Guardian Ops uses a comprehensive system of event types to classify and categorize different types of abuse reports. This reference provides a complete list of all supported event types and their subtypes.
Event Types without Subtypes
These event types are standalone classifications that don’t require additional subtype information.
Security & Infrastructure
AuthFailure
- Authentication failure attempts
Backdoor
- Backdoor installations or access
Blacklist
- IP addresses appearing on security blacklists
CompromisedAccount
- Compromised user accounts
CompromisedServer
- Compromised servers or systems
CompromisedWebsite
- Compromised websites
DDos
- Coordinated efforts to overwhelm systems with excessive traffic
DDosAmplification
- Exploitation of amplification vulnerabilities to magnify DDoS attacks
Defacement
- Website defacement
DNSBlocklist
- DNS-based blocklist entries
DNSProblems
- Fraudulent messages from compromised DNS/email servers
Exploit
- Software or commands that exploit system vulnerabilities to compromise security
IPReclamation
- IP prefix hijacking or unauthorized IP address use
IpSpoof
- IP address spoofing
LoginAttack
- Repeated unauthorized attempts to gain access to systems or accounts
MaliciousActivity
- General malicious activity
MalwareHosting
- Hosting malicious content
OutdatedDNSSEC
- Outdated DNSSEC configurations
PortScan
- Systematic attempts to discover open ports and potential vulnerabilities
RogueDNS
- Rogue DNS services
SSLFreak
- SSL FREAK vulnerability
SSLPoodle
- SSL POODLE vulnerability
Trap
- Honeypot or trap hits
Unknown
- Used when content is too broad to categorize specifically
WebCrawler
- Automated web crawling and indexing activity
WebHack
- Web application attacks
Content & Legal
Censorship
- Censorship-related content
ChildAbuse
- Child abuse material
Copyright
- Copyright infringement
Doxing
- Doxing or personal information exposure
Fraud
- Fraudulent activities
Harassment
- Online harassment
IllegalAdvertisement
- Illegal advertising
NotSpam
- MARF reports marked as not spam
Phishing
- Phishing attacks
Propaganda
- Propaganda content
Spam
- Email spam
Spamvertised
- Content advertised through spam
Trademark
- Trademark infringement
Specialized
CompromisedMicrosoftExchange
- Compromised Microsoft Exchange servers
Event Types with Subtypes
Event types with subtypes provide additional granular classification. The subtype provides specific context about the nature of the abuse.
Bot (subtype key: bot_type)
Botnet-related activity with specific bot family identification.
- Malware family names (e.g., conficker, zeus)
CVE (subtype key: cve_name)
Exploitation attempts targeting specific Common Vulnerabilities and Exposures.
- CVE identifiers (e.g., CVE-2021-44228)
Malware (subtype key: malware_name)
Malware hosting, distribution, or infection events.
- Malware family names (dynamically determined based on threat intelligence)
Open (subtype key: service)
Services that are unexpectedly open or exposed. The Open event type includes over 100 subtypes organized into 12 categories:
- Network Services: SOCKS, proxy, router, VPN services
- Database Services: Redis, MongoDB, Elasticsearch, SQL databases, etc.
- File/Directory Services: FTP, TFTP, SMB, AFP, rsync, etc.
- Remote Access Services: RDP, VNC, SSH, Telnet, Citrix, etc.
- Web/HTTP Services: HTTP, Apache, SSL/TLS services
- Mail Services: Mail servers, IMAP, POP3 protocols
- DNS Services: DNS resolvers and mDNS services
- Management/Monitoring: SNMP, IPMI, LDAP, CWMP protocols
- Industrial/IoT Services: ICS, Modbus, BACnet, CoAP, MQTT
- Network Time: NTP synchronization services
- Media/Messaging: NetBIOS, SIP, STUN, AMQP protocols
- Specialized Services: 36 enterprise applications and specialized protocols
For the complete list with detailed descriptions, see the Open Event Subtypes Reference.