination is an IRC server |
| malicious_js | Destination hosting malicious JavaScript |
| misconfigured | Indicative of system misconfiguration |
| oast | Known out-of-band application security testing domain |
| opendir | Browsing returns an open directory listing |
| p2p | Known P2P destination (e.g. BitTorrent tracker) |
| parked | Destination parent domain returns a parking page |
| perplexing_domain | Domain label seems perplexing |
| perplexing_host | Hostname label seems perplexing |
| popup | Malicious pop-up traffic |
| ransomware | Known ransomware destination |
| rare | Destination is uncommon |
| rare_ua | The HTTP request has a rare user agent value |
| remote_access | Remote access software traffic |
| sandbox | Malware samples communicate with this destination |
| sharing | Known image / paste sharing service |
| shortener | Destination is a URL shortener |
| simulation | Known benign adversary simulation destination |
| sinkholed | The destination is sinkholed by a security vendor |
| spearphishing | Known spear phishing destination |
| storage | Destination is a CDN or storage infrastructure |
| survey | Commonly abused survey service used to perform phishing |
| suspicious_domain | Domain label contains suspicious keywords |
| suspicious_tld | Parent domain has a suspicious TLD |
| tds | Known malicious traffic direction system |
| tor_dns | DNS lookup for a Tor destination |
| tunnel | Parent domain is a port forwarding provider |
| unique | Destination is unique to this environment |
| unreachable_domain | Domain has no name servers |
| unusual_port | Destination port associated with C2 activity |
| unwanted | Traffic associated with a potentially unwanted program |
| vpn | Third-party VPN provider infrastructure |
| webhook | Destination is a free webhook service |
| young_domain | Domain was registered less than 60 days ago |