Overview

Here is a list of the event types we classify during parsing. This is helpful when building Case Groups and other inbound rules and filters.

TypeMapping
Copyright
Spam
Content
Activity
Vulnerability
Open
MailRelayAttempt
Bot
Malware
MalwareHosting
Phishing
NotSpam?
Spamvertised?
BlacklistBlocklist
Trademark
PortScan
DDos
DDosAmplification
IpSpoof
LoginAttack
IPReclamation
DNSProblems
Exploit
ChildAbuseCSAM
RPZ
Trap
CompromisedAccount
CompromisedServer
CompromisedWebsite
CVE
Backdoor
Fraud
Defacement
RogueDNS
Doxing
WebHack
WebCrawler
AuthFailure
Censorship
CompromisedMicrosoftExchange
DNSBlocklist
SSLPoodle
OutdatedDNSSEC
SSLFreak
Propaganda
Violence
DeviceIdentification
IllegalAdvertisement
MaliciousActivity
Harassment

Open Subtypes

Each open event signifies the existence of open ports, with the corresponding sub-events providing details about the services associated with these open ports.

TypeMapping
socks
proxy
router
redis
mongodb
elasticsearch
portmapper
snmp
ntp
tftp
ftp
rdp
rsync
netbios
mqtt
mc_sqlr
mdns_resolver
dns_resolver
ipmi
ldap
adb
afp
ard
ipp
ssl
tls
vpn
cwmp
ms_exchange
chargen
memcached
mssql
natpmp
qotd
ssdp
isakmp
vnc
telnet
xdmcp
db2
smb
hadoop
cisco_smart_install
mail_server
grafana
bitbucket
apache_server
gitlab_server
imap
pop3
http
radmin
ubiquiti
ssh
coap
vpn
smi
bosmon
ms_sharepoint
secvest_alarm_system
directory_listing
citrix
amqp
modbus
kubernetes_api_server
epmd
postgresql
quic
couchdb
docker
sip
stun
dvr
ics
hp_ilo
smarter_mail_server
log4j
zimbra_server
sap
bacnet
qnap
confluence
sophos
h2_web_console
fortigate
ivanti
fortios
canon
ws-discovery
slp
msmq