Guardian Ops classifies abuse reports using a fixed set of event types. This reference lists every supported event type and, where one applies, its subtype.

Event Types without Subtypes

These event types are standalone classifications that don’t require additional subtype information.

Security & Infrastructure

  • AuthFailure - Authentication failure attempts
  • Backdoor - Backdoor installations or access
  • Blacklist - IP addresses appearing on security blacklists
  • CompromisedAccount - Compromised user accounts
  • CompromisedServer - Compromised servers or systems
  • CompromisedWebsite - Compromised websites
  • DDos - Coordinated efforts to overwhelm systems with excessive traffic
  • DDosAmplification - Exploitation of amplification vulnerabilities to magnify DDoS attacks
  • Defacement - Website defacement
  • DNSBlocklist - DNS-based blocklist entries
  • DNSProblems - Fraudulent messages from compromised DNS/email servers
  • Exploit - Software or commands that exploit system vulnerabilities to compromise security
  • IPReclamation - IP prefix hijacking or unauthorized IP address use
  • IpSpoof - IP address spoofing
  • LoginAttack - Repeated unauthorized attempts to gain access to systems or accounts
  • MaliciousActivity - General malicious activity
  • MalwareHosting - Hosting malicious content
  • OutdatedDNSSEC - Outdated DNSSEC configurations
  • PortScan - Systematic attempts to discover open ports and potential vulnerabilities
  • RogueDNS - Rogue DNS services
  • SSLFreak - SSL FREAK vulnerability
  • SSLPoodle - SSL POODLE vulnerability
  • Trap - Honeypot or trap hits
  • Unknown - Used when content is too broad to categorize specifically
  • WebCrawler - Automated web crawling and indexing activity
  • WebHack - Web application attacks
  • Censorship - Censorship-related content
  • ChildAbuse - Child abuse material
  • Copyright - Copyright infringement
  • Doxing - Doxing or personal information exposure
  • Fraud - Fraudulent activities
  • Harassment - Online harassment
  • IllegalAdvertisement - Illegal advertising
  • NotSpam - MARF reports marked as not spam
  • Phishing - Phishing attacks
  • Propaganda - Propaganda content
  • Spam - Email spam
  • Spamvertised - Content advertised through spam
  • Trademark - Trademark infringement

Specialized

  • CompromisedMicrosoftExchange - Compromised Microsoft Exchange servers

Event Types with Subtypes

Event types with subtypes provide additional granular classification. The subtype provides specific context about the nature of the abuse.

Bot (subtype key: bot_type)

Botnet-related activity with specific bot family identification.
  • Malware family names (e.g., conficker, zeus)

CVE (subtype key: cve_name)

Exploitation attempts targeting specific Common Vulnerabilities and Exposures.
  • CVE identifiers (e.g., CVE-2021-44228)

Malware (subtype key: malware_name)

Malware hosting, distribution, or infection events.
  • Malware family names (dynamically determined based on threat intelligence)

Open (subtype key: service)

Services that are unexpectedly open or exposed. The Open event type includes over 100 subtypes organized into 12 categories:
  • Network Services - SOCKS, proxy, router, VPN services
  • Database Services - Redis, MongoDB, Elasticsearch, SQL databases, etc.
  • File/Directory Services - FTP, TFTP, SMB, AFP, rsync, etc.
  • Remote Access Services - RDP, VNC, SSH, Telnet, Citrix, etc.
  • Web/HTTP Services - HTTP, Apache, SSL/TLS services
  • Mail Services - Mail servers, IMAP, POP3 protocols
  • DNS Services - DNS resolvers and mDNS services
  • Management/Monitoring - SNMP, IPMI, LDAP, CWMP protocols
  • Industrial/IoT Services - ICS, Modbus, BACnet, CoAP, MQTT
  • Network Time - NTP synchronization services
  • Media/Messaging - NetBIOS, SIP, STUN, AMQP protocols
  • Specialized Services - 36 enterprise applications and specialized protocols

For the complete list with detailed descriptions, see the Open Event Subtypes Reference.
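An added example (not Guardian Ops code) of validating an incoming report against the taxonomy above: standalone types must carry no subtype key, the four subtyped types must carry theirs, and CVE identifiers are checked for the CVE-YYYY-NNNN shape. The case-folding of bot, malware and service names is an assumption for the example, not something the reference specifies.

```python
import re
from dataclasses import dataclass, field

# Event types that carry a subtype, keyed by the subtype key named in the reference.
SUBTYPE_KEYS = {"Bot": "bot_type", "CVE": "cve_name", "Malware": "malware_name", "Open": "service"}

# Standalone event types from the reference (no subtype permitted).
STANDALONE_TYPES = {
    "AuthFailure", "Backdoor", "Blacklist", "CompromisedAccount", "CompromisedServer",
    "CompromisedWebsite", "DDos", "DDosAmplification", "Defacement", "DNSBlocklist",
    "DNSProblems", "Exploit", "IPReclamation", "IpSpoof", "LoginAttack", "MaliciousActivity",
    "MalwareHosting", "OutdatedDNSSEC", "PortScan", "RogueDNS", "SSLFreak", "SSLPoodle",
    "Trap", "Unknown", "WebCrawler", "WebHack", "Censorship", "ChildAbuse", "Copyright",
    "Doxing", "Fraud", "Harassment", "IllegalAdvertisement", "NotSpam", "Phishing",
    "Propaganda", "Spam", "Spamvertised", "Trademark", "CompromisedMicrosoftExchange",
}

# CVE identifiers: four-digit year, then a sequence number of at least four digits.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass
class ValidationResult:
    event_type: str
    subtype: dict = field(default_factory=dict)
    errors: list = field(default_factory=list)


def validate_event(report: dict) -> ValidationResult:
    """Normalise one abuse report (a constructed dict) against the event-type reference.

    Problems are collected as errors rather than raised, so a batch of reports
    can be triaged in a single pass."""
    event_type = str(report.get("event_type", "")).strip()
    result = ValidationResult(event_type=event_type)
    if event_type in STANDALONE_TYPES:
        # A standalone type must not carry any of the subtype keys.
        stray = set(report) & set(SUBTYPE_KEYS.values())
        if stray:
            result.errors.append(f"{event_type} takes no subtype, got {sorted(stray)}")
        return result
    if event_type not in SUBTYPE_KEYS:
        result.errors.append(f"unknown event type {event_type!r}")
        return result
    key = SUBTYPE_KEYS[event_type]
    value = report.get(key)
    if not value:
        result.errors.append(f"{event_type} requires subtype key {key!r}")
        return result
    value = str(value).strip()
    if event_type == "CVE":
        value = value.upper()  # CVE ids are conventionally upper case
        if not CVE_RE.match(value):
            result.errors.append(f"malformed CVE identifier {value!r}")
    else:
        value = value.lower()  # assumption: family/service names compared case-insensitively
    result.subtype[key] = value
    return result
```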