Tag Definitions

Botnet

The botnet assessment depicts:

The malware assessment depicts:

typically a host used to exploit and/or drop malware to a host for the first time
typically NOT a botnet controller (although they could overlap)
communications with these indicators may lead to a compromise and then to a possible botnet controller communication (if the infection was successful).
typically used in preemptive blocking, alerts may not indicate infection was successful

Typical examples might include items from:

The phishing assessment depicts:

a luring attempt at a victim to exfiltrate some sort of credential
a targeted attempt at getting someone to unintentionally cause infection (spear phishing)

Typical examples might include items from:

The fastflux assessment depicts:

The scanner assessment depicts:

typically infrastructure being used to scan or brute-force (ssh, rdp, telnet, etc...)

Typical examples might include observations from:

The spam assessment depicts:

The search assessment depicts:

The suspicious assessment depicts:

Unknown assessment
used as the "last default" assessment, combined with "description" for more accurate assessment (eg: assessment- suspicious, description- 'hijacked prefix', or assessment- suspicious, description- 'nameserver').

The Whitelist assessment depicts:

denotes that specific entity (usually an address) should be considered harmless in nature
denotes that blocking an entity would result in mass collateral damage (eg: yahoo virtually hosted servies)
confidence should be applied to each entry to help calculate risk associated with whitelist