Event Types without Subtypes
These event types are standalone classifications that don’t require additional subtype information.Security & Infrastructure
AuthFailure
- Authentication failure attemptsBackdoor
- Backdoor installations or accessBlacklist
- IP addresses appearing on security blacklistsCompromisedAccount
- Compromised user accountsCompromisedServer
- Compromised servers or systemsCompromisedWebsite
- Compromised websitesDDos
- Coordinated efforts to overwhelm systems with excessive trafficDDosAmplification
- Exploitation of amplification vulnerabilities to magnify DDoS attacksDefacement
- Website defacementDNSBlocklist
- DNS-based blocklist entriesDNSProblems
- Fraudulent messages from compromised DNS/email serversExploit
- Software or commands that exploit system vulnerabilities to compromise securityIPReclamation
- IP prefix hijacking or unauthorized IP address useIpSpoof
- IP address spoofingLoginAttack
- Repeated unauthorized attempts to gain access to systems or accountsMaliciousActivity
- General malicious activityMalwareHosting
- Hosting malicious contentOutdatedDNSSEC
- Outdated DNSSEC configurationsPortScan
- Systematic attempts to discover open ports and potential vulnerabilitiesRogueDNS
- Rogue DNS servicesSSLFreak
- SSL FREAK vulnerabilitySSLPoodle
- SSL POODLE vulnerabilityTrap
- Honeypot or trap hitsUnknown
- Used when content is too broad to categorize specificallyWebCrawler
- Automated web crawling and indexing activityWebHack
- Web application attacks
Content & Legal
Censorship
- Censorship-related contentChildAbuse
- Child abuse materialCopyright
- Copyright infringementDoxing
- Doxing or personal information exposureFraud
- Fraudulent activitiesHarassment
- Online harassmentIllegalAdvertisement
- Illegal advertisingNotSpam
- MARF reports marked as not spamPhishing
- Phishing attacksPropaganda
- Propaganda contentSpam
- Email spamSpamvertised
- Content advertised through spamTrademark
- Trademark infringement
Specialized
CompromisedMicrosoftExchange
- Compromised Microsoft Exchange servers
Event Types with Subtypes
Event types with subtypes provide additional granular classification. The subtype provides specific context about the nature of the abuse.Bot (subtype key: bot_type)
Botnet-related activity with specific bot family identification.- Malware family names (e.g.,
conficker
,zeus
)
CVE (subtype key: cve_name)
Exploitation attempts targeting specific Common Vulnerabilities and Exposures.- CVE identifiers (e.g.,
CVE-2021-44228
)
Malware (subtype key: malware_name)
Malware hosting, distribution, or infection events.- Malware family names (dynamically determined based on threat intelligence)
Open (subtype key: service)
Services that are unexpectedly open or exposed. The Open event type includes over 100 subtypes organized into 12 categories:- Network Services SOCKS, proxy, router, VPN services
- Database Services Redis, MongoDB, Elasticsearch, SQL databases, etc.
- File/Directory Services FTP, TFTP, SMB, AFP, rsync, etc.
- Remote Access Services RDP, VNC, SSH, Telnet, Citrix, etc.
- Web/HTTP Services HTTP, Apache, SSL/TLS services
- Mail Services Mail servers, IMAP, POP3 protocols
- DNS Services DNS resolvers and mDNS services
- Management/Monitoring SNMP, IPMI, LDAP, CWMP protocols
- Industrial/IoT Services ICS, Modbus, BACnet, CoAP, MQTT
- Network Time NTP synchronization services
- Media/Messaging NetBIOS, SIP, STUN, AMQP protocols
- Specialized Services 36 enterprise applications and specialized protocols